Home //All about the GDPR //GDPR: Who is affected?

We, the residents of Europe

As the GDPR applies to a company and to the processing of personal data, it does not matter whether the persons behind the data are of this or that nationality, or whether they reside in this or that country. They will benefit from their rights under the GDPR. However, European residents are affected in more ways than one.

Find out more about the rights granted to individuals, European or not

Which rights for individuals

GDPR who is concerned: European citizens

As this is a European regulatory text, European residents were informed of its adoption well in advance. The GDPR is inspired by previous European legislation.

Lobbying campaign against the GDPR, information campaign of the control authorities, updates of the general conditions of companies by email or on the websites: any European citizen who is at least slightly informed or connected has heard about the GDPR and the new rights it institutes.

In the medium term, the GDPR rules will be used in other sectors to defend our rights: banking, insurance, labour law, competition law.

GDPR who is concerned: European companies

The first companies to be affected by the GDPR are those with an establishment in the European Union. Therefore, all data processing that is intended to remain local, either because of the company’s own activity or because the company is only established in the European Union, will concern Europeans first and foremost.

For your company to be affected by the GDPR , it is sufficient that it has an establishment in the European Union and that, in the context of the activities of this establishment, personal data is processed. The processing carried out by the European establishment on its own servers will therefore of course be subject to the GDPR.

But processing carried out outside the European Union, on the servers of the American parent company for example, will also be carried out if it is part of the activities of the European establishment.

For instance: the evaluation of employee performance used by the establishment for the advancement of its staff, processing relating to targeted advertising used for the marketing of the establishment.

When the establishment is a member of a group of companies, the rules of the GDPR are adapted:

  • it is possible to appoint a DPO responsible for the whole group

We, the companies of the world

An innovation of the GDPR is that its scope is extraterritorial: the GDPR potentially applies to businesses worldwide.

Indeed, if a company located outside the European Union targets consumers located in the European Union, to offer them goods or services, the GDPR applies to the processing of these consumers’ data. Here, the data must specifically relate to EU residents for the GDPR to apply.

GDPR - who is affected? Companies worldwide

Case law will specify the criteria for targeting European consumers, which may consist of the language used, the delivery territories and the currencies used.

This extraterritoriality marks the importance of personal data protection for the European legislator, who wished to prevent foreign companies from circumventing the GDPR.

In order to facilitate relations between the European data protection authorities and foreign companies subject to the GDPR, the latter are obliged to designate a representative in the European Union.

Thus, the answer to the question “GDPR who is concerned?” can be summarized as follows:

  • All European citizens, each of whom is subject to the processing of their personal data as a result of their activities
  • Establishments in the European Union which must ensure the ethics of this processing and the security of the data
  • Foreign establishments offering services