GDPR Doesn't Only Protect EU Citizens - Who Does GDPR Affect?

Last updated: 8/3/2020 — GDPR

Although the European Union’s General Data Protection Regulation has been in effect for a while now, the online world is still figuring out many of the nuances of the sweeping consumer protection legislation. One of the important questions for data collectors and processors to answers is exactly whose data is protected by the GDPR.

At first glance that seems like a simple question. The GDPR is a European Union regulation, so it applies to citizens of the EU, right? Well, as it turns out, that is not entirely true. Citizenship does not affect the territorial scope and the GDPR never actually references “citizens” or “residents”. The highly detailed, 99-article regulation describes a broader definition.

Recital 14 of the GDPR notes that “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”

As you can see, the GDPR refers to “natural persons” and “data subjects,” two terms that can be interpreted roughly as “any human who uses the internet”. Obviously the EU’s jurisdiction can’t include every data subject on Earth, so again, who exactly is covered here? The jurisdiction of the GDPR depends on whether a product or service is delivered in the EU and personal data is processed and/or monitored as a result.

Generally speaking, if the product or service is offered within the EU, then the data processing needs to comply with the GDPR, whether or not the company is physically located there or not. That goes for both physical and online goods, from ordering a pair of sneakers to purchasing movies for streaming.

Let’s take a more concrete example:

It might be obvious that an EU resident who orders a product from an online store based in Denmark would be protected under GDPR rules. But suppose an American business traveler in Denmark places the same order? The processing of personal data is still undertaken by a company established in the EU, and the processing is in this case also regulated by the GDPR, though he might have a product delivered in the US.

If you’re a little confused by all of this, you’re not alone. Even respected data protection experts have admitted to being baffled by the parameters of GDPR at first. Truth be told, since so little of this regulation has been put to the test so far, it’s likely that we won’t know the precise details of whose data is and isn’t protected until more of its provisions get enforced.

For the time being, if your website is accessible to anyone living in or visiting the EU, it’s best to play it safe and get up to speed on GDPR data collection guidelines.

Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.

Learn more about Siteimprove GDPR