What is the GDPR?

So what actually is the GDPR? 

The General Data Protection Regulation (or GDPR) is a piece of legislation initially created by the European Commission. It has since been adopted by all EEA members and was incorporated into the UK’s Data Protection Act in 2018.

The GDPR governs the way in which we can use, process, and store information about an identifiable, living person (personal data). It applies to all organisations within the EU/UK, as well as those supplying goods or services to the EU/UK or monitoring EU/UK citizens.

Consequently, the GDPR alters how businesses and other organisations can handle the information of those who interact with them. It defines the limitations and expectations of personal data processing activities for companies and covers areas such as transfer mechanisms, data subject rights, and security expectations.

For all applicable businesses, the GDPR is a legal obligation. It is the strictest data protection law in the world and introduced a standardised approach to data protection, including new fundamental rights for EU citizens with regard to their data.

In doing so it superseded and unified many pre-existing national data protection laws and is seen as the ‘gold standard’ of data protection.

What is the scope of the GDPR?  

The GDPR is applicable to any organisation processing the data of EU/UK citizens or residents, or offering goods or services to such people.

It does not matter whether your organisation is located in the EU or UK: if you process such data, the GDPR will apply to you!

Example: 

My organisation is located in the USA but it offers goods to the EU residents/citizens - does the GDPR apply to me? 

- Yes! You may also need further international transfer mechanisms if your organisation is not based in an EU/EEA territory OR in a country with an ‘adequacy decision’. Keep reading to find out more in the section on International Data Transfers.

What is the UK GDPR? 

Following the UK’s exit from the EU in 2021, the British government formally implemented the UK GDPR. At the point of its implementation this was a carbon copy of the EU GDPR and contains the same principles, rights, and all other requirements as its EU counterpart.

Since the UK GDPR replicated the EU GDPR, the European Commission was able to grant the UK ‘adequacy status’. This meant that, although the UK is no longer a member of the EU/EEA, free transfers of personal data between the UK and EU/EEA territories were permitted. For more information on ‘adequacy’ decisions, please see the section on International Data Transfers.

It is important to note, however, that the UK GDPR is a separate piece of legislation from the EU GDPR, and it is likely that the British government will make adjustments and changes to the legislation throughout its lifecycle. One example of this is the UK’s new International Data Transfer Agreement (IDTA). The UK government is also likely to pursue its own adequacy decisions.

International Data Transfers 

The GDPR (EU/EEA) provides a standardised level of data protection that permits the free transfer of personal data between the EU/EEA member states. Within these transfer relationships your organisation is likely to occupy one of three roles:

Data Controller - The person or legal entity (e.g. a business) who is legally responsible for deciding the purposes and means of data processing. The controller decides what data is collected, why it is collected and how it is processed. The controller is directly liable for maintaining GDPR compliance. 

Data Processor - The person or legal entity (e.g. a different business) who carries out the personal data processing on behalf of the data controller. The data processor also has legal liabilities.  

Sub-Processor - If the data processor uses another organisation or legal entity to carry out part of their processing, then the other organisation is called a ‘sub-processor’. The sub-processor also has the same legal liabilities as a processor. 

NOTE: If your organisation is sending personal data to another organisation then you should have a contract. The GDPR requires that your contracts contain specific clauses regarding the protection of personal data, and it sets legal obligations on what information must be included in these clauses. The clauses required will depend on the nature of the transfer relationship, i.e. whether it is a controller-controller relationship or a controller-processor relationship.

What are ‘adequacy’ decisions? 

Even if the country to which you are transferring personal data is not an EU/EEA member, free transfers are still permitted if that country has been granted ‘adequacy status’.

Since the GDPR’s inception, the European Commission has recognised a number of countries or territories as providing fully adequate data protection. These are territories where, although not beholden to the GDPR, the national data protection standards meet the criteria to allow personal data to flow from the EEA to that third country without any further safeguards being necessary. In other words, the transfer is treated the same as if it were carried out within the EEA.

The following are ‘Adequacy’ territories:  

  • Andorra  
  • Argentina  
  • Canada (commercial only)  
  • Faroe Islands  
  • Guernsey  
  • Israel  
  • Isle of Man  
  • Japan  
  • Jersey  
  • New Zealand  
  • Switzerland  
  • United Kingdom 
  • Uruguay  

The UK GDPR has also adopted these adequacy decisions, but the UK is likely to extend them with adequacy decisions of its own.

What are ‘restricted transfers’? 

A transfer of personal data to a country outside the EEA that does not have an adequacy decision is termed by the GDPR a ‘restricted transfer’.

Whilst these transfers are still permitted, the GDPR requires that additional safeguards are implemented. The primary safeguard used is ‘standard contractual clauses’ (SCCs).

The European Commission has adopted standard contractual clauses as a safeguard to comply with the GDPR’s ‘restricted transfer’ rules. By using these clauses you may send personal data outside of the EEA.

You MUST implement these clauses without alteration and without subtraction.  

The EU SCCs can be found here: 

European Commission Standard Contractual Clauses (SCCs)
