Updated: May 24
Imagine the following situation:
Your business is based in the US and you trade your goods both in the US and with customers in Europe. For customers who live in Europe, you must observe the requirements of the GDPR (territorial scope principle, GDPR Art. 3 No. 2). If you don't, it can lead to high fines: "... up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher." (Art. 83, No. 6 GDPR)
The territorial scope principle stipulates that the GDPR applies whenever you process the data of a person who lives in Europe.
Article 4 of the GDPR defines exactly what is meant by data. I linked the page here.
The GDPR includes a variety of requirements that you must implement, such as:
• Purpose limitation of data processing
• Minimization of data processing
• The different legal bases for processing
• Conditions for consent to data processing
• What rights the data subjects have and how you have to implement them
• Information obligations for data processing
• Which information rights the data subject has
• Different specifications for ensuring data protection
Furthermore, you must note that additional requirements apply, since the processing of EU citizens' data takes place outside of Europe, namely here in the US.
In October 2022, President Joe Biden signed the "Executive Order to Implement the European Union-U.S. Data Privacy Framework" (https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/).
This executive order is important because the previously applicable Privacy Shield was declared invalid by the European Court of Justice on June 16th, 2020.
In this context, the following questions arise:
How have you worked towards legitimizing the processing of data for your European customers since June 16th, 2020?
What measures must you take to ensure compliance and avoid potential penalties?
As a certified data protection officer and certified data protection auditor, I have a wide range of experience and would be happy to advise you on any questions.
Let's get in touch!