As reported through sites such as Lexology.com, the guidelines help clarify, for non-EU based companies, whether GDPR covers their own operations. The site notes that per the draft guidelines, “not all companies that process personal data relating to individuals in the EU are necessarily subject to GDPR.” By way of example, if a company controller that is based in the EU designates a processor located outside the EU to perform services for that firm, the processor in turn need not be subject to the GDPR.
Firms that are located outside the geographic confines of the EU that process data related to individuals within the EU may be covered by GDPR if they have an establishment in the EU, and, per the draft guidelines, have activities in place that can be viewed as being “inextricably linked” to the EU-based entity. “The application of the GDPR to processing activities must be assessed per controller/processor,” noted Lexology.
In terms of individual company news, this past week saw the disclosure that Uber has been hit with fines from regulators based in the United Kingdom, as well as Dutch regulators. The fines stem from data breaches against the company that came in 2016.
Within the U.K., the fine was levied by the Information Commissioner’s Office (ICO) against Uber for nearly $491,000, while the Dutch Data Protection Authority fined the company nearly $679,000. The data breach exposed information about 57 million users, spanning names, mobile phone numbers and email addresses. As many as 2.7 million users had accounts in the United Kingdom. In addition, data on 82,000 drivers based in the U.K. was pilfered in the breach.