EU GDPR


Who is this article for?

  • Any organization in the EU
  • Any organization that deals with people in the EU

The complete text of the EU GDPR can be found here.

The EU General Data Protection Regulation (GDPR) is adopted in the following countries:

  • Countries in the EU
  • Countries in the European Economic Area (EEA) - Norway, Iceland, and Liechtenstein

The GDPR also applies to organizations in any other country that have business dealings in the EU and EEA, offer goods and services in the EU, or collect data from people in these areas.

The best practice for companies is to appoint EU, EEA, and UK representatives who stay knowledgeable and up-to-date on regulatory changes and ensure compliance with the legislation.


Areas of Jurisdiction

  • If you are operating solely in the UK, you will need to comply with the UK GDPR and DPA.
  • If you are operating solely in the EU, you will need to comply with the EU GDPR.
  • If you are operating both in the UK and EU, you will need to comply with both the UK and EU GDPR, in addition to the UK DPA.

Adequacy Decisions and Other Policies

  • The EU has granted adequacy decisions to some non-EU countries that it has deemed to have strong data protection policies.
  • An adequacy decision is the European Commission's determination that a third country (non-EU and non-EEA) offers a level of personal data protection comparable to that of the EU GDPR. Countries with adequacy decisions can receive personal data from the EU and EEA without additional safeguards, so personal data can flow freely from the EU and EEA to these countries.
    • These include the UK (including Northern Ireland) and Switzerland.

  • Since Brexit, the UK has also adopted the Data Protection Act (DPA). The DPA works alongside the UK GDPR. For additional information, see our UK GDPR article.

  • Switzerland, part of the Single Market and a member of the European Free Trade Area (EFTA), has adopted a policy analogous to the GDPR, the Federal Act on Data Protection (FADP). For additional information, see our Switzerland FADP article.

GDPR Compliance Checklist

  • You will need at least one lawful reason/basis to collect and process personal data.
    • For nonprofits, legitimate interest will be the most common lawful basis.
    • The lawful basis must be stated in your privacy notice.
    • Think of the lawful basis as applying to the processing of the data (its use and retention), not to the data itself: once none of the six lawful bases applies to the processing, you can no longer use or keep the data.
  • You will need a GDPR Privacy Policy.
  • You will need a GDPR Privacy Notice.
    • A best practice is to have the privacy notice on your website and a link to the notice in your email signature.
    • You can check out the EU compliance checklist for US companies here.

For additional guidance on GDPR compliance, see our GDPR Compliance Guide. Note that this is an abridged version of what an organization needs to know to be GDPR compliant. Though we vet as many of our resources as possible, consult your attorney before implementing compliance or legal advice.