The General Data Protection Regulation (GDPR) is a European regulation that has applied since 25 May 2018. As it is a regulation rather than a directive, it applies directly in all the member states of the European Union with no need for transposition into domestic law.
The GDPR is a set of rules aimed at protecting the personal data of natural persons within the EU. It is widely regarded as one of the most stringent data protection regimes in the world, and its application has harmonised the rights and freedoms relating to personal data protection across the European Union.
The GDPR gives the term “personal data” a very broad meaning: any information relating to an identified or identifiable natural person. The organisations subject to it are:
All public or private entities, insofar as they process personal data (not only the special categories of sensitive data), regardless of their size, country of establishment or type of activity.
Indeed, the regulation applies to all bodies established in the European Union that process personal data, even if the individuals concerned are located outside the EU.
What is more, organisations established outside the EU are also subject to the GDPR if they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU.
Note also that the GDPR applies to subcontractors (processors) that collect and process personal data on behalf of other organisations, not only to the organisations that decide the purposes of the processing (controllers).
A French winemaker selling all its production to customers in North America must comply with the GDPR, because it is established in the EU.
Similarly, an e-commerce company based in Turkey that sells Chinese-manufactured products in Germany from its German-language website must also comply with the GDPR, because it is offering goods to individuals in the EU.
Non-compliance with the General Data Protection Regulation can result in administrative fines of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
IMPORTANT: while the largest penalties get the most publicity, that does not mean only large organisations are concerned. Most of the penalties issued under the GDPR are smaller and are imposed on smaller organisations such as SMEs, local government agencies or e-commerce websites.
Since the end of the Brexit transition period on 1 January 2021, the United Kingdom is no longer governed by the rules applicable in the EU. However, its data protection and privacy rules are, to date, essentially the same as those of the European GDPR: the United Kingdom has retained the text as the “UK GDPR”, supplemented by the Data Protection Act 2018, which is largely equivalent to the European GDPR.
Nevertheless, the situation may change in the coming years. We will keep you informed of any changes in the legislation governing the protection of personal data.
The appointment of a representative is an obligation under Article 27 of the General Data Protection Regulation. Apart from limited exceptions (occasional, low-risk processing that does not involve large-scale processing of sensitive data, and public authorities), organisations established outside the EU that are subject to the GDPR are required to designate a representative in the EU.
The GDPR representative acts for and on behalf of its principal, and can be contacted by data subjects and supervisory authorities across the member states of the European Union and the European Economic Area. Having a single point of contact in Europe is a major advantage for compliance with the General Data Protection Regulation.
In the European Union:
If you need to appoint a European GDPR representative, you appoint a single representative, located in one EU member state. Because the GDPR applies uniformly across the whole of the European Union, a representative appointed in one of the 27 member states can act for you throughout the Union. You may therefore choose the member state, provided it is one in which the individuals whose data you process (your customers or the people whose behaviour you monitor) are located, as Article 27(3) requires.
In the United Kingdom:
As the United Kingdom is no longer in the EU, an EU representative does not cover it. If you are not established in the UK and you offer goods or services to, or monitor the behaviour of, individuals in the UK, you will have to appoint a separate representative in the UK and comply with UK laws and regulations.
With its network of branches and partners, ASD Group will put you in contact with GDPR specialists who will take charge of your representation needs and help you become compliant.
Our expert partners are:
Working with these selected partners offers you many benefits. The following services are included in our partners' agreements: