
mmazurki | 4 years ago

IANAL

Customers don't have to be in the EU for GDPR to apply; it applies everywhere as long as the data subject is an EU citizen. You're probably already not compliant unless you can 100% guarantee that none of your users in the US are EU citizens.

The goal of GDPR is not to enforce a technical choice of a provider/technology but to ensure the existence of processes and the validity of data collection and usage by companies on EU citizens. In essence, no it is not required to host your data in Europe but that is a possible interpretation.

First, lawyer up. Identify which data items are PII and which are not, make sure you have a process for Article 17 (right to data erasure), appoint a DPO, and make a real privacy policy stating the full extent and intent of data collection. Depending on the type of data you process, different regulations will apply in addition to GDPR (PDSG, HDS for health data, BaFin/AMF for finance in Germany/France); they vary based on industry and country. That will impact your overall technical design, so this is prep work for everything else.

Technically, I would definitely suggest having a separate database in the EU and being prepared to potentially split your data among different countries as well. The processing of that data also might need to be split between US/EU and EU countries.

If you deal with data aggregation between the EU and US, you might not be allowed to run some analytics that contain personal data and will need to anonymize it and justify that process to your DPO.


weirdy_DPO | 4 years ago

Hello,

DPO for a small UK charity here. The UK GDPR, which is now a separate article of legislation to the EU GDPR by the way, specifies in Article 3 that it applies "to the [(F2) relevant] processing of personal data of data subjects who are in [(F3) the United Kingdom] by a controller or processor not established in [(F3) the United Kingdom]..." Link to source: https://www.legislation.gov.uk/eur/2016/679/article/3

This to me suggests that even a US citizen, who happens to be in a UK airport at the time, who has data collected, falls under the UK GDPR. But it's more likely that it applies to people resident in the country, rather than just transiting.

However, the law is irrespective of nationality, opting instead to apply depending on where the data subject is. I believe the only change to the UK GDPR from the EU GDPR is the territory to which it applies. So if your data subjects are in the EU, their data is subject to the EU GDPR, or if they're in the UK, the UK GDPR.

Note also that the UK GDPR does not make the UK Data Protection Act (DPA) redundant, but just adds a layer on top of it. So you may want to look at the UK DPA if you're going to be handling UK data subjects' data. Also, the UK legislation can be found at:

UK GDPR: https://www.legislation.gov.uk/eur/2016/679/contents

UK DPA: https://www.legislation.gov.uk/ukpga/2018/12/contents

mytailorisrich | 4 years ago

No, the GDPR does not apply to EU citizens wherever they might be. That would be completely unworkable.

The GDPR applies to anyone located in the EU.

mmazurki | 4 years ago

I partially agree.

https://gdpr-info.eu/art-3-gdpr/

3-1: if you're an EU citizen in the US using only a US service, then GDPR does not apply; it falls under US data protection. However, if that US service is using an EU subprocessor, then GDPR does apply.

3-2: if you're a US citizen in the EU, you're under GDPR regardless of the service you're using.

Also, https://gdpr-info.eu/recitals/no-23/: if you're a US company targeting EU residents, you fall under GDPR.

newscracker | 4 years ago

> Customers don't have to be in the EU for GDPR to apply; it applies everywhere as long as the data subject is an EU citizen.

I’ve only read articles that said that the GDPR applies to EU residents (not necessarily citizens).