IRMI Online Talk With Us

Category Focus
Claims, Case Law, Legal

Commercial Auto

Commercial Liability

Commercial Property

COVID-19

Personal Lines and Small Business

Risk Financing and Captives
Risk Management

Specialty Lines

Workers Compensation

White Papers

Free Articles

Videos
Industry Focus
Agribusiness Industry

Construction Industry

Energy Industry
Transportation Industry

Insurance Industry
Conferences
Agribusiness Conference

Construction Risk Conference

Energy Risk and Insurance Conference
Transportation Risk Conference

Sessions On Demand
Insurance Education
Certifications

Agribusiness and Farm Insurance Specialist

Construction Risk and Insurance Specialist

Energy Risk and Insurance Specialist

Management Liability Insurance Specialist
Manufacturing Risk and Insurance Specialist

Transportation Risk and Insurance Professional

Continuing Education

Insurance Industry Training

IRMI Webinars
Subscribe
Plans and Pricing

Catalog

Request a Demo

IRMI Tutorials

Product Updates

Enterprise Subscriptions
Free Newsletters

White Papers

Product Tour

Podcast

How-To Videos
About IRMI
Our Mission

Our Story

Our Team

Our Brands
Press Releases

Careers

Contact Us

Advertise
Glossary
Terms
Acronyms
Membership
IRMI Webinars

Newsletters
White Papers

Join for Free

Home Articles Expert Commentary Application of EU's General Data Protection Regulation

Cyber and Privacy Risk and Insurance

Application of EU's General Data Protection Regulation

Melissa Krasnow | March 9, 2018

A close-up image of Europe on a blue globe with light streaks circling the globe

The EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. Business partners and service providers are asking organizations about whether the GDPR applies to them (for example, in agreements). This article provides a brief overview of when the GDPR applies to an organization.

Key definitions in the GDPR are as follows.¹

Data controller. A person, which, alone or jointly with others, determines the purposes and means of the processing of personal data. Art. 4(7).
Data processor. A person that processes personal data on behalf of the data controller. Art. 4(8).
Data subject. A natural person to whom the personal data relates. Art. 4(1).
Processing. Any operation performed on personal data, whether by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Art. 4(2). Examples of processing include staff management and payroll administration, access to/consultation of a contacts database containing personal data, sending promotional emails, shredding documents containing personal data, posting/putting a photo of a person on a website, and storing Internet Protocol (IP) addresses, MAC addresses, or video recording (closed-circuit television).²
Personal data. Any information that relates to an identified or identifiable living individual. Art. 4(1). Examples of personal data include name and surname, home address, an email address such as [email protected], identification card number, location data, Internet Protocol address, cookie ID, or advertising identifier of a phone and data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.³ Examples of data not considered to be personal data include company registration number, an email address such as [email protected], and anonymized data.⁴

When the GDPR Applies

The GDPR applies if a data controller or a data processor has an establishment in the European Union and processes personal data, regardless of whether the processing takes place in the European Union. Art. 3(1). One example is a company with an establishment in the European Union that provides travel services to customers based in the Baltic countries and in that context processes personal data of natural persons.⁵

The GDPR also applies if a data controller or a data processor is not established in the European Union and processes personal data of data subjects who are in the European Union, where the processing activities relate to (a) offering goods or services to such data subjects in the European Union, whether for payment or for free or (b) monitoring their behavior within the European Union. Art. 3(2).

A data controller or a data processor is offering goods or services to data subjects who are in the European Union where it is apparent that the data controller or data processor envisages offering goods or services to a data subject in the European Union. Using a language or currency generally used in the European Union with the possibility of ordering goods and services in such language or mentioning customers who are in the European Union may make this apparent. However, the mere accessibility of a website in the European Union, an email address of or other contact details, or use of a language generally used in the third country where the data controller is established is insufficient.⁶

Monitoring the behavior of data subjects means tracking natural persons on the Internet, including the potential subsequent use of personal data processing techniques that consist of profiling a natural person, especially for decisions concerning them or for analyzing or predicting their personal preferences, behaviors, and attitudes.⁷

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Footnotes

¹ See the full text of the GDPR.

² European Commission, "What Constitutes Data Processing?"

³ European Commission, "What Is Personal Data?" and GDPR, Recital (30).

⁴ European Commission, "What Is Personal Data?"

⁵ European Commission, "What Does the General Data Protection Regulation (GDPR) Govern?"

⁶ European Commission, "Who Does the Data Protection Law Apply to?" and GDPR, Recital (23).

⁷ Recital (24).