Applicability of EU GDPR

Guest user Created: Nov 29, 2017 Last commented: Nov 29, 2017

I work for an American organisation that owns companies all over the world, including in the UK and Europe.
EU GDPR is applicable to the company I work for (in the UK, a subsidiary of the American organisation), as we store and process personally identifiable data for our staff, and EU GDPR will be applicable to the American organisation's companies located in Germany and Italy.
As we are owned by an American company, I am assuming that the American company will need to be EU GDPR compliant, as it owns companies operating in the UK, Germany and Italy? Our company is a B2B company and sells products and services to other businesses, but stores personally identifiable data on behalf of its staff that work for it.
Is EU GDPR applicable at the corporate level?
If there was a breach at one of the companies operating in the EU, is the fine applicable to the corporate annual turnover or to the company that has breached?
Finally, if one of the companies is storing personally identifiable staff data on a corporate database where the data is stored in the US, I'm guessing that Corporate will have to be EU GDPR compliant, as the data is stored outside the EU?

Expert
Andrei Hanganu Nov 29, 2017

Answer:

The EU GDPR will be applicable to all companies established in the EU/EEA, regardless of where their parent companies are established. So any companies established in the EU/EEA will have to comply with the EU GDPR.

Regarding the US-based parent company, it is not necessary for it to be compliant with the EU GDPR just because of the mere fact that it owns subsidiaries in the EU/EEA.

GDPR would be applicable if the US-based parent company were acting as a controller that offers goods and services to, or monitors, individuals in the EU/EEA. Depending on the actual processing activities carried out by the US-based parent company, the EU GDPR may or may not be applicable; an exact answer can be offered only after a more in-depth analysis of the relationship between the US-based parent company and its EU/EEA subsidiaries.

If one of the subsidiaries within the EU/EEA were to suffer a data breach that might result in a fine, the worst-case scenario means that the amount of the fine would be established based on the annual turnover of the "undertaking", which is defined by reference to the competition law definition in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). The TFEU sees undertakings as economic units, so this potentially includes group companies. In other words, it is possible, at least in theory, for the global turnover of a group of companies to be considered when establishing the fine.

If the US-based parent company were just storing personal data of EU/EEA employees and acting as a processor on behalf of the EU/EEA-based subsidiaries, then the parent company would have to provide appropriate safeguards for cross-border transfers of personal data, which could be, for example, adherence to Privacy Shield or use of the "Model Contracts for the transfer of personal data to third countries" (Model Contracts).

The EU GDPR implementation Toolkit provides guidance on how to use the Model Contracts as safeguards for cross-border transfers of personal data; see the details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/