{"id":8812,"date":"2024-10-21T12:24:41","date_gmt":"2024-10-21T10:24:41","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=8812"},"modified":"2024-10-21T12:24:42","modified_gmt":"2024-10-21T10:24:42","slug":"gdpr-as-a-non-eu-company","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/gdpr-as-a-non-eu-company\/","title":{"rendered":"Embracing the GDPR as a non-EU company"},"content":{"rendered":"\n

6 years after becoming enforceable, the GDPR has not died out in popularity as a conversation topic among board members. While is remains the elephant in the room for many a stakeholder, non-EU companies who have embraced its application and requirements are finding it much easier to remain contenders on the European market<\/a>. This article How can non-EU companies get started complying with a regulation they believe does not apply to them?<\/p>\n\n\n\n

When does the GDPR apply?<\/h2>\n\n\n\n

The GDPR applies when public or private organization process personal data. These assume one of two distinct roles, either as a data controllers <\/strong>and data processors<\/strong>. When discussing role distribution in supplier or customer relationships, we label one or the other as data controller or processor, respectively. However, one logically determines this at the level of a single processing activity<\/em>.<\/p>\n\n\n\n

The law is extremely clear about the territoriality, targeting and offering of goods and services. Thus, the GDPR applies to your non-EU company <\/strong>if:\u00a0<\/p>\n\n\n\n

    \n
  1. you establish a company<\/strong> or a subsidiary in the EU.
    No matter your product or service, your employees are people too and their data is protected by law. This places you under data controller<\/em> <\/strong>obligations.<\/li>\n\n\n\n
  2. you provide goods and services<\/strong> (for a fee or not) to people in the EU.
    Since processing their personal data is a requirement to provide said goods and services, you are under data controller<\/em> obligations.<\/li>\n\n\n\n
  3. you provide processing services<\/strong> (SaaS, PaaS) to a company to which the GDPR applies by virtue of the above points.
    The GDPR becomes applicable when handling personal data for a company established in the EU. In this case you likely assume data processor<\/em> obligations. <\/li>\n<\/ol>\n\n\n\n

    <\/p>\n\n\n\n

    Supplying services to end users<\/h3>\n\n\n\n

    Beyond the letter of the law, your sales teams faces demanding questions from client procurement teams and end users alike. This is the case whether you offer B2B, B2B2C or B2C goods and services. Sales teams need to understand what procurement teams asked of them. At the very least, it communicates a sense of preparedness. In practice, they should only occasionally forward less obvious questions to the tech, product or legal teams. <\/p>\n\n\n\n

    Your internal or external data protection officer<\/a> (DPO) or chief privacy officer<\/a> (CPO) should sit comfortably astride legal and tech. If they do, have them train sales to reduce back and forth communication. These individuals see data processing from the technical perspective of data flows. Importantly, they understand risk from the perspective of risk to the data subject.<\/p>\n\n\n

    \n
    \"\"
    Sisyphus leveraging compliance to finish 1st place.<\/figcaption><\/figure>\n<\/div>\n\n\n

    Leveraging privacy<\/h3>\n\n\n\n

    Being able to address data subject requests<\/strong> (DSRs) in a timely manner, ensures you remain a contender in your client\u2019s procurement shortlist. Some clients operate in a highly regulated field so compliance is crucial to them. Others show high ethical drive and understand non compliance as a risk to their operations. For clients who don\u2019t care, your common relationship will deteriorate at the first privacy pinch from data subject requests. Pressure will come from their own vertical relationships in the supply chain, or enquiries by supervisory authorities.<\/p>\n\n\n\n

    If your business enjoys a direct relationship with people in the EU, you likely assume a data controller role. This is the case with the provision of B2C goods and services. The full requirements of transparency, security and accountability apply, so do the performance of data subject rights. Subjects are savvier now about exercising their rights. You can expect their privacy experience with you to make it onto social media if they don’t trust your practices.<\/p>\n\n\n\n

    Supplying services to other organizations<\/h3>\n\n\n\n

    When supplying SaaS or PaaS solutions, the B2B \/ B2B2C scenario likely makes you a data processor. The requirements for security and accountability apply to both controllers and processors. Yet, transparency obligations are fulfilled by the data controller. This is done through their own channels or via a notice your platform allows them to provide to their end-users. However, your ability to be forthcoming with demonstrations immediately satisfy your customers\u2019 expectation that you are set up to help them demonstrate how they comply<\/em>.<\/p>\n\n\n\n

    Transparency is not the only obligation you will help your customer fulfil. Say you provide a platform that corporate customers can use to create user retail experiences. They remain responsible for collecting proof of consent to the data processing resulting from triggering your platform features (e.g. shopping cart memory or reward schemes). Your platform being the front-end of user interaction for your customers, ask yourself whether your platform<\/p>\n\n\n\n