- Posted by Francesca Dimunno
- On 08/01/2019
Data protection: are non-EU companies also subject to the GDPR?
The purpose of the GDPR enactment was to create and guarantee a “climate of trust” in order to boost the development of the digital economy throughout the internal market, eliminating uncertainties regarding sensitive data protection. In fact, before the GDPR, the lack of protection for sensitive data had resulted in a lower circulation of data within the EU territory, which had also had significant consequences for economic and commercial activity.
Article 3 establishes that the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. The GDPR also applies if the data processed is internal to the EU but the data controller or processor is established outside the EU, as well as when the processing relates to the transfer of goods or services to EU entities, or to monitoring carried out within the EU. Finally, the GDPR must be applied in cases where the controller is a non-EU entity but is subject to the laws applying in an EU Member State.
A practical example: if a company under US law has its registered office and/or an operative office in Italy that oversees all business operations within the EU, including marketing and advertising, the company present in Italy is to be considered a stable organization.
For this reason, the Italian company must be treated as a branch of the foreign company within the EU territory and, therefore, will have to comply with the GDPR.
In conclusion, a stable organization within the EU, set up by a non-EU company, is obliged to comply with the GDPR.