EU GDPR is applicable to the company I work for (in the UK - a subsidiary of the American organisation) as we store and process personally identifiable data for our staff, and EU GDPR will be applicable to the American Organisation's located in Germany and Italy.
As we are owned by an American Company, I am assuming that the American Company will need to be EU GDPR compliant as it owns companies operating in UK, Germany and Italy? Our company is a B2B company and sells products and services to other businesses, but stores personally identifiable data on behalf of it's staff that work for it.
Is EU GDPR applicable at the Corporate level?
If there was a breach at one of the companies operating in the EU, is the fine applicable to the Corporate annual turnover or the company that has breached?
Finally, if one of the companies is storing personally identifiable staff data on a Corporate database where the data is stored in the US - I'm guess ing that Corporate will have to be EU GDPR compliant as the data is stored outside the EU?
The EU GDPR will be applicable to all companies established in the EU/EEA regardless where their parent companies are established. So any companies established in the EU/EEA will have to comply with the EU GDPR.
Regarding the EU parent Company, is not necessary to be compliant with the EU GDPR just because of the mere fact that it owns subsidiaries in the EU/EEA.
GDPR would be applicable to the if US based parent Company would be acting as controller that offers goods and services to, or monitor, individuals in the EU/EEA. Depending on the actual processing activities carried out by the US based parent Company the EU GDPR may or may not be applicable, an exact answer can be offered after a more in depth analyze of the relations between the US based parent Company and its EU/EEA subsidiaries.
If one of the subsidiaries within the EU/EEA were to suffer a data breach that might result in a fine, the worst case scenario means that the amount of the would be established based on the annual turnover of the “undertakings” which are as defined by reference to the competition law definition in Articles 101 and 102 of the Treaty of the Functioning of the European Union (TFEU). The TFEU sees undertakings as economic units, so potentially includes group companies. In other words is possible, at least in theory, that a global turnover of a group of companies to be considered when establishing the fine.
If the US based parent Company would just be storing personal data of EU/EEA employees and acts as a processor on behalf of the EU/EEA based subsidiaries, then the parent Company would have to provide appropriate safeguards for cross border transfers of personal data which could be for example: adherence to Privacy Shield or using “Model Contracts for the transfer of personal data to third countries” (Model Contracts).