The GDPR[1], the European regulation on data protection, has applied in Europe since 25th May 2018; it also has effects outside Europe.
The mentality assumed by the majority of companies on the American continent is that, as long as they do not have an established headquarters in Europe, they will not need to expressly comply with European regulations (beyond import regulations) or, if they do have such headquarters, that only the latter must comply with European regulations, in an independent and isolated manner. However, since the entry into force of the GDPR, said regulations must be followed by those companies which:
- Process personal data in the context of the activities of an establishment of the controller or the processor in the Union, whether or not the processing takes place in the Union.
- Process the personal data of persons who reside in the Union, even though the company is not established in the Union, when the processing activities are related to:
  a. the offer of goods or services to said data subjects in the Union, regardless of whether payment is required or not;
  b. the monitoring of their behaviour, insofar as this takes place within the Union.
Thus, American companies must pay attention to the conduct considered to be the processing of data subject to the GDPR, even if this has not so far been anticipated specifically in the development of their business. Some examples are:
- Newsletters subscribed by European clients.
- European client web contacts.
- European clients registering on American service websites (regardless of whether these are free of charge or not).
- Sale of products to consumers in Europe.
- Obtaining the personal data of professionals through the signing of contracts with European companies.
- Data processing via cookies on the company website (behaviour monitoring and the elaboration of advertising profiles via IP addresses).
- Automatic detection of locations via applications in order to create preference profiles (detection of home address, work, etc.).
The above and many other procedures imply a need for American companies to adapt to the GDPR, which in turn implies the need to provide for, among other things, the following:
- Adapted privacy and cookie policies.
- Notifications/banners regarding the use of cookies which comply with the established specifications.
- Not including pre-ticked acceptance boxes on their websites.
- Informing those affected in accordance with articles 13 and 14 of the GDPR, even where their consent is not required.
- Including in all contracts with European companies provisions regarding data protection, given that the data of the companies' legal representatives (the signatories) shall appear therein.
This adaptation shall require, on the part of such companies, a detailed analysis of their business processes and documentation, and for such purposes it is recommendable to refer to experts in the field in order to minimise risks.
The sanctions established by the GDPR for infringement of the regulations amount to up to EUR 20,000,000 or 4% of the company's global annual turnover in the previous financial year, whichever is the higher amount.
Likewise, and equally as important as the above, any consent obtained under the regulations preceding the GDPR should be reviewed in order to verify whether it remains valid or whether it should be obtained afresh.
Should any analysis be required with regard to the above or adjustment to the GDPR, Vilá Abogados remains at your entire disposal.
Andreas Terán
Vilá Abogados
For more information, please contact:
8th March 2019
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).