Just when you thought you had mastered compliance with Australian privacy law, one of your customers in the European Union (EU) requests that you consider requirements under the General Data Protection Regulation (GDPR).

This article will:

  • explain when the GDPR applies; 
  • outline the GDPR’s requirements for processors and for controllers; and
  • provide some practical tips for compliance.

What Is the GDPR and When Does It Apply?

The GDPR is an EU regulation that governs how businesses handle the personal data of individuals. It applies to businesses that satisfy both of the following criteria.

1. An EU Link

For GDPR to apply to your business, you must either:

  • have an establishment in the EU; or
  • offer goods or services or target your goods or services to EU-based individuals. For example, you may accept payment in Euros, or have a website in the language of an EU member state; or
  • monitor the behaviour of EU-based individuals, for example by tracking EU individuals through payroll software.

2. Processor or Controller Status

Your business must also fall into one of the following categories:

  • controller: A controller is a business that determines how users’ personal data will be used. For example, an e-commerce business may use personal data to send marketing emails to their customers;
  • processor: A processor is a business that processes personal data on behalf of a controller. For example, Mailchimp holds personal data for e-commerce businesses that send marketing emails to their customers;
  • processor and controller: A business may act in both roles. For example, Mailchimp may also send marketing emails to their own customers.

A processor must comply with the GDPR even if they do not process the personal data within the EU.

Why Does My Customer Want Me to Comply With the GDPR?

If You Are a Processor

By servicing an EU-based customer, you may become a processor. If you are a processor, your EU-based customers may need you to meet certain GDPR requirements so that they can comply with their own.

For example, customers who are controllers have an obligation to make sure the personal data they handle is secure. This includes when processors, such as yourself, handle data. 

Controllers are liable if a processor handles data inconsistently with the GDPR – unless it can be shown that the controller was not in any way responsible. To ensure the processor’s compliance, controllers must sign a data processing agreement with processors which sets out the parties’ obligations.

By Request

You may also choose to comply with the GDPR because your customers request it and it makes commercial sense to do so. 

For example, you may operate a business in Australia and work only with Australian customers. You may not process or control any information about EU individuals. 

However, your customer may prefer you to comply with GDPR requirements:

  • because it believes you are a processor;
  • as a precaution; 
  • to observe an internal policy; or 
  • to comply with best practice.

Privacy compliance can be onerous; you should weigh up the cost of compliance against the benefit of your relationship with your customer.

What Are Your Requirements Under the GDPR?

If you are a processor, the GDPR requires your data processing agreement to include, and you to comply with, statements that you, as the processor, will:

  • take appropriate measures to ensure the security of processing;
  • keep records of processing activities;
  • only engage sub-processors with the prior consent of the controller and under a written contract;
  • promptly notify the controller of any personal data breach after becoming aware of it;
  • cooperate with supervisory authorities;
  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence to keep the information confidential;
  • assist the controller in providing data subjects with access and allowing data subjects to exercise their rights under the GDPR;
  • assist the controller in meeting its GDPR obligations in relation to the security of processing and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract;
  • submit to audits and inspections; and
  • provide the controller with whatever information it needs to ensure that you and the controller are both meeting your Article 28 obligations, and tell the controller immediately if you are asked to do something that would infringe the GDPR or other data protection law of the EU or a member state.

It is best practice to prepare your own data processing agreement to ensure you understand what you agree to. If your customer supplies the agreement, it is important to ensure that you understand your obligations under the agreement and how they work in practice. 

Key Takeaways

EU-based companies are increasingly requiring non-EU-based service providers to comply with GDPR requirements. If you are a processor, your customer may require you to sign and comply with a data processing agreement in order to comply with its own requirements under the GDPR. Even if you are not legally required to, you may choose to comply with your customers’ demands for commercial purposes. You should ensure that you understand these obligations before committing to them, especially as privacy costs can be onerous relative to the commercial gain.


Nathalie King