If your business processes personal data, it is critical that you understand whether the GDPR applies to your activities. There are both statutory and contractual reasons why you may be required to comply with the GDPR. GDPR compliance can be quite involved, so it’s a good idea to get an understanding of the scope and responsibilities of the EU data protection laws. Australian entities need to consider the implications of the GDPR.
Here is why. The GDPR applies to any organisation that is:
- established in the European Union (regardless of whether the personal data is processed in the EU);
- not established in the EU but offers goods or services to EU-based individuals (paid or for free); or
- not established in the EU but monitors the behaviour of EU-based individuals.
Certain contractual arrangements may require you to comply with the GDPR as well. We see more and more contracts where European businesses impose contractual requirements on their overseas business partners, requiring them to comply with the GDPR (even though technically they wouldn’t be required to comply with the GDPR).
GDPR compliance clauses are frequently included in:
- service and consulting agreements with EU businesses;
- supply chain agreements with links to Europe; or
- data processing contracts between an EU-based data controller and a data processor.
The GDPR requires that whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it must have a written contract in place. Similarly, if a processor engages another processor, it must have a written contract in place.
These contracts must now include certain specific terms. Contracts between data controllers and data processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR.
The GDPR is technology neutral. That means it applies to any processing of personal data, regardless of the technology used.
The GDPR applies to the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein and Norway. When personal data is transferred outside the EEA, the protections offered by the GDPR should travel with the data. This means that to export data abroad, companies must ensure that certain safeguards are in place.
Compliance with the GDPR requires time and resources to update systems, processes, policies, and, of course, contracts. What was once best practice under the EU Privacy Directive has now morphed into a mandatory legal regime.
Fines of up to 4% of annual global turnover or €20 million (whichever is greater) loom for those that are found to be in breach of the GDPR.
If you need help with your GDPR compliance, get in touch with LawDownUnder +61 4 324 85 612 or fill out the contact form.