Does European Union’s GDPR Apply to your Business?

1/4/2019

Organizations working with the personal data of individuals residing in the European Union (EU) will need to comply with the General Data Protection Regulation (GDPR).  However, ASR believes that our clients are not subject to this new law.

The GDPR is Europe’s new framework for data-protection laws, designed to harmonize data-privacy laws across Europe and give greater protection and rights to individuals.  Personal data is defined in the GDPR as any information that can be used to identify a data subject, directly or indirectly, such as a name, an identification number, or any factors specific to the physical, genetic, mental, economic, cultural, or social identity of that person.  A data subject is defined in the GDPR as an individual whose personal data is being collected, held, or processed.

The GDPR applies only when personal data are collected from a data subject who is located in an EU country at the time the data are collected.  The personal data of an EU citizen residing in the U.S. would not be subject to the GDPR, whereas the personal data of a U.S. citizen residing in the EU would be subject to the GDPR.

The EU Data Protection Board released guidelines in November on the territorial scope of the GDPR.  Specifically, in order to be subject to the law, an entity must either be established in the EU or direct goods and services to data subjects located in the EU.  Therefore, note the following:

  • If your company is a service provider based outside the EU that provides services to customers outside the EU, and your clients can use your services when they travel to other countries, including within the EU, your company is not subject to the regulations provided your company does not specifically target its services at data subjects in the EU.
  • If your company has employees living in the EU and pays such employees a salary, this H.R. function is not considered the provision of good or services.
  • If your manufacturing company markets goods to companies in the EU, you are not providing such goods to data subjects.

Again, ASR believes that our clients are not likely subject to the GDPR, but we recommend you speak with your legal counsel for confirmation.

If you have questions about the GDPR, call ASR Health Benefits at (616) 957-1751 or (800) 968-2449.