The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Does a European service provider have to comply with the GDPR, even if its client is not subject to the regulation?

Answer: Yes.

The GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”¹  To the extent that a service provider processes data in the context of its establishment in the European Union it is, therefore, subject to the GDPR regardless of whether its client (i.e., the data controller) is itself subject to the GDPR.  So, for example, if an American company that is not subject to the GDPR transmits data to a service provider in Europe, the European service provider is independently “required to comply with the obligations imposed on processors by the GDPR.”²

The net result is that data sent to a European processor by an American company that is not subject to the GDPR receives the GDPR’s processor-imposed protections, but does not receive the GDPR’s controller-imposed protections.  From a functional standpoint this means that the processor should:

• Enter into a contract with its client that satisfies the requirements of Article 28 of the GDPR (except that the contract does not need to include provisions that are designed to help a controller satisfy controller-imposed obligations under the GDPR).
• Not process data except on instructions from its client, unless required to do so by Union or Member State law.
• Maintain a record of all categories of processing carried out on behalf of its client pursuant to Article 30(2) of the GDPR.
• Cooperate with European supervisory authorities upon request.
• Implement technical and organizational measures to ensure an appropriate level of security.
• Notify its client without undue delay after becoming aware of a personal data breach.
• Designate (if needed) a data protection officer.
• Take steps to comply with restrictions on the cross-border transfer of information.³

1. GDPR, Article 3(1) (emphasis added).

2. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 9.

3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 11.

[View source.]