Scope of the GDPR
The GDPR applies to all organizations that process personal data of individuals residing in the EU, regardless of whether the organization is based in the EU or not. This means that not only European companies are affected, but also companies outside the EU if they offer services or goods to EU citizens or monitor the behavior of EU citizens.
Affected organizations
The organizations affected include:
- Companies based in the EU: All companies based in the EU that process personal data must comply with the GDPR.
- Companies outside the EU: Companies that offer goods or services to EU citizens or monitor the behavior of EU citizens are also subject to the GDPR.
- Data processors and controllers: Both controllers, who decide on the purposes and means of data processing, and processors, who process data on behalf of a controller, must comply with the GDPR requirements.
Responsibility of data processors
The responsibility of the data processors includes:
- Compliance with GDPR requirements: Data processors must ensure that the processing of personal data is carried out in accordance with the GDPR.
- Ensuring data integrity and security: Data processors must take appropriate technical and organizational measures to ensure the security of the data.
- Reporting of data protection breaches: In the event of a data protection breach, data processors must report it to the competent supervisory authority immediately, and no later than 72 hours.
Legal references
- Article 3 of the GDPR: This article defines the territorial scope of the GDPR.
- Articles 24 to 28: These articles describe the responsibilities of data processors and controllers, including obligations to comply with data protection principles and to ensure data security.