What’s GDPR’s real scope?
By now, everyone in the business world should know about the GDPR. But do you know the scope of the GDPR?
Perhaps you still have some unanswered questions:
- Which European countries does the law apply to?
- How broad is the scope of this law?
- How do countries manage and apply GDPR fines to companies that don’t comply?
Here we’ll answer all these questions so you can better understand how the GDPR works.
Which countries are covered by the GDPR?
The countries that must comply with the GDPR are the ones within the EU (European Union) and the EEA (European Economic Area).
Curiosity: Switzerland is part of neither the EU nor the EEA, but its citizens have the same work rights as Europeans.
European Union
So the countries in the European Union are:
- Austria
- Belgium
- Bulgaria
- Croatia
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Republic of Cyprus
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- UK (until Brexit takes effect)
European Economic Area
All the above countries plus:
- Iceland
- Liechtenstein
- Norway
The geographical scope of the GDPR
The geographical scope of the GDPR is worldwide.
What does worldwide mean? Isn’t it only for those countries listed above?
The countries mentioned earlier must comply with the law. But the truth is, if someone outside of the EU wants to handle personal data from citizens of those countries, they must comply with the rules as well.
For example, someone from Canada can process data from people in the USA without any concerns about the GDPR.
But if a company based in Canada wants to process personal data from Spain or France, it needs to collect that data according to GDPR norms.
So, basically, the GDPR is a European regulation for European countries, but all non-European countries that interact with or collect personal data from Europeans must comply with the GDPR.
How do countries manage and apply GDPR fines?
Each country has its own DPA (Data Protection Authority), which deals with the complaints.
Complaints can come from companies, organs of state, or anyone who finds irregularities.
You can find the list of DPAs (Data Protection Authorities) here.
To complain, you should email your country’s DPA with all the necessary information about the company and why it’s not respecting the data it collected.