Expert Advice Community

GDPR Scope and applicability

simmal Created:   Aug 16, 2022 Last commented:   Aug 18, 2022

We are a US-based very small company (4-5 employees) and provide software for collecting data related to plant performance to plants based in both the US and the EU.

Now the only personal data we have in our cloud (365 office and outlook) are email IDs and names of the employees of EU-based plant workers. In some cases we have access to their official phone numbers.

So yes, we have what can be categorized as personal data. But due to the limited customer information that we have, would GDPR still apply to us? And in this case, would we act as a processor or controller of PI?

 

Expert
Tudor Galos Aug 18, 2022

As per Article 3 GDPR, Territorial scope, GDPR applies to non-EU organizations that either offer goods or services to data subjects in the Union or that monitor their behavior as far as their behavior takes place within the Union. In your case, however, from your input, you don’t offer goods and services to people in the EU; you offer services to organizations in the EU. In this case, you should act as a Data Processor for personal data that you process on behalf of your customers. However, as per Chapter V GDPR - Transfers of personal data to third countries or international organizations and per the European Data Protection Board’s Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, there is a transfer of personal data between your EU customers and your US company. So, per Article 44 – General principle for transfers and per Article 46 – Transfers subject to appropriate safeguards, you should use an appropriate legal mechanism for the compliant personal data transfer between the EU and the US. You might choose to use Standard Contractual Clauses (SCCs) templates, the latest version issued by the European Commission, but you must take into consideration that after the European Union Court of Justice Schrems II decision, you should make sure that the transferred personal data has the same level of protection as is offered under GDPR, by taking the right technical and organizational measures needed to protect the data.

As part of our EU GDPR Toolkit, we have a Cross Border Personal Data Transfer Procedure template and the EU SCCs with comments that help you fill in the template.

Please also consult these links:

Tudor Galos