US companies must comply with GDPR, too

The GDPR applies to companies outside the EU because of its extra-territorial scope, as set out in Article 3, "Territorial scope." One thing to keep in mind is that the GDPR is not 'data privacy' under another name, nor a refined version of it: the law is designed to protect the rights of data subjects, whereas data privacy regimes, broadly and for the most part, regulate and protect businesses. If you think your 'data privacy' organization is de facto making you compliant with the GDPR, we have news for you: it is not.

A “data subject” is any natural person in the EU, including citizens, residents, and even visitors. Personal data, the subject matter of the GDPR, is any information that can be used, directly or indirectly, to identify a specific data subject.

In practice, this means that if you collect personal data of a data subject, you are required to comply with the GDPR no matter where in the world you are located (see what is considered personal data under the GDPR from the project).

The European Union can, and routinely does, enforce its law beyond its borders through mutual assistance treaties and other mechanisms. GDPR Article 50 addresses exactly this. Other countries should not test the EU’s reach, and EU data protection authorities are already active in that respect.
