With GDPR implementation date this Friday, May 25th, it's time to assess where your organization stands with the GDPR. This is the first in a series of short, easily digested blog posts addressing some GDPR basics.
The GDPR applies to personal data (Article 2.1) about any identified or identifiable natural person (Article 1.1) who is in Europe. It is, of course, a little more complicated than that - but not much.
If a data subject's data is being processed by a Data Controller or a Data Processor in Europe then it applies (Article 3.1) - which may mean that individuals who are not in the EU and have no situs with the EU other than having their data processed by an EU controller or processor are covered.
Separately, if a data subject's data is being processed by an organization outside Europe who EITHER markets goods or services to Europe (Article 3.2a) OR monitors natural people in Europe (Article 3.2b) then it applies.
The citizenship or residence of the individual is not contemplated by the GDPR. Note specifically Article 3.1 applies to the geography of the controller or processor, Article 3.2a applies "to such data subjects in the Union" and Article 3.2b applies "as far as their behaviour takes place within the Union."
Further, Recital 2 makes clear that the GDPR applies to Data Subjects "whatever their nationality or residence" and Recital 4 echoes that and makes clear that the GDPR is designed for everyone in the world, saying "The processing of personal data should be designed to serve mankind."