Understanding GDPR territorial scope is essential for businesses operating across EU and UK borders. With the rise of digital transactions, cloud storage, and remote working, personal data (information which relates to an identified or identifiable natural person) is routinely transferred across the globe. This often creates a maze of regulatory challenges for organisations that must remain compliant whilst maintaining efficient operations.
In this blog, we’ll explain what the GDPR’s extended jurisdiction means for non-EU and non-UK businesses and offer practical guidance on key obligations for staying compliant.
For the purposes of this blog, GDPR will refer to both the EU GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the UK GDPR (before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018; this became the UK GDPR on 1 January 2021 when the UK formally exited the EU). Although the two regulations are essentially similar, there are some differences arising from the UK leaving the EU. For more details, read about the impact of Brexit and UK GDPR Representation.
The General Data Protection Regulation (GDPR) transformed global privacy standards, requiring even non-EU and non-UK businesses to comply if they process the personal data of EU and/or UK individuals. This is known as extra-territorial scope, and it means that even if your company isn’t based in the EU or UK, you might still be subject to the GDPR’s rules if you serve or monitor EU or UK customers.
For any business, understanding the GDPR’s jurisdictional reach is vital – not only to avoid penalties but also to build trust and confidence with customers.
Determining whether the GDPR applies to your business can seem daunting, especially for companies without any physical presence in the EU or UK. Here is an overview of how organisations in the EU/UK are impacted versus those operating outside these regions.
Business Location | GDPR Applicability | Relevant Article
---|---|---
EU/UK | Applies to all organisations established in the EU/UK that process personal data, regardless of the company size or nature of the data processing activities. This includes businesses, charities and not-for-profits, and public authorities. | Article 3(1)
Non-EU/UK | Applies if the organisation offers goods or services to individuals in the EU/UK or monitors their behaviour. | Article 3(2)
Identifying whether your business is acting as a data controller or data processor under the GDPR is also essential, as this distinction will shape your compliance obligations and the specific responsibilities you have under the law.
For more detailed information, visit the European Data Protection Board (EDPB) website for the EDPB’s official guidance on data controllers and data processors.
For UK guidance, the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for ensuring compliance with the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, has similar UK GDPR guidance on controllers and processors.
For data controllers (entities, such as an organisation, that determine the purposes and means of the processing of personal data) that fall within the GDPR’s extra-territorial scope, there are several obligations to navigate, including ensuring compliance with all aspects of the GDPR. Controllers have broader and more direct responsibilities than processors, but these are the two most fundamental requirements:
If your business acts as a data processor under the GDPR’s extra-territorial scope, you will have fewer responsibilities compared to data controllers, but you must still comply with certain GDPR requirements. These are some of the key obligations:
Understanding the data protection requirements for cross-border transfers is another key component of the extra-territorial scope of the GDPR. Whether you are a data controller or a data processor, transferring personal data outside the European Economic Area (EEA)/UK requires careful attention to data protection to ensure compliance with GDPR standards.
If the European Commission has approved that a non-EU country meets adequate data protection standards, personal data can be transferred to that country freely. However, in the absence of an adequacy decision, the controller or processor must implement appropriate safeguards to protect the personal data and preserve data subjects’ rights, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs, a set of data protection policies adhered to by companies within a group of undertakings that allow personal data to be transferred outside the EU within that group).
For businesses operating in the UK, similar rules apply under the UK GDPR. The UK government has issued adequacy decisions for certain countries (like Japan and Canada), allowing for free transfers of personal data between the UK and these jurisdictions.
Achieving compliance with the GDPR can seem challenging but there are some initial practical steps you can follow to support your compliance journey:
The GDPR’s reach extends beyond the EU and UK. This means that even if your business is based outside these regions, you may still need to comply with the GDPR if you process the personal data of EU/UK individuals or monitor their behaviour. Knowing whether your business acts as a data controller or data processor is also essential for determining your specific obligations under the law.
For non-EU and non-UK businesses, compliance involves adhering to the GDPR’s core principles, appointing an EU/UK Representative, and ensuring safe cross-border transfers. By taking practical steps to ensure compliance, businesses can turn compliance into a competitive advantage and strengthen customer trust and reputation.
The DPO Centre has one of the largest teams of specialist DPOs available and our EU/UK Representatives cover all 27 EU Member States and the UK – if your business would benefit from our support, please contact us and we can discuss your needs.