The GDPR was instituted to regulate the use of personal data of European Union (EU) citizens wherever they are domiciled around the world. However, an interesting situation arises regarding EU residents who are not EU citizens. The GDPR protects personal data that is processed for activities and transactions occurring within the EU, but it is somewhat vague as to whether these EU residents (e.g. students, ambassadors) fall under the umbrella of the regulation.
The GDPR extends its protection to “data subjects”. But what is a “data subject”, and are residents assigned specific protection as well? To better understand this question, we have to look at how citizenship is defined in EU Article 20(1) and how the GDPR defines its own scope, taken together.
EU Article 20(1) describes EU citizenship as follows:
“Citizenship of the Union is hereby established. Every person holding the nationality of a Member State shall be a citizen of the Union.”
The description of the GDPR’s scope on the EU website states:
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
However, recital 14 says:
“The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data.”
There is a clear lack of clarity as to whether a company must protect the data of EU citizens only, or of EU citizens and residents alike. However, as this is new territory for all parties involved, you should adopt a conservative outlook toward the GDPR. From that perspective, an EU resident falls under the purview of “data subject”, so treat their personal data the same way you would treat an EU citizen’s, including the right of erasure and the right to data portability. One may argue that these two new rights in the GDPR should be reserved for EU citizens alone, but designing privacy into a system in such a short amount of time is already difficult; why complicate the process by adding even greater levels of scrutiny for companies that use the personal data of the EU community? The role of the Data Privacy Officer (DPO) is already hard enough when sorting through the nuances of the GDPR, so I believe in simplifying and taking a conservative outlook.