iluom
Contributor II

GDPR Scope

Does GDPR apply to non-EU data subjects (living outside the EU member countries) if the controller (Data Owner company) or processor (Cloud Service Provider) company is based in the EU?

Regards

Chandra Mouli, CISSP, CCSP, CSSLP
9 Replies
Balby84
Newcomer II

This is actually quite an interesting question; following this thread.

Flyslinger2
Community Champion

Personally I would never want someone that I didn't elect making laws "on my behalf".  Most likely they wouldn't have my best interests at heart because they didn't consult me.

 

 

AlecTrevelyan
Community Champion


@iluom wrote:

Does GDPR apply to non-EU data subjects (living outside the EU member countries) if the controller (Data Owner company) or processor (Cloud Service Provider) company is based in the EU?

Regards


Yes, the GDPR would apply in your example.

 

This is covered under the first point in Article 3 of the General Provisions section of the GDPR:

 

https://gdpr-info.eu/art-3-gdpr/

"Article 3

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

 

Effectively it is saying that all EU-based companies have to process ALL personal data in accordance with the GDPR.

 

AlecTrevelyan
Community Champion


@Flyslinger2 wrote:

Personally I would never want someone that I didn't elect making laws "on my behalf".  Most likely they wouldn't have my best interests at heart because they didn't consult me.

 

 


This is one of the core arguments used by people who voted for Brexit.

 

Balby84
Newcomer II

I think the point here is that if you do business in a specific country, you will follow the rules of that country.

MikeGlassman
Contributor II

If you happen to be an American, and with no intention to say something against America, but the data laws in place there, as well as the government's ability to access any data it wants at any time with the flip of a finger, should make you wish your data was stored in the EU or subject to EU regulations.

 

I, when considering where to store my corporate data, will never store it in the US, for that reason.

 

So you should be happy with what the EU does in privacy regards, even if it is a bit of a mishmash.

Sincerely,

Mike Glassman, CISSP
Iguana man
MikeGlassman
Contributor II

I would change the words "you will" to "you are required".

This is even more true if you are discussing privacy issues.
Sincerely,

Mike Glassman, CISSP
Iguana man
HTCPCP-TEA
Contributor I

If ever you have any sort of doubt around whether GDPR is in scope or not, follow a simple rule:

 

If at any point a reference is made to the EU, an EU citizen or anything European, it is more or less certain that GDPR is applicable. 

 

Therefore, while looking at your task, if any single piece of it lands on EU soil, or citizen - Bingo - GDPR. 

 

Cheers

 

 

iluom
Contributor II

:) awesome!!!

Chandra Mouli, CISSP, CCSP, CSSLP