Please can you help settle a debate. In a UK company with overseas customers, does the GDPR apply to the personal data of customers outside the EU (for instance customers in Canada) by virtue of the fact that their data is being processed by an establishment in the UK?
I know it’s been said, but yes, unequivocally yes. The company is, or has, “an establishment” “in the United Kingdom” (Art. 3(1) UK GDPR) and therefore the law applies to its processing of personal data, irrespective of the location of processing or the location of the data subjects.
There may be other laws that apply extraterritorially by virtue of the data subjects’ location, for example the EU GDPR applies to a UK entity offering goods or services to data subjects in the EU, in addition to the UK GDPR, meaning the entity would additionally be regulated by an EU supervisory authority.
In a word – Yes.
Plus, practically, can you imagine a situation where every time the operational or marketing team wants to do something they have to interrogate the data to determine how to behave?
The UK GDPR has adopted the extra-territorial scope that the EU GDPR has. So my opinion is that data being processed in the UK is subject to UK GDPR safeguards, regardless of where the ‘data subject’ is located. Article 3 para 1 states: –
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not.”