A guide to the new General Data Protection Regulation (GDPR) – Part 2 of 5

26 July, 2016
This article has been reviewed and is up to date as of 5 May, 2017

Territorial Scope

One of the most significant changes introduced by the GDPR relates to the territorial scope of the legislation, and in particular concerns data controllers (who make decisions about how to use personal data) and data processors (who carry out those decisions) based outside of the EU.


Under the current Directive, only data controllers based within EU member states have to be concerned by the legislation. In contrast, the GDPR will apply to both data controllers and data processors operating outside of EU member states, providing that any data processing activities which they carry out, either relate to the offering of goods or services to EU residents (even if it is for free) or the monitoring of the behaviour of data subjects within the EU (e.g. via the use of cookies in web pages).


The GDPR states that in determining whether a non EU organisation is offering goods to data subjects outside the EU, for the purposes of the legislation, the following should be taken into consideration:

  • whether the business is offering goods or services in a language or currency of a member state.
  • whether the business is allowing EU citizens to place orders in the language of that member state; and
  • whether the business is referring to EU customers in its publications.


This increased territorial scope is likely to affect non-EU online companies if they process the data of EU customers during the course of a sale or in situations where online providers use cookies or tracking devices on equipment used by EU citizens.



The current regime under the Directive allows data controllers to process data providing that they have the express or implied consent of the data subject. It may also be allowed if any processing is deemed to be required the ‘legitimate interests’ of the controller and if the processing of the data will not harm the data subject.


In contrast the GDPR requires that data subjects must expressly consent to the processing of their data and that any consent must be ‘freely given, informed, specific and unambiguous’. In relation to sensitive data any consent must be ‘explicit’ and this consent can be withdrawn at any time. It should be noted that the data controller must also be able to show how and when consent was granted by the data subject. As a general principle this means that any consent given requires a clear statement of intent or affirmative action from the data subject, it should not be merely implied by the conduct of the individual. Silence, pre-ticked boxes or inactivity does not constitute consent.


Additionally it is worth noting that parental consent will be required for the processing of any personal data relating to children under the age of 16. EU member states will be able to lower this age limit to 13 at their own discretion.


Data Processors

The current Directive only regulates data controllers and not data processors.


However, the GDPR places direct obligations on data processors such as implementing appropriate security standards, appointing a data protection officer and notifying the data controller of data breaches without undue delay. As with data controllers, data processors may also be liable for fines of up to 4% of worldwide turnover or €20m (whichever is the greater) for certain breaches of the GDPR.


Notification of data breaches

The GDPR places obligations on data controllers to notify the majority of data breaches to the national data protection authority (which in the UK is the Information Commission’s Office (ICO)). In particular, the new legislation requires the data controller to notify any breaches without ‘undue delay’ and in all cases within 72 hours of becoming aware of any breaches which may result in a risk to the data subject. As a direct result of this requirement, controllers will have to have continuous monitoring and reporting systems in place at all times in order to avoid breaching the GDPR.


Although this obligation may appear onerous, many sectors already have legal obligations to report such breaches and the ICO already expects data controllers to report any ‘serious breaches’ that arise.


In the case of data loss or security breaches which are deemed sufficient to adversely affect the data subject’s privacy or personal data, any such breaches must be reported to the data subject without undue delay, unless the controller can show that the data is unintelligible to third parties.