The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does a European service provider have to comply with the GDPR, even if its client is not subject to the regulation?
The GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”[1] To the extent that a service provider processes data in the context of its establishment in the European Union, it is therefore subject to the GDPR regardless of whether its client (i.e., the data controller) is itself subject to the GDPR. So, for example, if an American company that is not subject to the GDPR transmits data to a service provider in Europe, the European service provider is independently “required to comply with the obligations imposed on processors by the GDPR.”[2]
The net result is that data sent to a European processor by an American company that is not subject to the GDPR receives the GDPR’s processor-imposed protections, but does not receive the GDPR’s controller-imposed protections. From a functional standpoint, this means that the processor should:
[1] GDPR, Article 3(1) (emphasis added).
[2] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version for public consultation (16 Nov. 2018), at 9.
[3] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version for public consultation (16 Nov. 2018), at 11.