Are Australian Companies, that employee EU Citizens for example on an Sponsorship Visa living in Australia required to comply with GDPR?
The short answer is yes.
As EU citizens, they are entitled to GDPR protections so technically speaking, there is an obligation on an Australian business to be GDPR compliant.
http://blog.isc2.org/isc2_blog/2018/09/free-gdpr-course-for-members.html might also be of benefit for you. Its a fantastic GDPR training course for (ISC)2 members that is available to you, free of charge, that will help educate on the finer points of GDPR.
Any questions, let me know.
Thanks for the reply.
I am enrolled and currently going through the training and why the curiosity for the question came up.
I understand the compliance for companies that trade globally either with presence in the EU, or if only externally but also offer services or goods to EU citizens living in EU countries, but I am still intrigued on how SME all over the world that have EU citizens living in a country other than on EU member states, would be required to be compliant and pay fines to the EU, when their own countries don't even have anything signed with EU to enforce the strict requirements.
Australia for example has implemented the NDB Scheme based on the Australian Privacy Act but is still a separate compliance. It does mention compliance requirements to the GPDR as follows:
"Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act) (known as APP entities), may need to comply with the GDPR if they:
Where would you say is the obligation coming from based on my original question?
This may be a question best asked of a lawyer but I'll do the best I can.
GDPR and NDB are not mutually exclusive.
Notifiable Data Breaches in Australia covers a data breach of any data held by eligible organisations (turning over $5m and not State or Local Government organisations). For SMB's under this turnover number, NDB does not apply.
Technically speaking, the EU could pursue a non-EU based organisation if the data of an EU citizen is compromised through a breach. If that organisation has a formal presence in the EU, its much more likely to do so and that organisation will need to have ensured GDPR compliance (and that compliance affects ALL of its global operations). Of course, how the EU chooses to enforce these rules remain to be seen.
Again, this is definitely a legal question to consider.
Hi ideal world speaking
1. The EU-GDPR applies to all PII data stored within the EU (so for EU citizens and non-EU-citizens)
2. The EU-GDPR applies to all EU-Citizen PII data any where in the world.
3. Now the get-out-of-jail free card is for companies to ask for consent to do what ever they want with your data. And in 99% everybody clicks agree.
Now point 2 is very difficult to enforce if point 3 is inplace and you clicked agree.Even without point 3 it is difficult to enforce. So it comes done to the individual to evaluate.
So back to your question - they must comply - but it is difficult to enforce. Even within Australia the maturity of privacy between the status is huge.
so you have to fall back into EU-GDPR complaince statements, via a thirdparty message. Now companies that take cybersecurity and privacy serious will give this on their website.
Now what I do for example, when I apply for a position and am not a successful candidate I will ask the company to securely delete my data and confirm this and I cc the privacy officer from the privacy statements. This to avoid any future data loses in a breach. Some professional companies confirm, some of them don't and some of them ask questions why I am doing this. And you will see that the last two groups have poor privacy statements or even copies form other companies and they forgot to change the details.
Just read the privacy statements have a talk with them and let your gut feeling do the rest.
As a very last resort - report the company to one of the European privacy authorities. They will file and register the company. This might be handy - not for your situation, but for future situations. E.g. if they try to open shop in the EU. But then again do you want all this effort/trouble.
I would only do this if they made copies of your passport / ID's. Identity theft is a serious problem in Australia.