Newcomer I

GDPR in Australia

Hi all,

 

Are Australian companies that employ EU citizens (for example, on a sponsorship visa, living in Australia) required to comply with GDPR?


Thanks,
Caio

3 Replies
Newcomer II

Re: GDPR in Australia

Hi Caio,

 

The short answer is yes.

 

As EU citizens, they are entitled to GDPR protections, so technically speaking there is an obligation on an Australian business to be GDPR compliant.

 

http://blog.isc2.org/isc2_blog/2018/09/free-gdpr-course-for-members.html might also be of benefit to you. It's a fantastic GDPR training course for (ISC)2 members, available to you free of charge, that will help educate you on the finer points of GDPR.

 

Any questions, let me know. 

Newcomer I

Re: GDPR in Australia

Hi Tony,

 

Thanks for the reply.

 

I am enrolled and currently going through the training, which is why the curiosity for the question came up.

 

I understand the compliance requirement for companies that trade globally, either with a presence in the EU or, if only externally, offering goods or services to EU citizens living in EU countries. But I am still intrigued as to how SMEs all over the world that have EU citizens living in a country other than an EU member state would be required to be compliant and pay fines to the EU, when their own countries don't even have anything signed with the EU to enforce the strict requirements.

 

Australia, for example, has implemented the NDB Scheme based on the Australian Privacy Act, but it is still a separate compliance regime. It does mention compliance requirements for the GDPR as follows:

"Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act) (known as APP entities), may need to comply with the GDPR if they:

  • have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU."

https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-a...

 

Where would you say the obligation is coming from, based on my original question?

 

Thanks again.

 

Caio

Newcomer II

Re: GDPR in Australia

Hi Caio,

 

This may be a question best asked of a lawyer, but I'll do the best I can.

 

GDPR and NDB are not mutually exclusive. 

 

Notifiable Data Breaches in Australia covers a data breach of any data held by eligible organisations (turning over $5m, and not State or Local Government organisations). For SMBs under this turnover figure, NDB does not apply.

 

Technically speaking, the EU could pursue a non-EU based organisation if the data of an EU citizen is compromised through a breach. If that organisation has a formal presence in the EU, it's much more likely to do so, and that organisation will need to have ensured GDPR compliance (and that compliance affects ALL of its global operations). Of course, how the EU chooses to enforce these rules remains to be seen.

 

Again, this is definitely a legal question to consider. 

 

https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-aust... will assist you as well.