Anthony Tripolino FIPA: Lessons from teenage side hustles
Having proven his entrepreneurial flair as a teenager, Anthony Tripolino FIPA was taught lessons around work ethic by...
READ MORE
You may think you’re not affected by the European Union’s new General Data Protection Regulation because you don’t advise clients in the EU. Think again.
Even if you merely monitor your clients’ behaviour when they are travelling in the EU, you’ll need to comply with the GDPR.
The GDPR expands the privacy requirements
The GDPR is a much expanded privacy law. Since 25 May 2018, it gives consumers new rights to require their data to be erased or transferred to another entity. These rights don’t currently exist under Australian privacy laws (although it is likely that they will be implemented as part of the open banking regime).
The GDPR’s extensive extra-territorial provisions mean that many businesses outside the EU are caught by it even if they don’t actually trade in the EU.
This is because it also applies to companies, no matter where they are located, who use any means to monitor their customers’ behaviour when they are in the EU. More particularly, it applies where companies:
In order to:
Monitoring happens in many ways
Many technologies have inbuilt monitoring devices, of which users may not be aware, let alone deploy. Consider these scenarios, all of which will bring you within the ambit of the GDPR if your customers travel to the EU:
The GDPR requirements are similar but more extensive
If you provide services to clients or monitor them via the internet while they are in the EU, at a minimum, you will need to do the following to comply with the GDPR obligations:
If you regularly monitor people on a large scale or manage large amounts of sensitive information, you will also need to appoint a representative in an EU member state and appoint a data protection officer with expert knowledge of data protection law.
Data breaches which are likely to result in a risk to individuals’ rights and freedom must be notified to the EU member state your representative is in within 72 hours after you become aware of the breach. There is no need to notify breaches that do not pose that risk.
What this means for you
For most businesses, it will be sufficient to amend your privacy documents and enhance your consent regimes. The Fold Legal can assist with this – we are updating our privacy materials to assist you to comply.
But businesses who regularly monitor people in the EU on a large scale or manage large amounts of sensitive information collected in the EU will need also representation in the EU.
Chris Deeble, associate – Sydney, The Fold Legal