The European General Data Protection Regulation (GDPR) will apply from 25 May 2018 to all entities that process the personal data of individuals located within the European Union (EU), whether or not the entity itself is based in the EU.

Australian entities will fall within the scope of the GDPR where they:

  • Offer goods or services to individuals located in the EU (regardless of whether or not the entity has an establishment in the EU);
  • Have an establishment in the EU; or
  • Monitor the behaviour of individuals within the EU.

If you determine that your business falls within the scope of the GDPR, you will need to review your data handling practices and update your Privacy Policy and/or Privacy Statement to ensure they comply with the European regulation. The GDPR requirements are largely similar to those established under the Australian Privacy Act; however, there are some differences which need to be considered, for example the right of an individual to be "forgotten" (the right to erasure).

What is meant by “offering goods or services to individuals in the European Union”?

The Office of the Australian Information Commissioner (OAIC) has provided examples of circumstances in which Australian entities may fall within the scope of the GDPR. Examples include, but are not limited to:

  • Having an office in the EU;
  • Having a website which targets EU customers e.g. having a website which enables customers to order goods or services in a European language (other than English) or enabling customers to make payment in Euros;
  • Having a website which mentions customers or users located within the EU.

What is personal data?

The GDPR defines personal data as "any information relating to an identified or identifiable natural person". An individual is "identifiable" if they can be identified directly or indirectly, so the definition also covers separate pieces of information which, when put together, can lead to the identification of an individual.

Examples of personal data include, but are not limited to:

  • First name and/or surname;
  • Location data;
  • IP address; and
  • Residential address.

The GDPR gives supervisory authorities the power to issue fines for contraventions of the regulation. For the most serious contraventions, supervisory authorities may issue fines of up to €20 million or 4% of total annual worldwide turnover for the preceding financial year (whichever is greater).

The OAIC has published a business resource which provides further information on the circumstances in which Australian entities may fall within the scope of the GDPR, specific detail on the differences between the current Australian privacy regime and the GDPR, and general information on compliance with the GDPR.

For any questions in relation to the content of this post, please contact Sophie Grace.

Sarah Murray

Sarah works with the Compliance Team with a particular focus on compliance and legal services. Sarah also works with the Legal Team providing ongoing assistance in drafting and reviewing documentation as well as legal research. Sarah assists clients with AFSL and ACL applications, variations and also assists in the implementation of compliance reviews. She provides ongoing compliance support in the form of compliance program implementation and reviews.