  2. 8

    Similarly, this brief intro and the UK’s explanation are good.

    1. 7

      So I’m generally in favour of GDPR, but I didn’t know about this requirement:

      If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.

      I get where this clause is coming from (it’s hard to enforce laws on people who aren’t in the EU), but this arguably seems like the most difficult part of the law to comply with for small projects, startups, and businesses.

      If you even do so much as record IP addresses for traffic monitoring, you’re beholden to GDPR. Many of the other parts of that law (such as having a privacy policy, requiring consent, and allowing for deletion of data on request) are feasible to handle and automate. But this? If I’m reading this right this means that even a small side project or nascent startup hosted in the United States is going to have to hire or contract with someone in the EU for the purposes of satisfying this checkbox.

      Am I reading this right?

      1. 7

        The linked full text of Article 27 does narrow that requirement beyond the general conditions for being subject to GDPR. The narrowing provision is in 2(a).

        Rephrased to remove the double-negative and following up references to other articles, my read (as a non-expert, mind you!) is that the mandatory designation of a contact person in the EU only applies if, first of all, your processing of EU citizen data is “on a large scale” (vs. “occasional”), and furthermore includes one of the following three types of sensitive data:

        1. “[S]pecial categories of data as referred to in Article 9(1)”. These are defined as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” as well as “the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. Article 9 places more stringent requirements on processing this kind of data than the normal GDPR requirements.

        2. “[P]ersonal data relating to criminal convictions and offences referred to in Article 10”. Fairly self-explanatory.

        3. Data that is otherwise “[likely] to result in a risk to the rights and freedoms of natural persons”. The vaguest of the three, but in context seems likely to mean data that is similar to the kinds of data in #1 and #2. I would guess someone just logging IP addresses wouldn’t fall under this, since the whole provision is about personally sensitive data—stuff along the lines of race, religion, health conditions, criminal convictions, etc.

        1. 2

          Cool, thanks for the explanation. It’s still a bit vague, but it sounds like this only applies if you’re doing large-scale processing of those more sensitive categories of data, which makes sense.

          In general it looks like this was thought through pretty well. Still, I wouldn’t be surprised if you started to see “GDPR contact as a service” companies springing up around Europe in the coming years, for small businesses who accept EU customers but don’t have offices there.