Foreign Laws Matter

Decoder von Tran, Zimo, D&H

Legal topics

Extraterritorial Application of GDPR

Veröffentlicht von Dr. Andreas Kaiser am 02.06.2018

The GDPR may apply on Japanese undertakings, when

  • The Japanese undertaking has an establishment in the Union that in the course of its business processes personal data of natural persons, whatever their nationality or residence and regardless of whether the processing itself takes place within the Union.

  • The Japanese undertaking is not established in the Union but carries out processing activity that are related to offering goods or services to natural persons who are in the Union (irrespective of whether a payment is required or not) or to the monitoring of the behaviour of such natural persons (profiling) in so far as their behaviour takes place within the Union.

  • The Japanese undertaking receives personal data via data transfer from a controller or processor located in the EU or from a third country (to which data from the EU was transferred).

Hence, EU and Non-EU undertakings alike must comply with GDPR, when offering their goods or services to customers or monitor their behaviour in the EU.

If a controller or processor plans to transfer personal data to its Japanese counterpart and no exception is applicable, it has to provide for appropriate safeguards. Such safeguards include the use of binding corporate rules in a group of companies, standard data protection clauses adopted by the Commission or by a supervisory authority or contractual clauses between the transferring and the receiving organisation authorised by a supervisory authority. The same applies if the undertaking located in Japan transfers personal data (that was received from the EU) to another “third country”.

Where an undertaking located in Japan falls within the GDPR’s scope of application, it must designate a so-called “representative in the Union”. This representative has to be established in one of the EU member states where the individuals whose personal data is processed are present. The representative shall be a point of contact for individuals and/or supervisory authorities with regard to GDPR related questions. Exceptions from the obligation to appoint a representative may apply, if data processing is only occasional and does not involve particularly sensitive data on a large scale.

We could be of help to clarify whether the GDPR is relevant for your business and what measures have to be implemented to be compliant. 

Zuletzt geändert am: 16.06.2018 um 10:08

Zurück zur Übersicht