Think GDPR Doesn’t Apply? Think Again
When people think about the GDPR, they tend to picture European regulators, European consumers, and European businesses. So, it seems logical that a company based in New Zealand, Australia, or the United States, with no offices in Europe and no European customers, can safely ignore it.
However, the GDPR was deliberately designed to reach beyond Europe's borders. Whether it applies is not determined solely by where your organisation is located or where your customers are based. Instead, it focuses on the personal information being processed, the people it relates to, and the role your organisation plays in that processing.
Many organisations immediately think about customers. For example, if a New Zealand software company actively markets its services to people in Germany, prices its products in Euros, or ships goods directly to customers in France, most people can see why GDPR might apply. The organisation is deliberately engaging with individuals in Europe, even if it operates from the other side of the world.
However, customer data is only one piece of the picture. GDPR can apply to information relating to employees, contractors, job applicants, suppliers, business contacts, and other individuals located in Europe. For example, a New Zealand company may have no European customers at all, but it may employ staff who live in Germany, recruit candidates in Ireland, or maintain personnel records for employees working remotely from France. The fact that those individuals are employees rather than customers does not automatically remove GDPR from consideration. Employment data is personal data too.
Similarly, some organisations are not based in Europe but maintain a branch office, subsidiary, representative office, or local team there. Others may have salespeople, consultants, or business development staff operating from European countries. Once an organisation has activities taking place through an establishment in Europe, the GDPR analysis changes significantly. The regulation can apply to processing carried out in the context of those activities, even where the actual processing takes place elsewhere in the world.
Managed service providers, software developers, cloud providers, payroll companies, customer support providers, marketing agencies, analytics firms, and business process outsourcing companies all commonly operate as processors.
For example, consider a New Zealand company providing customer support services to an Australian software vendor. The New Zealand company has no European customers, no European offices, and no marketing activities aimed at Europe. On the surface, GDPR appears completely irrelevant. But what if the Australian software vendor sells its product globally and has thousands of customers in Germany, France, and Spain? The support team in New Zealand now has access to those customer records. They can see account information, process support requests, investigate issues, and update customer data. Although the New Zealand company never set out to do business in Europe, it is processing personal information relating to individuals in Europe as part of a service provided to a client whose activities are directed at the European market.
Businesses often focus on who they have a contract with. Privacy regulators tend to focus on whose information is being processed and why. The result is that a company can find itself participating in a GDPR-regulated processing chain without ever having signed a contract with a European organisation or sold a single product into Europe.
At the same time, there are plenty of situations where organisations assume GDPR applies when it doesn't. Using a cloud provider based in Europe does not automatically bring every customer under the GDPR. Having a supplier in Europe is not enough on its own. Likewise, occasionally receiving enquiries from European residents does not necessarily mean you are targeting the European market. The assessment depends on the specific circumstances, the nature of the processing, and how that processing relates to activities occurring within the European Union.
This is one reason GDPR scope assessments can be surprisingly nuanced. It is entirely possible for one part of a business to be subject to GDPR obligations while another part is not. The analysis is often tied to particular processing activities rather than the organisation as a whole.
For controllers, the critical considerations are whether you have an establishment in Europe, whether you are offering goods or services to people in Europe, and whether you are monitoring their behaviour. For processors, the issue is often whether you are processing personal information as part of a wider activity that falls within GDPR's reach.