The GDPR (General Data Protection Regulation) refers to the European data privacy and security law, effective as of 25 May 2018. It is one of the toughest privacy laws in the world, with:

  • extensive rights for individuals;
  • restrictions on those processing and controlling personal data; and 
  • some very large fines.

It is not only businesses that are located within the EU that need to comply with the GDPR. It also applies to businesses and organisations outside of Europe if certain conditions are met. This article will discuss some of the different ways that a New Zealand organisation might be caught within the scope of the GDPR. If the GDPR covers your business and you do not comply, your business could face serious fines.

What Is the GDPR? 

GDPR stands for General Data Protection Regulation. 

The European Union (EU) developed rules to harmonise personal data protection laws across the Union. Under the GDPR, personal data has quite a broad definition. Personal data is any information that connects or relates to a person in the EU who can be identified either directly or indirectly. This data includes anything from:

  • a name;
  • a photo;
  • an email address; 
  • employment details;
  • financial details;
  • medical records;
  • interactions on social media platforms; or
  • an IP (internet protocol) address.

Personal data is protected by a comprehensive set of obligations imposed on entities within the scope of the GDPR.

Who Does the GDPR Apply To?

The GDPR has an extraterritorial scope. This means that the GDPR is not just applicable to entities based in an EU member state. However, not all businesses outside of the European Union come within this scope. 

It is essential to be aware of whether your New Zealand business comes under either of the following two categories. If it does, your business will be required to comply with the GDPR.

European Union Based Entities

Any business that processes personal information in the European Union must comply with the GDPR. This category includes businesses with staff either living or working in the EU, even if your business is not based solely in the European Union.

Non-European Union Based Entities

Non-EU based businesses may still come under the scope of the GDPR. Your business may be subject to the GDPR if it:

  • sells goods to persons that live in the EU, such as supplying New Zealand-made clothing to an international customer base;
  • provides services to persons that live in the EU; or 
  • monitors the behaviour of EU residents. For example, your business might be interested in expanding to the European market. To determine whether this would be successful, your business uses a web analytic tool to determine the current amount of European interest in your website and products. In this scenario, your business would have to comply with the GDPR.

Does My Business Fall Within the Scope of the GDPR?

If your organisation is established within the EU, you will need to comply with the GDPR, even if your:

  • customers are located outside of the EU; or
  • customer’s personal data is stored outside of the EU. 

The GDPR will apply to an organisation located outside of the EU if:

1. You Offer Goods or Services to People in the EU

A person from Europe visiting your site or purchasing something from your online store is not typically enough to constitute “offering goods and services to people in the EU”. It would be unreasonable to hold businesses in New Zealand accountable to the requirements of the GDPR just because someone from France stumbles across your website.

There must be an element of targeting people in the EU. Activities that are indicative of offering goods or services to people in the EU include:

  • allowing Euros as a payment option at checkout;
  • having a European website domain; or
  • running advertisements in a European language.

2. You Monitor the Behaviour of People in the EU

It is fairly common practice for most websites to use cookies to track website visitors’ usage of their site, as well as for targeted advertising. To determine whether an activity amounts to the monitoring of behaviour, it should be considered whether the person is tracked on the internet, including potential subsequent use of personal data for profiling and making decisions based on personal preferences, behaviours and attitudes.

Targeted advertising is a good example of this. When considering monitoring, it may be relevant to consider whether EU individuals are targeted, rather than just incidentally monitored as casual website visitors. You should speak to a privacy lawyer to discuss your specific data collection and monitoring practices to understand whether your activities constitute “monitoring the behaviour of people in the EU”.

What About the UK?

The UK is still subject to the GDPR until the end of the Brexit transition period of 31 Dec 2020. After this date, a data subject located in the UK will not attract GDPR rights.

However, the UK is enacting its own legislation that is substantially similar to the GDPR. 

My Business Does Fall Within the Scope of GDPR, What Next?

Businesses whose current practices put them within the scope of the GDPR have two options. If your current practices are integral to your business strategy, like Germany being a key market, you should speak to a privacy compliance lawyer who has expertise in GDPR compliance. This will assist you to understand what you need to do to comply. 

GDPR compliance is about more than just updating your privacy policy. You will need to make sure:

  • you are providing data subjects with appropriate notification of the collection and use of their information;
  • your processing of personal data is lawful; and 
  • any party you transfer personal data to is subject to similar privacy and data security obligations.

You will need to take additional measures to comply with the GDPR if you deal with:

  • health data;
  • biometric data; or
  • data that deals with a person’s sexual orientation, race or religion.

If your business is at the startup or early stages, you may want to consider whether you want to invest in compliance, knowing that GDPR compliance comes as a time and monetary cost. 

Some businesses may not want to invest in compliance or risk the large fines, so may choose to adapt their online activities so that they are no longer caught by the GDPR. 

For example, they may withdraw an advertisement intended for a Dutch audience.

Even if the GDPR does not apply to you, your customers may expect you to comply with the GDPR. Organisations in New Zealand need to comply with the New Zealand Privacy Act, and any other applicable privacy laws.

How Does My Business Comply With the GDPR?

To comply with the GDPR, there are two processes that you and your business should engage in.

1. Evaluate How and Why Your Business Currently Processes Data 

To be compliant with the GDPR, an individual living in the EU must have consented to your use of their personal data. This consent must be freely given, specific, informed and unambiguous. This individual may have given their consent to use a free search engine that your business provides, or through agreeing to the use of cookies on your website. 

If you use an EU resident’s personal information, your business cannot use that data for a matter other than what was specified. 

Your business may only process personal data if it has legal grounds to do so. Otherwise, you risk breaching the GDPR. Be clear as to the legal ground(s) on which your business processes personal information. 

Some of the grounds for processing personal data include:

  • to perform a contract; 
  • when the individual has given their express consent; 
  • when there is a statutory obligation to collect and retain information. For example, some employers are deemed to be data controllers and are required to process personal data; or
  • for the protection of the vital interests of that individual. 

2. Implement Processes or Appoint an Individual to Ensure Compliance

Compliance with the GDPR is an ongoing obligation on businesses that fall within the rule’s scope.

To ensure compliance, your business may have to:

  • provide individuals with access to the personal data that your business collected;
  • correct any inaccuracies in the data; 
  • (in certain circumstances) erase data. An individual has the right to ask for their data to be erased if, for example, you no longer need the data for its intended purpose; or
  • report a data breach without undue delay.

A failure to comply with the GDPR can result in enormous fines of up to 20 million euros or 4% of your business’ annual worldwide turnover, or court proceedings. Therefore, you must implement processes to ensure compliance with the GDPR. The best plan of action is to appoint someone to oversee the area of privacy and data protection within your business. 

Key Takeaways

If your organisation is located in Europe, offers goods or services to individuals in Europe, or monitors the online behaviour of individuals in Europe, your New Zealand organisation will be caught by the GDPR. As the GDPR is a strict privacy law with heavy fines, you need to make sure you are compliant, or else assess whether you need to shift your business focus away from Europe until you can invest in compliance. If you have any questions about the GDPR, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

FAQs

What is the GDPR?

The GDPR (General Data Protection Regulation) refers to the European data privacy and security law, effective as of 25 May 2018. The GDPR is known for being one of the toughest privacy laws in the world, with extensive rights for individuals, restrictions on those processing and controlling personal data, and some very large fines. 

When do I need to comply with the GDPR?

If you are located outside of the EU, you need to comply with the GDPR if you:

  • offer goods or services to people in the EU; or
  • monitor the behaviour of people in the EU.

How do I ensure I am compliant with the GDPR?

To comply with the GDPR, you will need to make sure you are providing data subjects with appropriate notification of the collection and use of their information. Your processing of personal data must also be lawful, and any party you transfer personal data to must be subject to similar privacy and data security obligations. There are other obligations for compliance, so make sure to obtain legal advice from a privacy lawyer.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
