Does GDPR/Art 27 apply?

By answering the following questions, you will assess whether the GDPR and Article 27 apply to your business.
References to articles and recitals are to those parts of the General Data Protection Regulation (GDPR).

1. Does your company control or process personal data related to people in the EU? [article 3(2) GDPR]

Definitions:

  • CONTROL: the ability to determine (either alone or with others) the purposes and manner in which any personal data is, or will be, processed (an organization with this discretion is defined as "DATA CONTROLLER")
  • PROCESS: any operation performed on personal data, whether directly or by automated means, including: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data on behalf of the data controller (this organization is termed a "DATA PROCESSOR")
  • PERSONAL DATA: any information relating to a person (the 'data subject') who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier (e.g. IP address or email address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
  • PEOPLE IN THE EU: this does not identify just EU citizens, it includes people of other nationalities in the EU

NO - GDPR does not apply to your business
YES - GDPR may apply to your business
If the answer is YES, please continue further in the questionnaire

2. Are you processing personal data for the offering of goods or services, regardless of whether payment is required, to those people in the EU, or for the monitoring of their behaviour, if that behaviour takes place in the EU? [article 3(2)]

Definitions:

  • GOODS OR SERVICES: whether a company offers its goods or services in the EU will depend on a number of factors, but if your company targets, or makes sales available to, people in the EU (e.g. uses languages or currencies particular to the EU), it is likely to be offering goods or services in the EU (see also Recital 23)
  • MONITORING: this occurs when persons are tracked on the internet, for example through the use of personal data in processing techniques that profile a person in order to take decisions about them or to analyse/predict their preferences, behaviours and attitudes (see also Recital 24)

NO - GDPR does not apply to your business
YES - GDPR applies to your business. Please note that this is not affected by where you are located globally. The GDPR carries a number of consequences which go well beyond the requirement of appointing a Data Protection Representative in the EU. For further information, please contact us at biuro@pdpgroup.pl in respect of GDPR consultancy.
If the answer is YES, please continue further to the next question

3. Is the processing of personal data undertaken in the course of an activity that falls outside the scope of EU law? [article 2(2)(a)]

Definitions:

  • OUTSIDE THE SCOPE OF EU LAW: this exclusion applies to those areas where individual EU Member States retain control, including issues of fundamental rights and national security (Recital 16). Unless you are aware of a specific exemption, it would be best to assume the relevant activities will fall within the scope of EU law.

YES - Article 27 does not apply to your business
NO - Article 27 may apply to your business
If the answer is NO, please continue further to the next question

4. Are you a public authority? [article 27(2)(b)]

Definitions:

  • PUBLIC AUTHORITY: this includes local and central government, as well as most publicly funded institutions (education, healthcare, judiciary), but may not extend to private education and healthcare, especially where sensitive data (e.g. medical, religion etc.) are being processed

YES - Article 27 does not apply to your business
NO - Article 27 may apply to your business
If the answer is NO, please continue further to the next question

5. Does the 'occasional' exemption apply to your business?

The exemption applies to occasional processing of personal data which (a) is not large scale processing of sensitive data or criminal offences and (b) which is not likely to result in a risk to the rights and freedoms of people [article 27(2)(a)].

Definitions:

  • OCCASIONAL: the meaning of this term is unclear. In general, where there is uncertainty, the EU courts have favoured the protection of individuals' rights in respect of their data. A fair guess of how it might be viewed is: 'processing which (a) is more than incidental to the business activities of the data processor, or (b) without which the data processor would suffer a material negative impact in its activities'
  • LARGE SCALE: processing which could affect a large number of people (potentially not medical and legal data) (Recital 91)
  • SENSITIVE DATA: "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" (Article 9(1))
  • CRIMINAL OFFENCES: information about criminal arrests, convictions and investigations (Article 10)
  • RISK TO THE RIGHTS AND FREEDOMS: where processing is "carried out systematically on a large scale" (Recital 91) (the "nature, context, scope and purposes of the processing" are considered when deciding if processing occurs on a large scale (Recital 80))

YES, the exemption applies - Article 27 does not apply to your business
NO, the exemption does not apply - Article 27 applies to your business and if you fail to appoint a Data Protection Representative you could be fined up to (the greater of) €10,000,000 or 2% of global turnover [Article 84(4)(a)]