Now that the post-Brexit Transition period has ended, organisations established in the UK will need to consider urgently whether their data processing activities mean that they are still subject to the GDPR.
Although the GDPR is EU law, not UK law, it does not apply only to organisations (i.e. controllers and processors) that are established in the EU. It can also apply to data processing carried out by organisations that have no physical EU presence at all.
Article 3 sets out the territorial scope of the GDPR. There are two essential criteria.
Article 3(1) (the “Establishment criterion”) states that the rules apply in full to all processing “in the context of the establishment of a controller or a processor in the Union”.
So the first question, now that the Transition period has ended, is: do you process personal data in the context of your establishment “in the Union”? Do you have an “establishment” in the EU? If you meet this criterion, the rules will apply regardless of where the relevant processing takes place (and regardless of where the data subjects are), provided the processing is “in the context of your establishment”.
Article 3(2) (the so-called “Targeting criterion”) is one that might surprise some UK-based organisations. It applies the GDPR to certain processing of data relating to persons “who are in the Union” which is carried out by a controller or processor that is not established in the Union.
The processing will be caught by this provision if, but only if, the processing activities are related to:
(i) the offering of goods or services to data subjects in the Union (whether paid for by the data subject or not); or
(ii) the monitoring of the behaviour of data subjects (as far as their behaviour takes place in the Union).
The targeting criterion has another sting in the tail: Article 27 goes on to impose an obligation on the controller (or processor) to designate an authorised representative in the EU.
If you are a controller or processor processing under Article 3(2), you will need to designate an EU representative unless:
(a) the processing is occasional, does not include, on a large scale, processing of special categories of data … or … data relating to criminal convictions and offences … and is unlikely to result in a risk to the rights and freedoms of natural persons …; or
(b) the controller or processor is a public body.
If a representative needs to be appointed, the appointment must be in writing. The representative’s key role is to be the main point of contact in the EU for the supervisory authority and for the data subjects concerned so as to ensure there is effective compliance. Although each Member State has its own supervisory authority, it is not necessary to appoint a representative in each Member State; it is possible to appoint just one. They will, however, need to be in a Member State in which you target individuals.
Remember also that, as well as the generally applicable rules under the GDPR, there may be local laws (or permitted variations of GDPR) of individual Member States that apply to your particular processing.
The supervisory authorities can impose very significant fines on controllers and processors that fall foul of the relevant laws.
In order to work out whether any of your processing is caught by the GDPR, it is first essential that you have an in-depth understanding of all the different types of processing you carry out as a controller or as a processor. Are you clear about the establishment rules, and about whether or not you target individuals in the EU/EEA? Merely having a website which can be viewed by persons who happen to be in the EU will not amount to targeting. But do you undertake other marketing activities, analytics or other steps that suggest a business focus on individuals in the EU? Establishing a clear picture is not always straightforward and needs considerable care.
Tim Heywood, Data Protection and Information Law Partner, gunnercooke llp.
The contents of this blog are intended as guidance only. They are not intended as legal advice and must not be relied upon as such. Specific advice should be sought in relation to your particular circumstances.