Resources

{ Banner Image } Print PDF
Share
Subscribe to Publications

People

Services

Industries

Compliance Deadline Approaching to Comply with EU’s New Data Protection Regulations

January 31, 2018

On May 25, 2018, the European Union’s new data privacy regulation, known as the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), will become effective. Not only does the GDPR regulate processing personal data by an E.U. controller or processor, but also requires non-E.U. entities, such as non-E.U. companies, universities, investment funds and charities, to comply with the GDPR if they:

Failure to comply with the GDPR can lead to hefty fines (up to 20 million euros or 4% of global annual revenues, whichever is higher).

Accordingly, if an entity undertakes certain activities relating to personal data (e.g., collect, record, organize, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission, disseminate or otherwise makes available, align or combine, restrict, erase or destruct personal data) as a controller or processor, it will need to comply with the GDPR in two instances: (1) in case personal data at stake refers to individuals in the E.U. and processing relates to offering goods or services to such individuals in the E.U.; and, (2) in case of monitoring of their behavior if such behavior takes place in the E.U.

In the case of offering of goods or services to individuals who are in the E.U., it does not matter if there is a payment involved. A data processor or controller that envisages offering services in more than one E.U. country is likely to be caught by this provision. Relevant factors include use of a language or a currency generally used in one or more E.U. countries with the possibility of ordering goods and services in that language.

Generally, however, merely having a website with an accessible email address or use of a foreign language or a language spoken in that E.U. country, without more, may not be enough to trigger the GDPR compliance requirements, but this should be carefully reviewed.

In the second case, involving monitoring behavior, the GDPR will apply when the monitoring consists of tracking individuals on the internet, including potential subsequent profiling, analyzing or predicting personal preferences, behaviors and attitudes. For example, this scenario could apply in cases where on-line providers and advertising networks place cookies or other tracking devices on the equipment of E.U. individuals for the purpose of tracking their online behavior.

Accordingly, if the non-E.U. entity is covered by the GDPR, it is required to comply with the regulation’s mandates. These include enacting or revising privacy policies and posting certain privacy notices as required by the GDPR, updating procedures for collecting, processing and storing data and establishing policies and procedures for data breaches. In certain instances, the non-E.U. entity may need to appoint a representative in the E.U. and a data protection officer.

Miller Canfield, together with its offices in Europe, has developed GDPR compliance checklists, procedures and policies especially for non-E.U. entities, and can provide legal counsel to your entity to navigate the requirements of the GDPR. Please contact us if you would like further information or if you have questions or concerns.

-Dr. Justyna Regan
+1.312.460.4207
regan@millercanfield.com

Miller, Canfield, Paddock and Stone, P.L.C. Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek