Expert Commentary

Application of EU's General Data Protection Regulation

The EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. Business partners and service providers are increasingly asking organizations, for example in contract negotiations, whether the GDPR applies to them. This article provides a brief overview of when the GDPR applies to an organization.


Cyber and Privacy Risk and Insurance
March 2018

Key definitions in the GDPR are as follows.1

Data controller means a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Art. 4(7).

Data processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Art. 4(8).

Data subject means an identified or identifiable natural person to whom the personal data relates. Art. 4(1).

Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Art. 4(2). Examples of processing include staff management and payroll administration, accessing or consulting a contacts database containing personal data, sending promotional emails, shredding documents containing personal data, posting a photo of a person on a website, storing Internet Protocol (IP) addresses or MAC addresses, and video recording (closed-circuit television).2

Personal data means any information that relates to an identified or identifiable living individual. Art. 4(1). Examples of personal data include a name and surname, a home address, a personal email address such as [email protected], an identification card number, location data, an IP address, a cookie ID, the advertising identifier of a phone, and data held by a hospital or doctor, including a symbol or code that uniquely identifies a patient.3 Examples of data not considered to be personal data include a company registration number, a generic business email address such as [email protected], and anonymized data.4 Note that data that has merely been pseudonymized (for example, a customer record keyed by an internal identifier rather than a name) remains personal data as long as the individual can be re-identified with additional information. Recital (26).

When the GDPR Applies

The GDPR applies if a data controller or a data processor has an establishment in the European Union and processes personal data in the context of the activities of that establishment, regardless of whether the processing itself takes place in the European Union. Art. 3(1). One example is a company with an establishment in the European Union that provides travel services to customers based in the Baltic countries and, in that context, processes personal data of natural persons.5

The GDPR also applies if a data controller or a data processor is not established in the European Union and processes personal data of data subjects who are in the European Union, where the processing activities relate to (a) offering goods or services to such data subjects in the European Union, whether for payment or for free or (b) monitoring their behavior within the European Union. Art. 3(2).

A data controller or a data processor is offering goods or services to data subjects who are in the European Union where it is apparent that it envisages offering goods or services to data subjects in the European Union. Using a language or currency generally used in one or more EU member states with the possibility of ordering goods or services in that language, or mentioning customers or users who are in the European Union, may make this intention apparent. However, the mere accessibility from the European Union of the data controller's, data processor's, or an intermediary's website, of an email address, or of other contact details, or the use of a language generally used in the third country where the data controller is established, is insufficient on its own.6

Whether a processing activity amounts to monitoring the behavior of data subjects depends on whether natural persons are tracked on the Internet, including the potential subsequent use of personal data processing techniques that consist of profiling a natural person, particularly in order to take decisions concerning that person or to analyze or predict his or her personal preferences, behaviors, and attitudes.7


1 See the full text of the GDPR.

2 European Commission, "What Constitutes Data Processing?"

3 European Commission, "What Is Personal Data?" and GDPR, Recital (30).

4 European Commission, "What Is Personal Data?"

5 European Commission, "What Does the General Data Protection Regulation (GDPR) Govern?"

6 European Commission, "Who Does the Data Protection Law Apply to?" and GDPR, Recital (23).

7 GDPR, Recital (24).


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
