- GDPR is enacted to safeguard the privacy of European Union citizens.
- The law is still unclear on whether all European residents, irrespective of their nationality, come under the purview of the law.
- The best approach for organisations will be to include all European residents within the definition of "data subjects".
Article excerpts from my forthcoming book – 99 Articles on the GDPR
The GDPR was instituted to regulate the use of personal data of European Union (EU) citizens wherever they are domiciled around the world. However, an interesting situation arises regarding EU residents who are not EU citizens. The GDPR protects the personal data that is processed for activities and transactions that occur within the EU but is a bit vague as to whether these EU residents (i.e. students, ambassadors, etc.) fall under the umbrella of the regulation.
The GDPR applies protection to "data subjects". But what is a "data subject", and are residents assigned specific protection as well? To better understand this question, we have to look at how citizenship is defined in the EU Article and how the GDPR treats it, reading the two in conjunction.
The EU Article 20(1) describes EU citizenship as follows:
"Citizenship of the Union is hereby established. Every person holding the nationality of a Member State shall be a citizen of the Union."
The GDPR's scope on the EU website states:
"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy."
However, recital 14 says:
"The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data."
There is a clear lack of clarity as to what a company should do with regard to protecting the data of EU citizens only, or of EU citizens and residents. However, as this is new territory for all parties involved, you should assume a conservative outlook on the GDPR. With such a perspective, an EU resident would fall under the purview of "data subject", so treat their personal data the same way you would treat an EU citizen's, which includes the right of erasure and data portability. One may argue that these two new rights in the GDPR should be reserved for EU citizens alone, but designing privacy into a system in such a short amount of time is already difficult; why complicate the process by adding even greater levels of scrutiny for companies that use personal data of the EU community? The role of the Data Privacy Officer (DPO) is already hard enough in sorting through the nuances of the GDPR, so I believe in simplifying and taking a conservative outlook.