GDPR And Non-EU Businesses A Quick Guide to Find Out If The EU-GDPR Applies to Your Non-EU Business

Reading Time: 2 minutes

While GDPR is a EU law, it can apply to businesses anywhere in the world. Some business owners do not know if the new law applies to them and others haven’t even heard about it.  If you are unsure how GDPR will affect your business and want to avoid potential sanctions or possibly millions in penalties, this quick guide is a starting point for you.

Territorial Scope

Your organization does not need to be located within EU borders to be subject to GDPR provisions.

Targeting and Intent

  1. Language — Unless you are from a Spanish speaking country, having your website in Spanish may be interpreted as intentionally targeting people in Spain. The same applies for any other official language of EU member countries.
  2. Currency – You price your offerings in Euro or any other currency of either a EU member country. This includes the following currencies:
    Euro (EUR), Bulgarian Lev (BGN), British Pound Sterling (GBP), Gibraltar Pound (GIP), Croatian Kuna (HRK), Czech Koruna (CZK), Danish Krone (DKK), Hungarian Forint (HUF), Polish Zloty (PLN), Romanian Leu (RON) and Swedish Krona (SEK)
  3. Domain — If you use a domain assigned to a country within the EU, e.g.  .fr, .it, .ie, .de, etc., this is interpreted as targeting individuals residing in the EU.
  4. Content — Is your content specifically designed to resonate with individuals within the EU? This could be anything, from your overall content to testimonials from EU residents. If your website features testimonials from Maria in Barcelona or Jörg in Hamburg, intentional targeting could be inferred.

Penalties and Sanctions

GDPR gives supervisory authorities the right to place hefty fines on non-compliant organiztions. Yet, some supervisory authorities may be more cooperative than others when it comes to helping businesses reaching or regaining compliance. Recently the UK’s Information Commissioner stated that its goal is to work with organizations. Depending on the nature, scale, severity and duration of identified non-compliance there are four different ways a supervisory authority can handle your GDPR violation.

  1. Warning In case that non-compliance is likely to occur, you may get a written warning by your local supervisory authority.
  2. Reprimand — The supervisory authority can issue a reprimand against a controller or processor, if an infringement of GDPR provisions is detected.
  3. Suspension — Your local supervisory authority can simply you from processing data of EU residents altogether.
  4. Penalty — If the non-compliance is deemed severe, your local supervisory authority can fine your organization up to €20m or 4% of its global annual turnover for the preceding financial year, whichever is greater

In some jurisdictions, additional penalties might be added. The updated German Data Protection Act states that violation with the intent to gain a commercial advantage can carry a jail-term of up to three years.

Frequency and Scale

Now, you do not have to get paranoid, because some members of your coffee gourmet membership website might be vacationing in Milan or you happen to have two subscribers from Athens. If you occasionally process data from people residing in the EU and you do not do it on a large scale, you will likely not be subject to penalties under GDPR.


Share this Post

Further Reading