MONOLITH LAW OFFICE | +81-3-6262-3248 | Weekdays 10:00-18:00 JST

MONOLITH LAW MAGAZINE

General Corporate

GDPR: What Happens When It's Applied Extraterritorially? Explaining How to Respond


The General Data Protection Regulation (GDPR) is the EU's set of rules for protecting personal data and regulating how it is handled. If you offer goods or services to individuals in the EU, the GDPR may apply to your business even if you have no office there. Many companies, however, do not know whether they fall within its scope or what they must do if they do.

This article will explain the scope of the GDPR, what actions to take if it applies to you, and the required responses. There is also a Q&A section on GDPR compliance, so please use it as a reference.

Scope of Application of the GDPR


The conditions under which the GDPR applies are stipulated in Article 3 ‘Territorial Scope’ of the GDPR. The scope of application of the GDPR is divided into two cases: when there is an establishment within the EU and when there is not.

The provisions for cases where there is an establishment within the EU are as follows:

“It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.”

Reference: Personal Information Protection Commission | ‘General Data Protection Regulation (GDPR) Provisional Japanese Translation[ja]

In other words, the GDPR applies to processing carried out in the context of the activities of an EU establishment of a controller or processor, even when the processing itself takes place outside the EU.

Controller: the entity that determines the purposes and means of processing personal data
Processor: the entity that processes personal data on behalf of the controller

For controllers and processors without an establishment in the EU, Article 3(2) brings processing within scope in the following two situations:

  1. When offering goods or services to data subjects in the EU, whether or not payment is required
  2. When monitoring the behaviour of data subjects in the EU, as far as that behaviour takes place within the EU

The GDPR also restricts transfers of personal data to countries outside the EU (Chapter V). Data can be transferred freely only to a country or region covered by an ‘adequacy decision’, a decision adopted by the European Commission under Article 45 finding that the destination ensures an adequate level of protection for personal data.

For destinations without an adequacy decision, the exporter must put in place appropriate safeguards under Article 46, such as SCCs or BCRs, before transferring personal data out of the EU.

SCC (Standard Contractual Clauses): model clauses adopted by the European Commission that the data exporter and importer must incorporate into their data transfer agreement
BCR (Binding Corporate Rules): internal policies and rules, approved by a supervisory authority, for protecting personal data obtained in the European Economic Area (EEA) when it is shared with group companies outside the EEA

Where an adequacy decision covers the destination, none of these additional procedures is required; that is the practical difference.

At the regular Japan-EU summit in July 2018, the two sides announced that they had agreed on a framework for mutual recognition of their personal data protection systems and would work to bring it into force. On January 23, 2019, the European Commission adopted its adequacy decision for Japan, and Japan adopted the corresponding decision for the EU; as announced at the time, “the EU and Japan have adopted a decision recognizing each other as providing an equivalent level of protection for personal data.”

What Must Companies Do to Comply with the GDPR?

Companies subject to the GDPR’s extraterritorial application must, among their other obligations, take the following two actions:

  • Appoint a representative in the EU/UK
  • Include specific information in their Privacy Policy

Let’s delve into the details of each requirement.

Appointing a Representative in the EU/UK

Article 27 of the GDPR requires a controller or processor that is not established in the EU but falls under Article 3(2) to designate a representative in the EU. The UK GDPR contains an equivalent Article 27 requiring a representative in the UK, so a company subject to both regimes needs a representative in each.

The term ‘representative’ refers to a person appointed in writing by the controller or processor to act on behalf of the controller or processor with respect to their obligations under the GDPR.

Not every company without an EU establishment that falls under Article 3(2) has to appoint a representative. The obligation does not apply in the following cases (Article 27(2) of the GDPR):

  • The processing is occasional, does not include large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, and, taking into account the nature, context, scope and purposes of the processing, is unlikely to result in a risk to the rights and freedoms of natural persons
  • The controller or processor is a public authority or body

Reference: Personal Information Protection Commission | ‘General Data Protection Regulation (GDPR) Provisional Japanese Translation[ja]

Specifying in the Privacy Policy

Companies subject to the GDPR must include the identity and contact details of their representative in the privacy notice they give to data subjects (Articles 13(1)(a) and 14(1)(a) of the GDPR), so the privacy policy should state who the representative is and how to contact them.

Penalties for Not Appointing a Representative

It is important to note that failing to appoint a representative, despite being within the scope of Article 27, is itself an infringement subject to administrative fines. The fine can be up to EUR 10,000,000 or, for an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher (GDPR Article 83(4)(a)).

Duties Required of a Representative


When falling within the scope of the GDPR, it is generally required to appoint a representative. But what exactly are the duties expected of a representative? Here, we will explain in detail the responsibilities of a representative.

Records of Processing Activities (Article 30)

Article 30 requires each controller and processor to maintain a record of its processing activities, and it places the same duty on the controller’s or processor’s representative where one has been appointed. A controller or processor that has designated a representative in the EU must therefore share its processing records with the representative, who keeps them in the same form (GDPR Article 30(1) and (2)).

The record must contain, among other things:

  • The name and contact details of the controller (or processor), any joint controller, the representative and the DPO (Data Protection Officer)
  • The purposes of the processing
  • The categories of data subjects and the categories of personal data processed
  • The categories of recipients, including recipients in third countries
  • Any transfers to a third country and the safeguards relied on
  • Where possible, the envisaged time limits for erasure of each category of data (retention periods and deletion schedules)
  • Where possible, a general description of the technical and organisational security measures

A data subject is an identified or identifiable natural person to whom the personal data relates.

The controller, processor and, where applicable, the representative must make the record available to the supervisory authority on request (GDPR Article 30(4)).

Handling Inquiries from Data Subjects or Supervisory Authorities

The representative is mandated to be addressed by data subjects and supervisory authorities, in addition to or instead of the controller or processor, on all issues related to the processing (GDPR Article 27(4)). The underlying deadlines still bind the controller: for example, when a data subject exercises a right, the controller must respond without undue delay and in any event within one month of receiving the request, extendable by two further months for complex or numerous requests (GDPR Article 12(3)). Representatives must also cooperate, on request, with supervisory authorities (GDPR Article 31).

Q&A on the Application of the GDPR


We will answer some of the most common questions regarding the application of the GDPR below.

Is GDPR Compliance Necessary If There Are No Plans for International Expansion?

Generally, if there are no plans to expand internationally, compliance with the GDPR (General Data Protection Regulation) is not necessary. However, caution is required if there is a possibility of acquiring data from individuals within the EU, even without international expansion.

Consider the following scenarios:

  • Operating an e-commerce site and receiving inquiries or orders from individuals within the EU
  • Acquiring online identifiers (such as IP addresses or cookies) of individuals within the EU through site visits
  • Obtaining email addresses when responding to inquiries from individuals within the EU

Inadvertently acquiring personal data from individuals in the EU does not by itself bring you within the territorial scope of the GDPR. Recital 23 makes clear that the mere accessibility of a website from the EU is not enough; what matters is whether you envisage offering goods or services to people there, which is indicated by factors such as using an EU language or currency with the possibility of ordering in that language, or mentioning customers or users who are in the EU.

Remember, GDPR compliance is necessary only if you have an establishment within the EU or, even without one, if either of the following two conditions applies:

  1. You are offering goods or services to individuals within the EU
  2. You are monitoring the behavior of individuals within the EU

What Measures Are Necessary When Launching a Cross-Border E-Commerce Site Targeting the EU Region?

When launching a cross-border e-commerce site that targets the EU region, you will very likely collect personal data from individuals within the EU. The types of information that may be collected include:

  • Name
  • Email address
  • Address
  • Credit card information
  • Purchase history
  • Location data
  • IP address & Cookie ID

If you collect this information, it is considered personal data under the General Data Protection Regulation (GDPR), and therefore, you must handle it in accordance with GDPR rules.

First, it is advisable to review and revise your privacy policy to ensure GDPR compliance and to publish a privacy notice.
Related article: Explaining Key Points for Creating a GDPR-Compliant Privacy Policy![ja]

Then, follow these steps:

  1. Establish a cookie policy and obtain consent for the use of cookies from first-time visitors to your e-commerce site
  2. When collecting personal data, obtain valid consent for the ‘handling of personal data’ or identify another lawful basis for the processing
  3. Implement appropriate technical and organisational security measures to protect personal data and prevent data breaches (Article 32)
  4. Appoint a representative in the EU (Article 27)

Additionally, as needed, review internal rules and create manuals for GDPR compliance, and revise contracts with outsourced service providers so that they contain the terms Article 28 requires for processors.

What are the differences between the GDPR and the UK GDPR?

The UK GDPR is the United Kingdom’s version of the General Data Protection Regulation. It took effect on January 1, 2021, at the end of the Brexit transition period, when the EU GDPR ceased to apply in the UK.

The UK GDPR applies to organisations established in the UK and, for organisations that are not, in the following cases:

  1. When offering goods or services to individuals within the UK
  2. When monitoring the behaviour of individuals within the UK

If you are conducting business within the UK and the EU, it is necessary to comply with both the GDPR and the UK GDPR.

Summary: Consult an Expert When in Doubt About the Scope of GDPR


If your company has an establishment within the EU, or even if it does not but offers goods or services to individuals in the EU or monitors their behaviour, you fall within the scope of the GDPR. Companies subject to the GDPR’s extraterritorial application must designate a representative within the EU and state the representative’s identity and contact details in their privacy policy.

Failing to appoint a representative can result in substantial fines. Companies that are operating or considering expanding into the EU should comply with GDPR by designating a representative.

If you are unsure whether your company falls under the scope of GDPR, we recommend consulting with an expert knowledgeable in international legal affairs.

Guidance on Measures by Our Firm

Monolith Law Office is a legal practice with extensive experience in IT, particularly in both the internet and legal fields. In recent years, global business has been expanding increasingly, and the need for legal checks by specialists is growing more than ever. Our firm provides solutions related to international legal affairs.

Areas of practice at Monolith Law Office: International Legal Affairs & Overseas Business[ja]

Editor in Chief and Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.
