Foley Hoag looks at the European Union’s General Data Protection Regulation, warning that it has been expensive to comply with, has potentially serious penalties attached to it, and is more broadly applicable than one might assume.
A company falls within the GDPR’s territorial scope in two main situations. The first is when the company processes data in the context of its EU establishment. The second is when the company performs certain processing activities that target data subjects located in the EU. In late 2019, the EU’s lead data protection regulator, the European Data Protection Board, issued its final guidelines on the GDPR’s territorial scope. Enforcement bodies are familiar with them, and companies should be too.
