The GDPR Jurisdiction Rule You Probably Don’t Know About

If your company is based in the EU, then the question of whether the GDPR applies to you is easy; it does. But for most of my clients (who are based in the US) the question is not so straightforward. Usually, we will do an analysis on the extent to which they ‘offer’ goods and services to data subjects located in the EU. This is not a black and white standard. It is very fact dependent, and there isn’t a whole lot of case law to go on. We need to look at all the circumstances (such as whether prices are displayed in EU currency, whether you use a domain of an EU member state, etc.) and decide.

But that is not all. 

We also cannot assume that the data that needs to be protected is only the PII of EU citizens. That is simply not true. The GDPR applies to all PII gathered from data subjects who were inside the EU at the time the data was collected. Theoretically, they can be citizens or residents of anywhere.

Now here is the really strange rule you probably don’t know about: You also cannot just assume that if a company is based in the US and all of its customers are in the US that the EU doesn’t apply. 

I know, it’s crazy, right? But it’s true. 

It all comes down to this nearly incomprehensible language in the GDPR, which states that the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or processor in the [EU], regardless of whether the processing takes place in the [EU] or not.” GDPR Article 3(1)

This means that if you have a location or presence, or regular activity inside the EU that is a necessary part of your business, then the GDPR applies to you the same as if your company was based in the EU. Furthermore, it applies to all the PII you maintain, even PII that was not collected from inside the boundaries of the EU! This means that some relatively small process within EU borders can subject all of your PII, wherever located, to the full burden of the GDPR.

Personally, I think it’s a bit excessive. But it doesn’t really matter what I think. What matters is that you have your ducks in a row when the EU comes knocking. 

I hope you found this article interesting, and if you think you need assistance with GDPR please don’t hesitate to contact Digital Edge, or even contact me directly at kbarry@digitaledge.net

Was this article helpful?
Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.

Let's talk: +1 (718)-370-3353

Speak to a specialist