Are Australian companies that employ EU citizens (for example, on a sponsorship visa) living in Australia required to comply with GDPR?
The short answer is yes.
As EU citizens, they are entitled to GDPR protections, so technically speaking there is an obligation on an Australian business to be GDPR compliant.
http://blog.isc2.org/isc2_blog/2018/09/free-gdpr-course-for-members.html might also be of benefit for you. It's a fantastic GDPR training course for (ISC)2 members that is available to you, free of charge, and that will help educate you on the finer points of GDPR.
Any questions, let me know.
Thanks for the reply.
I am enrolled and currently going through the training, which is why the curiosity for the question came up.
I understand the compliance for companies that trade globally, either with a presence in the EU, or if only externally but also offering services or goods to EU citizens living in EU countries, but I am still intrigued as to how SMEs all over the world that have EU citizens living in a country other than an EU member state would be required to be compliant and pay fines to the EU, when their own countries don't even have anything signed with the EU to enforce the strict requirements.
Australia, for example, has implemented the NDB Scheme based on the Australian Privacy Act, but it is still a separate compliance requirement. It does mention compliance requirements for the GDPR as follows:
"Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act) (known as APP entities), may need to comply with the GDPR if they:
Where would you say is the obligation coming from based on my original question?
This may be a question best asked of a lawyer but I'll do the best I can.
GDPR and NDB are not mutually exclusive.
Notifiable Data Breaches in Australia covers a data breach of any data held by eligible organisations (turning over $5m and not State or Local Government organisations). For SMBs under this turnover number, NDB does not apply.
Technically speaking, the EU could pursue a non-EU based organisation if the data of an EU citizen is compromised through a breach. If that organisation has a formal presence in the EU, it's much more likely to do so, and that organisation will need to have ensured GDPR compliance (and that compliance affects ALL of its global operations). Of course, how the EU chooses to enforce these rules remains to be seen.
Again, this is definitely a legal question to consider.