Q&As

Will the processing of personal data relating to US citizens by a UK company in the UK be subject to the GDPR (once that applies) (and assuming the personal data relates to US citizens only, not EU citizens)?

read titleRead full title
Produced in partnership with Shobana Iyer of Swan Chambers
Published on LexisPSL on 17/05/2017

The following Information Law Q&A produced in partnership with Shobana Iyer of Swan Chambers provides comprehensive and up to date legal information covering:

  • Will the processing of personal data relating to US citizens by a UK company in the UK be subject to the GDPR (once that applies) (and assuming the personal data relates to US citizens only, not EU citizens)?

Although the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) does not necessarily apply to every organisation in the world, it applies to all organisations that are ‘established’ in the EU, and/or for non-EU ‘established’ organisations who target or monitor EU data subjects. The territorial scope of the GDPR is addressed in Recitals 22 and 23 and Article 3, which extends the reach of the EU data protection regime.

Practice Note: UK GDPR and EU GDPR—extra-territorial reach explains the territorial scope of the GDPR in greater detail and the narrow range of exemptions available in respect of certain types of data processing.

Aside from the application of public international law provisions (ie an organisation that is not established in any Member State, but is subject to the laws of a Member State by virtue of public international law is also subject to the GDPR (Recital 25; Article 3(3)), Article 3 contains three tests for the application of the GDPR:

  1. an ‘establishment test’ that is broader than the equivalent test under Directive 95/46/EC (the Data Protection Directive), and

  2. two tests that apply to the data proces

Popular documents