The European Union’s (EU) General Data Protection Regulation (GDPR) has caused quite a stir in the EU, but its reach extends far beyond Europe. As brick-and-mortar locations in the US close due to COVID-19, many companies are moving online and going global. GDPR compliance may be a new consideration for a US company, but the privacy obligations that come with collecting and sharing international data under GDPR must be considered if you’re planning to do business in the EU.
These are the factors to consider when developing a compliance program for a US-based company that must comply with EU law.
Does GDPR apply to us?
GDPR’s territorial scope (Article 3) turns on where the people are and what your company is doing, not on citizenship. It applies to companies established in the EU, and to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour there. Protection extends to any natural person in the EU, whatever their nationality; conversely, an EU citizen living in the US is not covered simply by virtue of being a citizen. In practice it is hard to tell reliably where a user is: even though your company collects data in the US, some of it may belong to people in the EU. Some companies choose to apply GDPR protections across the board in order to avoid maintaining separate rules for users based on location. Other organizations serve a narrower segment of users whose location they can identify with some confidence.
Because you can rarely be certain where a user is, a conservative approach is to apply GDPR protections to all users, as some large global platforms have done.
Compliance requirements for Joint Controllers vs. Group of Undertakings
International companies with locations in both the EU and the US have their own set of compliance obligations, and they need to decide how their GDPR compliance program is governed. Will it be governed globally and cover both locations, or is each location responsible for its own program? That depends on whether the companies are a Group of Undertakings or Joint Controllers.
Group of Undertakings
An organization is considered a group of undertakings if the controlling organization can exert a dominant influence over the other organizations by, for example, virtue of ownership, financial participation, the rules which govern it or the power to have personal data protection rules implemented. For example, a large US company and their wholly owned subsidiary based in the EU are likely a group of undertakings.
For a Group of Undertakings, GDPR compliance for US companies consists of:
- One set of policies and procedures to cover all organizations within the Group of Undertakings,
- One GDPR compliance program,
- Where a Data Protection Officer is required, only one (qualified) DPO needs to be appointed for the group, provided the DPO is easily accessible from each establishment (Article 37(2)); more are permitted, but not required,
- One lead Data Protection Authority, the supervisory authority of the group’s main establishment in the EU,
- Legitimate Interest can be used as grounds for sharing information between entities within the European Economic Area,
- Transfers between entities from inside the EEA to a country without an EU adequacy decision need a transfer mechanism: Binding Corporate Rules (BCRs) approved for the group, or Standard Contractual Clauses (SCCs) between the sending and receiving entities,
- If no data is transferred from the EEA to outside the EEA, this is not needed,
- This applies to transfers to any country outside the EEA that lacks an adequacy decision, not only the US; a US-specific transfer framework, where one is in force and the receiving entity is certified under it, can replace BCRs or SCCs for US transfers only,
- Noncompliance action is taken against the undertaking as a whole, and fines are calculated on the group’s total worldwide turnover, which can make them higher,
- Some unique policies may be needed for different member states based on local laws.
Joint Controller
Two or more organizations are Joint Controllers if they jointly determine the purposes and means of processing and the essence of the arrangement between them is made available to the data subject (Article 26). Independent business entities in the EU and the US are likely to be Joint Controllers when they decide together why and how shared personal data is processed; if each decides for itself, they are separate controllers instead.
For Joint Controllers, the GDPR requirements for US companies are as follows:
- Each entity is required to have its own policies and procedures, its own compliance program and, where one is required, its own Data Protection Officer.
- Each entity answers to its own Data Protection Authority, determined by that entity’s own main establishment in the EU.
- An agreement must define each entity’s role in processing and GDPR compliance obligations.
- (Same as above) Transfers between the entities from inside the EEA to a country without an adequacy decision need a transfer mechanism. Because BCRs are approved for a group of undertakings or enterprises engaged in a joint economic activity (Article 47), independent Joint Controllers will usually rely on Standard Contractual Clauses.
- If no data is transferred from the EEA to outside the EEA, this is not needed.
- This applies to transfers to any non-EEA country without an adequacy decision, not only the US.
- Noncompliance action can be taken against each entity separately.
- Joint controllership covers only the processing whose purposes and means the entities determine together. Each entity can also process data that is not shared with the others as a sole controller, but for the shared processing each entity carries its own share of responsibility under the joint arrangement.
Determining whether your organizations are a Group of Undertakings or Joint Controllers can involve considering existing agreements, contracts in place, percentages of ownership and how the companies have been described in other legal matters.
Wondering if your companies are Joint Controllers or a Group of Undertakings? Need to learn more about GDPR compliance for US companies? Give us a call at 503-389-5666 and we can talk you through it! Or contact us through our web form.