Time to overcome denial


A few months after the General Data Protection Regulation became enforceable (25 May 2018), local supervisory authorities in Member States are buried in complaints about data protection violations.

In the first few months, such major legislative game changers as GDPR normally cause certain amount of stress and chaos throughout the world of business. However, the level of confusion triggered by the new Regulation exceeded all expectations.

Media focuses mostly on data security problems of giant, multimillion or even multibillion companies, unintentionally sending the wrong message: data protection should not bother small and medium-sized enterprises.

Our clients often contact us with “yes or no” questions, gravitating around the hope that their companies are not subject to the new data security rules:

  • Does GDPR apply for companies with less than 250 employees?
  • Our company is based in the US, should we do anything about the data we collect?
  • Isn’t GDPR there to regulate social media?
  • Our company does not sell anything online, so GDPR is not our concern. Right?

This attitude is more than understandable given the fact how much work it takes to achieve GDPR compliance.

However, denying the need to get on track with the new rules only slows down one mandatory and inevitable process.

This is the reason we decided to outline some (bitter) truths.


Truth number 1: No business in the EU is exempted from the scope of GDPR

GDPR offers minimal relief (but not exemption from all data protection rules) for micro, small and medium-sized enterprises. GDPR requires written record to be kept about all data processing activities that happen within a company. In certain, very rare cases, enterprises or organizations employing fewer than 250 persons may be exempted from this kind of paperwork. Practically this relief applies almost never, because it is related to additional conditions, such as data processing in the company to be just occasional.

To sum up: GDPR applies to any business in the EU – the number of employees does not matter, the size of your business does not matter and the nature of your business activities does not matter.

As long as your business collects and uses /or otherwise processes/ personal information about living people, your business should make sure data processing happens in lawful and transparent manner and in full compliance with GDPR.


Truth number 2: Even if your business is established outside the European Union, it may also fall into the scope of GDPR

GDPR has the mission to watch over the rights of the EU citizens, regardless whether their personal data is processed in the EU, or in US, China, South Africa or anywhere else in the world.

Exempting non-EU based companies from the Regulation may easily become a great loophole in the new rules. Just imagine – individuals may enter their personal data into any website, without actually knowing where their data will be processed. Because of the troubles GDPR may cause, businesses may start intentionally collecting data through companies, based outside the EU.

This is perhaps the main reason, for which GDPR’s territorial scope covers also non-EU companies, if the following additional conditions are in place:

  1. The individuals, whoso personal data is being processed, are in the Union;
  2. Data processing is related to the offering of goods or services, irrespective of whether a payment of the data subject is required, OR data processing is related to the monitoring of the behavior of such data subjects (as far as their behavior takes place within the Union).


Truth number 3: GDPR applies, regardless whether your business operates online or not

The last myth we intend to bust here is the one about the relevance of GDPR only for business activities carried out online.

Internet is the place where you usually get all these privacy notices, consent declarations and miles-long privacy policies. But company’s online activities are just a small percentage of the data processing activities, governed by GDPR.

Here is a simple example:

There are many businesses, involved strictly in B2B relations, having minimum online presence and zero interactions with individual customers /e.g. wholesale trade, export/transportation of goods etc./. But let’s not forget that such businesses interact with individuals internally – within the employment relations in the company, where the personal data of hundreds or even thousands of employees is being used, stored and transferred on daily basis.

GDPR compliance adjustments should happen in each and every business. Such adjustments are not always visible in a company’s online presence, but equally important and needed in all cases.

In the next article, we will tell you some more about how to take care of the employment relations in your company. Don’t forget to subscribe!


This publication is written in the context of EU legislation, effective on August 31, 2018. Please note that future amendments in the relevant legislative acts, court decisions or opinions of official authorities or other sources of legal obligations, which became effective after the quoted date, may affect the accuracy of the information above. This is one-time publication and Prosperamo is not responsible to keep it up-to-date. For more information – please read the following disclaimer.


Sharing is caring!


Social media & sharing icons powered by UltimatelySocial