Includes information on data privacy that U.S. firms should be aware of when exporting to the market.
Last Published: 8/29/2019
The EU General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred, went into effect on May 25, 2018. GDPR is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. It replaces the Data Protection Directive 1995/46. The overall objectives of the measures are the same – laying down the rules for the protection of personal data and for the movement of data.
GDPR is broad in scope and uses broad definitions.  “Personal data” is any information that relates to an identified or identifiable living individual (data subject) such as a name, email address, tax ID number, online identifier, etc.  “Processing” data includes actions such as collecting, recording, storing and transferring data.
A company that is not established in the Union may have to comply with the Regulation when processing personal data of EU and EEA residents (EEA countries are Norway, Lichtenstein and Switzerland):
a) If the company offers goods or services to data subjects in the EU; or,
b) If the company is monitoring data subjects’ behavior taking place within the EU.
The mere accessibility of a company’s website in the EU is insufficient to subject a company to GDPR, but other evidence of the intent to offer goods or services in the EU would be relevant. 
As a general rule, companies that are not established in the EU but that are subject to GDPR must designate in writing an EU representative for purposes of GDPR compliance.  There is an exception to this requirement for small scale, occasional processing of non-sensitive data. 
Fines in case of non-compliance can reach up to 4% of the annual worldwide revenue or 20 million euros – whichever is higher.  Companies of all sizes and sectors should consider GDPR as part of their overall compliance effort with assistance of legal counsel.
The European Commission and Data Protection Authorities are releasing official guidelines to help companies with their compliance process.  These documents relate, for instance, to the role of the data protection officer, personal data breach notification, data protection impact assessment.
Note: the EU is currently updating its e-privacy legislation governing confidentiality of communications.  This legislative instrument once enacted will add several requirements in addition to the GDPR.  We encourage U.S. exporters to monitor this situation as it evolves through the EU legislative process.
For more information:
Full GDPR text
Official Press Release
European Commission guidance:
https://ec.europa.eu/info/law/law-topic/data-protection_en
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
https://edpb.europa.eu/edpb_en
https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
 
Prepared by the International Trade Administration. With its network of more than 100 offices across the United States and in more than 75 markets, the International Trade Administration of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the trade specialist in the U.S. nearest you by visiting http://export.gov/usoffices.


More Information

Germany Finance Law