GDPR Applies to US Firms

Extract from article by Stanislaw Kastory

The entry into force of the GDPR also means changes for companies based outside the EU. According to Article 3(2) of the GDPR, the regulation applies to the processing of personal data of data subjects who come from the European Union, by a controller or processing entity not established in the European Union, if the processing activities relate to:

  a) the offering of goods or services to such data subjects in the European Union and
  b) the monitoring of their behaviour.

This means that, for example, a US insurance company not based in the EU will be subject to the GDPR (and all the requirements thereunder) if it offers its insurance products to entities in EU countries. The new GDPR will also apply to all companies offering “suggestions”, as used for example on YouTube, Instagram or Spotify. Suggestions that you may like someone’s profile or music are based on processing of personal data. If a US company makes such suggestions to EU citizens, it will automatically fall under the ambit of the GDPR.

However, the GDPR does not only apply to big players. If you are a local whiskey producer in Kentucky and you send 10 bottles to a client in France, you are also required to respect the new European regulation. Generally speaking, if your business in any way relates to EU citizens, you should not disregard the GDPR.

