The General Data Protection Regulation (GDPR) applies not only to the majority of companies, but also to associations and public organizations.
In this practical guide, we address a common question about the GDPR: Who is affected? Our goal is to dispel any uncertainties so that you can obtain clear answers to your questions.
Who is affected by the GDPR?
The GDPR applies to any entity, whether it be companies, associations, or public organizations, that collects, stores, or uses personal data of residents of the European Union, regardless of where it is located.
Here are the key points:
- Geographical location: Where the entity is established does not matter. A company located in the EU that processes no personal data of European residents is not affected. Conversely, a company outside the EU that processes personal data of European residents is affected.
- Extraterritorial application: The GDPR also applies to large international companies such as Google, Amazon, Facebook, Apple, and Microsoft (GAFAM), demonstrating its extraterritorial scope.
In summary, almost all entities, regardless of their size, are affected by the GDPR, whether they are small businesses, medium-sized enterprises, large companies, public administrations, hospitals, small shops, or hair salons, as long as they process personal data of European residents.
Attention! The GDPR also applies to individuals as soon as they process personal data outside of their personal or domestic activities. For example, this applies to individuals who install cameras filming the exterior of their home or who employ a worker within their home. Similarly, the GDPR applies to individuals who publish personal data of other individuals on publicly accessible social networks.
Personal data and processing: what do these terms mean?
The GDPR applies to companies that process personal data
According to Article 4 of the GDPR, personal data is defined as "any information relating to an identified or identifiable natural person".
In other words, personal data is any information that allows the recognition or identification of a natural person, such as a name, first name, email address, telephone number, social security number, address, IP address, identifier, etc.
Any company that holds such data (whether it concerns personnel, partners, suppliers, customers, users...) holds personal data and is subject to the GDPR.
The European Regulation adopts a very broad understanding of the concepts of "personal data" and "processing". Data processing encompasses any activity involving the collection, storage, modification, or use of data.
Therefore, even if you only store the personal data you collect without using it, you are subject to the GDPR. As soon as this data is stored in your information system, a database, or an Excel sheet, you are considered to be carrying out "processing of personal data".
Clarifications on the scope of the GDPR
Here are some key points to better understand the scope of application of the GDPR in a company.
The GDPR is not limited to customer data
The GDPR covers all personal data stored by your company and related to European residents, including your customers, users, suppliers, employees, prospects, and candidates.
Understanding the notion of "European residents"
The GDPR governs the processing of personal data of "European residents" or "European citizens". This means that:
- The GDPR applies to personal data of European citizens living abroad.
- It also applies to data of foreign individuals residing in one of the countries of the European Union.
- The GDPR therefore concerns all individuals residing in the EU, regardless of their nationality.
The GDPR & companies
For companies, two important points should be noted:
The data related to the "company" entity (such as the SIRET number, turnover, number of employees) is not personal data. However, information regarding contacts within the client company (name, first name, position, phone number, email) is personal data and falls under the GDPR.
The GDPR seems to be less strict regarding the processing of B2B data, especially regarding obtaining consent during collection or storage of data. However, this point remains unclear in the GDPR text, and companies exploit this legal uncertainty. Nevertheless, recent developments suggest that rules regarding B2B data could tighten in the coming years.
Attention to subcontracting
If you outsource data processing, such as using a web analytics tool, you must:
- Verify that the service provider complies with GDPR rules.
- Accept that you share responsibility with the subcontractor if the processing turns out not to comply with the GDPR.
Who is not affected by the GDPR
The GDPR does not apply to personal data of individuals who do not reside in the EU or who are not European citizens.
Outside of this obvious case, there are a few exceptions:
- Processing carried out strictly for private purposes, such as creating a personal contact directory.
- Processing carried out for the protection of fundamental rights and freedoms.
- Processing carried out within the framework of preventing criminal offenses.
Check if your organization is affected by the GDPR
Most large companies have already complied with the GDPR, but this is not always the case for small businesses and individual companies. Many of them have not yet taken any measures, and some SMEs have still not started their GDPR compliance process.
If you are a company, an association, or any other type of organization and you want to know if the GDPR applies to you, we invite you to contact one of our experts! They can answer all your questions, conduct an audit of your data, determine if you are affected, and, if necessary, support you in your GDPR compliance process.
It is important to remember that the penalties for non-compliance with the GDPR are severe and the supervisory authority (in France, the CNIL) is now less tolerant. Fines can reach up to 20 million euros. Therefore, it is crucial not to take this risk lightly.