As we mentioned in our last update, available here, the GDPR significantly expands the jurisdiction of the EU’s data privacy regulatory framework to companies processing or controlling the personal data of employees or other individuals residing in the EU — regardless of the company’s location.
The GDPR covers companies if they fall under one (or more) of the following three tests:
- the “establishment test” – applies where processing takes place in the context of activities of an establishment in the EU, regardless of whether the processing takes place in the EU. The term “establishment” is not strictly defined;
- the “goods and services test” – applies to the processing of personal data of individuals who are in the EU by entities not established in the EU, where processing relates to the offering of goods and services; or
- the “monitoring test” – applies to the processing of personal data of individuals who are in the EU by an entity not established in the EU, where processing relates to the monitoring of their behavior within the EU.
A company could also technically be subject to the GDPR if the company is not established in the EU, but is subject to the laws of the EU by virtue of public international law. Such circumstances are rare.
Among other heightened requirements and obligations, if a company is covered under the GDPR:
- It will be subject to stricter rules on obtaining employee consent to process and share personal data.
- It may have to appoint a data protection officer.
- Its employees will have greater rights with respect to access and control of their personal data.
- It will be subject to stricter record keeping requirements.
- It must comply with stricter and enhanced reporting obligations to the data protection authority(ies).
- It could be subject to significant penalties for committing a breach, including up to 4 percent of annual global revenues or €20 million (whichever is greater).
Various EU member states are also in the process of adjusting and updating their applicable data privacy and protection rules to comply with the GDPR. Thus, it will also be important for companies that do business in the EU or with EU-based individuals to make sure that they remain in compliance with applicable local guidelines on data privacy and protection.
The Bottom Line: There is still limited time for impacted companies to bring themselves into compliance with the applicable requirements, but May 2018 is right around the corner. Companies covered by these regulations should not delay in becoming familiar with them. Failure to do so could expose the company to significant penalties, including the greater of 4 percent of global revenue or €20 million.
FordHarrison is a member of Ius Laboris, the world’s largest global employment and labor alliance. As such, our attorneys are uniquely situated to address issues that confront multinational businesses on a daily basis. Ius Laboris has developed a GDPR Compliance Tool to help companies identify data held by their businesses and enable their lawyers to examine the information provided, identify any gaps, and offer compliance advice. If you would like more information about this tool, or if you have questions regarding the status of the GDPR or how to ensure compliance with the regulations, please feel free to contact the author of this post, Jeremy Corapi, firstname.lastname@example.org, or any member of FordHarrison’s Global Legal Services team at email@example.com.