Hi –
Chris Craig here. As you know, I like to keep friends and colleagues abreast of the latest and greatest in the world of non-profit entities and related organizations. Today I am providing a very brief note about a change that will affect many US-based entities starting tomorrow: the implementation of the European Union (EU) General Data Protection Regulation (GDPR). These new rules are designed to enable EU-based individuals to better control their personal data. Below is a SUMMARY ONLY, not a deep dive into the rules, requirements or otherwise, and it is not legal advice. As I note below, if you have specific inquiries I strongly urge you to consult counsel.
Complying with the EU GDPR standards will require you to UPDATE YOUR CURRENT Privacy Policy for data collected (over the internet and otherwise). Don't have a policy? If you collect data, PLEASE be sure to adopt a policy that conforms to your local, state and US rules, and possibly EU rules. Read on . . .
Under the GDPR, if you collect personal data or behavioural information from someone in an EU country, you are subject to the requirements of the GDPR. The law applies to a non-EU organization only if the consumer or user is physically in the EU when the data is collected; the person's nationality or residence is not the test. In addition, a financial transaction doesn't have to take place for the extended scope of the law to kick in. If the organization collects "personal data" as part of a marketing survey, that data would have to be protected GDPR-style. Note that "personal data" is broader than the US notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs. The rules would apply, therefore, to a U.S. company with no physical presence in an EU country that collects personal data belonging to an EU user over the internet. However, such collection would have to target users in an EU country. Say, for example, the outreach is written in the native language of an EU user. Other signals, such as accepting payment in an EU currency, would also tip the balance in favour of coverage. Generic marketing that merely happens to be reachable from the EU doesn't count.
For entities that fall into the "covered" category, it is imperative that they update their privacy policy and/or internet Terms of Use so that the policy either meets EU standards or expressly excludes EU-based users from the services offered. Otherwise, such entities may be subject to EU enforcement. Updating the policy is a necessary first step, not full compliance in itself: the organization also has to be able to actually honor the rights and obligations the policy describes.
Features of the new rules include: where consent is the basis for processing, requiring users to opt IN before their data is collected, rather than opting out; requiring notification to the relevant supervisory authority, within 72 hours of becoming aware of it, of a personal data breach (unless the breach is unlikely to result in a risk to individuals), with the affected individuals also notified when the risk to them is high; and providing users with the right to have their data erased (the "Right to be Forgotten"), subject to certain exceptions. This list is not exhaustive.
Among practitioners, it is believed that there are several reasons to become compliant, even if you don't think you are subject to the GDPR. Such reasons include, but are not limited to:
If you have any questions or require further information, please feel free to contact me.