Do I Need to Comply with the GDPR? - TermsFeed (2024)

The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since 25 May 2018. It protects individuals who are in the EU, whatever their citizenship, and it binds any entity that collects or processes their personal data once the conditions of its territorial-scope clause (Article 3) are met: an establishment in the EU, or the offering of goods or services to people in the EU, or the monitoring of their behaviour there.

The GDPR is direct about this: an organisation that offers goods or services to people in the EU, or monitors their behaviour there, must comply regardless of where it is established. This reach is intended to ensure that the rights and privacy of individuals in the EU remain protected no matter who is handling their personal data or where on the internet they go.

It does not matter if the company collecting the data is based outside the EU, or if the majority of a website's users are outside the EU. The GDPR is designed to protect the rights and privacy of people in the EU regardless of who is handling their personal information.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.


  2. Answer some questions about your website or app.


  3. Answer some questions about your business.


  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."


    You'll be able to instantly access and download your new Privacy Policy.


  • 1. Am I under the jurisdiction of the GDPR?
  • 2. What the law says
  • 3. Where are my users located?
  • 4. Conclusion
  • 5. Looking to the future

Am I under the jurisdiction of the GDPR?


Let's say you are a United States-based app developer releasing a mobile game. Players are prompted to create an account, and during registration you request the user's name, age and email address. The game is available from your website as well as from the Google Play Store.

So, would your app be subject to the GDPR?

Maybe.

Since your app collects personal data from its users (name, age and email address), it is regulated by privacy law wherever it operates. Since you are based in the US, you must comply with applicable US law, such as CalOPPA, which requires any commercial website or online service that collects personally identifiable information from California residents to conspicuously post a privacy policy.

The real question, then, is whether you have users who are in the EU, and whether you are offering the game to them or monitoring their behaviour there.

If you released your game on both US and EU app stores, you are offering a service to people in the EU and must comply with the GDPR. If you released it only in US app stores that are unavailable to users in other countries, you are not offering it to people in the EU, and you most likely do not need to comply.

If the game is also downloadable from your website and the website is reachable worldwide, the answer is less clear-cut. Recital 23 says that mere accessibility of a website from the EU does not by itself show an intention to serve people there. In practice, though, people in the EU can and will register, and if your site or game sets analytics or advertising identifiers on them you may be "monitoring their behaviour" under Article 3(2)(b) regardless of your commercial intent, so the prudent course is to comply.

Likewise, if you ship to the EU, mention EU customers on your website, offer an EU-language version of it, or accept payment in euro, this will be read as targeting individuals in the EU and will therefore require compliance with the GDPR.

The following questions can help you determine if you are under the jurisdiction of the GDPR:

  • Do you have users or subjects in the EU?
  • Do you collect or process any personal data from those users or subjects?
  • Do you target residents of the EU or are residents of the EU part of your intended market?

If you answered yes to any of these questions, you should comply fully with the GDPR.

The list says "users or subjects" because the GDPR binds data processors as well as data controllers: Article 3 names both. Even if your company is a processor or a third-party tool with no end users of its own, if you process personal data that another entity collected from its users in the EU, you are within the GDPR's jurisdiction (and Article 28 requires a written contract between you and that controller setting out your obligations).

Those people may not be users of your app or website, but they are users of someone else's, and they are data subjects whose personal data you process on your customer's behalf.

This closes the obvious loophole of outsourcing processing to a vendor outside the EU in order to escape the Regulation, which is why the scope covers any entity that collects or processes the personal data of individuals in the EU, not only the entity that collected it.

What the law says


Article 3 of the GDPR sets out its territorial scope, that is, who falls under its jurisdiction. In summary, the Regulation applies to:

  • processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU (Article 3(1));
  • processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour as far as it takes place within the EU (Article 3(2));
  • processing by a controller not established in the EU but in a place where Member State law applies by virtue of public international law, such as a diplomatic mission (Article 3(3)).

The Regulation is abundantly clear that the organisation's own geographic location is not the deciding factor: an EU establishment brings all of its processing into scope, and an organisation with no EU establishment is still caught whenever it offers goods or services to people in the EU or monitors their behaviour there. Because "monitoring behaviour" covers ordinary web tracking (Recital 24 gives tracking of individuals on the internet, including subsequent profiling, as its example), the general consensus is that any collection or processing of personal data from individuals in the EU, even by a company outside the EU, should be backed by compliance with the Regulation.

Recital 23 clarifies how far the company's intent matters in deciding whether it is "offering goods or services" to people in the EU. Paraphrased, it says:

  • the test is whether it is apparent that the controller or processor envisages offering goods or services to data subjects in one or more Member States;
  • the mere accessibility of a website, an email address or other contact details from the EU, or the use of a language generally used in the company's own country, is insufficient to show that intention;
  • the use of a language or currency generally used in one or more Member States, with the possibility of ordering goods or services in that language, or the mentioning of customers or users who are in the EU, may make that intention apparent.

This gives examples on both sides of the line, but between a site that is merely reachable from the EU and one that plainly courts EU customers lies a wide grey area that is settled case by case. Note also that the intent test belongs to the goods-and-services limb only; the monitoring limb of Article 3(2) is triggered by what you actually do to visitors (tracking, profiling), not by whom you meant to serve. Until there is more guidance, it is not advisable to risk non-compliance on an argument about your level of intent.

When in doubt, comply.

Where are my users located?


As you have probably already worked out, the need to comply with the GDPR hinges on where your users are and on whether you have an establishment in the EU, not on your users' nationality. If your company is established only in the US, operates exclusively from the US, and collects personal data only from people in the US, then you probably do not need to comply with the GDPR.

However, if your company is established in an EU country, operates in any facet from an EU country, or offers goods or services to (or monitors) people in the EU, regardless of where the company itself is located, then you need to be compliant with the GDPR.

Even if your website is not intended to serve users in the EU, it is important to know how much EU traffic you are getting and what you do with it. Currently, the following 27 countries are members of the European Union and covered by the GDPR:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

The GDPR also applies in the three EEA/EFTA states outside the EU (Iceland, Liechtenstein and Norway), where it was incorporated through the EEA Agreement in 2018. The United Kingdom left the EU in 2020 and the EU GDPR no longer applies there, but the UK retained a near-identical "UK GDPR" alongside the Data Protection Act 2018, so traffic from the UK carries equivalent obligations under UK law rather than EU law.

If your analytics tool or web host reports traffic from any of the countries listed above and you collect or process personal data from those visitors, then you should be GDPR-compliant. Bear in mind that an analytics tool running on EU visitors is itself tracking them (IP addresses and cookie identifiers are personal data), so the tool you use to answer the question may already be processing their data.

In some cases it is more obvious than in others where users are located. For example, certain app stores or storefronts serve only one country (think Amazon.com vs Amazon.de). In these cases the app or website is intended for users in that country, making the distinction clear.

In other cases, however, a website may be available worldwide, meaning users may come from any country. If you run such a website, and it collects personal data from its users, you need to find out whether any of your traffic, and in particular any of your sign-ups, comes from the EU in order to decide whether you must comply with the GDPR.

Best practice when serving users worldwide is to be GDPR-compliant regardless of your current traffic. You may have no users in the EU today, but if you begin to attract users from the European market you would be violating the GDPR by collecting data from those individuals without having complied with their privacy law, and retrofitting compliance is harder than designing for it.

Fortunately, since this essentially boils down to where your users are, the question can be answered from analytics tools such as Google Analytics, from your web host's traffic reports, or from your own access logs: most CDNs can stamp each request with a country code (Cloudflare's CF-IPCountry header is one example), and GeoIP databases can do the same after the fact.
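As an added example, not part of the original TermsFeed article: a Python script that answers the "where are my users?" question from your own access log rather than from a third-party analytics dashboard. It assumes a log format in which the CDN or a GeoIP step has appended a two-letter ISO country code as the last field (Cloudflare's CF-IPCountry header is one real source of such codes; the exact log layout, the /register sign-up path and the log lines themselves are constructed for this example). It separates the 27 EU member states from the EEA/EFTA states and the UK, and counts completed sign-ups, the point at which personal data is actually collected, separately from page views.

```python
"""Tally web traffic by country to estimate how much of it comes from the EU/EEA.

Assumes an access log whose last field is an ISO 3166-1 alpha-2 country code
added by the CDN or a GeoIP lookup (e.g. Cloudflare's CF-IPCountry header fed
into a custom nginx log_format). The log lines below are constructed sample data.
"""
import re
from collections import Counter

# The 27 EU member states (ISO 3166-1 alpha-2). Greece is GR in ISO, not EL.
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
# EEA/EFTA states where the GDPR applies via the EEA Agreement.
EEA_EFTA_STATES = {"IS", "LI", "NO"}
# The UK has its own UK GDPR since leaving the EU; track it separately.
UK = "GB"

# Combined log format with a trailing country-code field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<country>[A-Z]{2})$'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 1024 US
203.0.113.8 - - [12/Mar/2024:10:15:09 +0000] "POST /register HTTP/1.1" 201 64 DE
198.51.100.3 - - [12/Mar/2024:10:16:22 +0000] "GET /play HTTP/1.1" 200 2048 FR
198.51.100.4 - - [12/Mar/2024:10:17:03 +0000] "GET / HTTP/1.1" 200 1024 GB
192.0.2.9 - - [12/Mar/2024:10:18:40 +0000] "POST /register HTTP/1.1" 201 64 NO
192.0.2.10 - - [12/Mar/2024:10:19:12 +0000] "GET /play HTTP/1.1" 200 2048 US
192.0.2.11 - - [12/Mar/2024:10:20:55 +0000] "POST /register HTTP/1.1" 201 64 IE
203.0.113.12 - - [12/Mar/2024:10:21:30 +0000] "GET /assets/app.js HTTP/1.1" 304 0 XX
this line is malformed and must be skipped rather than crash the report
""".splitlines()


def region_of(country: str) -> str:
    """Map a country code to the legal regime that matters for this question."""
    if country in EU_MEMBER_STATES:
        return "EU"
    if country in EEA_EFTA_STATES:
        return "EEA"
    if country == UK:
        return "UK"
    return "other"  # includes "XX" (unknown) and non-European countries


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, signup_paths=("/register",)):
    """Count requests and successful sign-ups per region.

    A sign-up is a 2xx response to a POST on one of signup_paths; that is the
    moment personal data (name, age, email) is actually collected, which is the
    event that matters for the GDPR question, not page views alone.
    """
    requests = Counter()
    signups = Counter()
    countries = Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, do not abort the whole report
        total += 1
        region = region_of(rec["country"])
        requests[region] += 1
        countries[rec["country"]] += 1
        if (rec["method"] == "POST" and rec["path"] in signup_paths
                and rec["status"].startswith("2")):
            signups[region] += 1
    return {
        "total": total,
        "eu_requests": requests["EU"],
        "eu_share": requests["EU"] / total if total else 0.0,
        "eea_efta_requests": requests["EEA"],
        "uk_requests": requests["UK"],
        "eu_signups": signups["EU"],
        "eea_efta_signups": signups["EEA"],
        "eu_countries": sorted(c for c in countries if c in EU_MEMBER_STATES),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a real log by replacing SAMPLE_LOG with the file's lines (and adjusting LOG_RE to your actual log_format). A non-zero eu_signups is the strongest signal that you are already processing personal data of people in the EU; a high eu_share made up of page views with no sign-ups mostly tells you that the monitoring limb of Article 3(2), i.e. what your cookies and analytics do to those visitors, is the part you need to think about.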

Conclusion

The scope of the GDPR reaches far and wide, affecting both domestic and international companies. Whether you collect or process personal data, use a third-party service that does, have few or many users who are in the EU, or simply plan to expand into the European market in the future, it makes sense to be GDPR-compliant to avoid potentially hefty fines and future complications.

If your website is truly designed and intended strictly for a non-European user base (such as the US) and you do not collect or process the personal data of people in the EU, then you do not need to comply with the GDPR. However, on the modern internet it is easy to send and receive information anywhere in the world in the blink of an eye, and the GDPR does not leave much room for negotiation. If there is any question as to whether you should comply, it may be safer simply to follow the Regulation and take advantage of the European market.

Looking to the future

Even if you are not currently required to comply with the GDPR, there is no harm in doing so. Companies planning to expand into the European market may opt to become compliant now, alongside those who are required to. There are many resources available for becoming compliant, so if you expect to need compliance later, taking advantage of these resources now is not a bad idea.

You can also expect other jurisdictions to follow the EU's lead in updating their own privacy laws, and several already have (California's CCPA and Brazil's LGPD, for example, borrow much of the GDPR's structure). The GDPR remains one of the strongest and most influential data protection laws to date.

It also simply looks good for companies to be GDPR-compliant even if they have no users in the EU. Compliance shows that you value the privacy of your users and take care to protect their rights and personal information beyond what the law strictly requires.


FAQs

Who needs to comply with the GDPR?

Any company or organisation that is established in the EU, or that offers goods or services to individuals in the EU or monitors their behaviour there, must comply with the GDPR when it collects or processes their personal data (Article 3).

Is GDPR compliance mandatory?

Yes. Any company that stores or processes personal data of individuals in the EU under the conditions above must comply, even if it has no business presence in the EU.

Does everyone have to comply with the GDPR?

Everyone responsible for using personal data within its scope has to follow the data protection principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. In the UK the same principles apply under the UK GDPR and the Data Protection Act 2018.

Does the GDPR require you to agree to Terms and Conditions?

No. Terms and Conditions are a contract tool, not a GDPR requirement, and they are not legally required in order to run a website. What the GDPR does require is that you give data subjects the transparency information listed in Articles 13 and 14 (usually in a Privacy Policy) and, where you rely on consent, that the consent is freely given, specific, informed and unambiguous (Article 4(11)); consent buried inside Terms and Conditions is unlikely to be valid (Article 7(2)). Properly written Terms and Conditions still serve their own purpose: establishing what uses of your site and associated property are and are not allowed.

What happens if you don't comply with the GDPR?

Article 83(4) provides for administrative fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements such as breaches of controller and processor obligations. Article 83(5) doubles this to 20 million euros or 4% of turnover for the most serious infringements, including breaches of the basic processing principles, of data subject rights and of the international transfer rules. "Undertaking" has the meaning used in EU competition law (Articles 101 and 102 TFEU), so the turnover of a whole corporate group can count. Supervisory authorities can also order processing to stop.

Who is exempt from GDPR compliance?

Article 2(2) excludes processing that falls outside the scope of Union law, processing by a natural person in the course of a purely personal or household activity, and processing by competent authorities for law enforcement purposes (which is governed by the separate Law Enforcement Directive 2016/680). Article 85 requires Member States to reconcile the GDPR with freedom of expression, so national law carves out derogations for journalism, and Article 23 lets Member States restrict certain rights by law for purposes such as national security. These are exemptions from specific rules, not a blanket pass.

Who does not need to comply with the GDPR?

A company outside the EU with no EU establishment that neither offers goods or services to people in the EU nor monitors their behaviour there falls outside Article 3 and is not subject to the GDPR.

Does the GDPR apply to US citizens?

Yes. Protection attaches to data subjects who are in the EU, whatever their nationality, so a US citizen living in or visiting the EU is protected. A US citizen outside the EU is also protected when the controller or processor is established in the EU (Article 3(1)).

When did the GDPR become mandatory?

The GDPR (Regulation (EU) 2016/679) was adopted on 27 April 2016 and has applied since 25 May 2018. It replaced the 1995 Data Protection Directive (95/46/EC).

Is compliance with the GDPR optional?

No. Companies that do not handle personal data correctly may face fines and enforcement orders.

Where is the GDPR mandatory?

The GDPR applies if your company is established in the EU and processes personal data, regardless of where the processing itself takes place (Article 3(1)), and if your company is established outside the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU (Article 3(2)). It also applies in Iceland, Liechtenstein and Norway via the EEA Agreement.

What does the GDPR legally require?

Among other things, a lawful basis for every processing activity. Article 6 sets out six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. Consent is only one of them.

Can you refuse a GDPR request?

Only if an exemption or restriction applies, or if the request is manifestly unfounded or excessive (Article 12(5)), in which case you may refuse it or charge a reasonable fee. Otherwise you must respond without undue delay and within one month, extendable by two further months for complex or numerous requests (Article 12(3)), and if you refuse you must tell the data subject why and that they can complain to a supervisory authority (Article 12(4)).

What is a GDPR violation?

Any infringement of the Regulation's obligations: processing without a lawful basis, failing to provide transparency information, ignoring data subject requests, inadequate security (Article 32), or unlawful international transfers, among others. A personal data breach (Article 4(12)) is one specific kind: a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, that is, an impact on its confidentiality, integrity or availability. Breaches must be reported to the supervisory authority within 72 hours of the controller becoming aware of them unless they are unlikely to result in a risk to individuals (Article 33), and to the affected individuals when the risk is high (Article 34).

Author: Jonah Leffler