Compliance Deadline Approaching to Comply with EU’s New Data Protection Regulations

Richard Walawender
Miller Canfield
Contact
LinkedIn
Facebook
X
Send
Embed

Miller Canfield

On May 25, 2018, the European Union’s new data privacy regulation, known as the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), will become effective. Not only does the GDPR regulate processing personal data by an E.U. controller or processor, but also requires non-E.U. entities, such as non-E.U. companies, universities, investment funds and charities, to comply with the GDPR if they:

  • Offer goods or services to individuals who are in the E.U., or
  • Monitor their behavior, for example, through online tracking.

Failure to comply with the GDPR can lead to hefty fines (up to 20 million euros or 4% of global annual revenues, whichever is higher).

Accordingly, if an entity undertakes certain activities relating to personal data (e.g., collect, record, organize, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission, disseminate or otherwise makes available, align or combine, restrict, erase or destruct personal data) as a controller or processor, it will need to comply with the GDPR in two instances: (1) in case personal data at stake refers to individuals in the E.U. and processing relates to offering goods or services to such individuals in the E.U.; and, (2) in case of monitoring of their behavior if such behavior takes place in the E.U.

In the case of offering of goods or services to individuals who are in the E.U., it does not matter if there is a payment involved. A data processor or controller that envisages offering services in more than one E.U. country is likely to be caught by this provision. Relevant factors include use of a language or a currency generally used in one or more E.U. countries with the possibility of ordering goods and services in that language.

Generally, however, merely having a website with an accessible email address or use of a foreign language or a language spoken in that E.U. country, without more, may not be enough to trigger the GDPR compliance requirements, but this should be carefully reviewed.

In the second case, involving monitoring behavior, the GDPR will apply when the monitoring consists of tracking individuals on the internet, including potential subsequent profiling, analyzing or predicting personal preferences, behaviors and attitudes. For example, this scenario could apply in cases where on-line providers and advertising networks place cookies or other tracking devices on the equipment of E.U. individuals for the purpose of tracking their online behavior.

Accordingly, if the non-E.U. entity is covered by the GDPR, it is required to comply with the regulation’s mandates. These include enacting or revising privacy policies and posting certain privacy notices as required by the GDPR, updating procedures for collecting, processing and storing data and establishing policies and procedures for data breaches. In certain instances, the non-E.U. entity may need to appoint a representative in the E.U. and a data protection officer.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miller Canfield | Attorney Advertising

Written by:

Miller Canfield
Miller Canfield
Contact
more
less

Miller Canfield on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide