Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.
Before we jump into the requirements, it’s important to note that this criteria below is applicable to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, one cannot simply avoid GDPR obligations because they are outside the jurisdiction of the EU. So, let’s begin to dissect the parts of Article 3 and its provisions under "territorial scope" to get a better understanding of how GDPR classifies an "in-scope" organization, along with the two conditions that decide the applicability of an organization in the eyes of the regulation.
Criterion 1: If your business is offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU
The definition of "offering of goods and services" isn’t extraordinarily specific when referring to Article 3. In general, websites are globally accessible. So, would that mean your business is, by default, offering goods and services to EU citizens? Looking further into the GDPR’s clarification under Recital 23 provides a better perception of how its interpreted according to the regulation.
Read More: iapp.org/news
About the AuthorMore Content by Kevin Kish