[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_57882":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":16,"featured":4,"state":17,"author":18,"authorId":19,"datePublication":23,"dateCreation":24,"dateUpdate":25,"mainCategory":26,"categories":42,"metaDatas":48,"imageUrl":49,"imageThumbUrls":50,"id":58},false,"The General Data Protection Regulation (GDPR) applies not only to the majority of companies, but also to associations and public organizations.\r\n\r\nIn this practical guide, we address a common question about the GDPR: Who is affected? Our goal is to dispel any uncertainties so that you can obtain clear answers to your questions.\r\n\r\n## Who is affected by the GDPR?\r\n\r\nThe GDPR applies to any entity, whether it be companies, associations, or public organizations, that collects, stores, or uses personal data of residents of the European Union, regardless of where it is located.\r\n\r\nHere are the key points:\r\n\r\n- **Geographical location**: The entity's location does not matter. A company located in the EU but not using personal data of European residents is not affected. 
Conversely, a company outside the EU that processes personal data of European residents is affected.\r\n- **Extraterritorial application**: The GDPR also applies to large international companies such as Google, Amazon, Facebook, Apple, and Microsoft (GAFAM), demonstrating its extraterritorial scope.\r\n\r\nIn summary, almost all entities, regardless of their size, are affected by the GDPR, whether they are small businesses, medium-sized enterprises, large companies, public administrations, hospitals, small shops, or hair salons, as long as they process personal data of European residents.\r\n\r\n>Attention!\r\nThe GDPR also applies to individuals as soon as they process personal data outside of their personal or domestic activities. \r\nFor example, this applies to individuals who install cameras filming the exterior of their home or who employ a worker within their home. \r\nSimilarly, the GDPR applies to individuals who publish personal data of other individuals on publicly accessible social networks.\r\n\r\n## Personal data and processing, what is it about?\r\n\r\nThe GDPR applies to companies that process personal data.\r\n\r\nAccording to Article 4 of the GDPR, personal data is defined as \"any information relating to an identified or identifiable natural person\".\r\n\r\nIn other words, personal data is any information that allows the recognition or identification of a natural person, such as a name, first name, email address, telephone number, social security number, address, IP address, identifier, etc.\r\n\r\nAny company that holds such data (whether it concerns personnel, partners, suppliers, customers, users...) holds personal data and is subject to the GDPR.\r\n\r\nThe European Regulation adopts a very broad understanding of the concepts of \"personal data\" and \"processing\". 
Data processing encompasses any activity involving the collection, storage, modification, or use of data.\r\n\r\nTherefore, even if you only store the personal data you collect without using it, you are subject to the GDPR.\r\nAs soon as this data is stored in your information system, a database, or an Excel sheet, you are considered to be carrying out \"processing of personal data\".\r\n\r\n## Clarifications on the scope of the GDPR\r\n\r\nHere are some key points to better understand the scope of application of the GDPR in a company.\r\n\r\n### The GDPR is not limited to customer data\r\n\r\nThe GDPR covers all personal data stored by your company and related to European residents, including your customers, users, suppliers, employees, prospects, and candidates.\r\n\r\n### Understanding the notion of \"European residents\"\r\n\r\nThe GDPR governs the processing of personal data of \"European residents\" or \"European citizens\".\r\nThis means that:\r\n\r\n- The GDPR applies to personal data of European citizens living abroad.\r\n- It also applies to data of foreign individuals residing in one of the countries of the European Union.\r\n- The GDPR therefore concerns all individuals residing in the EU, regardless of their nationality.\r\n\r\n### The GDPR &amp; companies\r\n\r\nFor companies, two important points should be noted:\r\n\r\n1. The data related to the \"company\" entity (such as the SIRET number, turnover, number of employees) is not personal data. However, information regarding contacts within the client company (name, first name, position, phone number, email) is personal data and falls under the GDPR.\r\n\r\n2. The GDPR seems to be less strict regarding the processing of B2B data, especially regarding obtaining consent during collection or storage of data. However, this point remains unclear in the GDPR text, and companies exploit this legal uncertainty. 
Nevertheless, recent developments suggest that rules regarding B2B data could tighten in the coming years.\r\n\r\n### Attention to subcontracting\r\n\r\nIf you outsource data processing, such as using a web analytics tool, you must:\r\n\r\n- Verify that the service provider complies with GDPR rules.\r\n- Assume joint responsibility with the subcontractor in case of non-compliance with the processing.\r\n\r\n## Who is not affected by the GDPR\r\n\r\nThe GDPR does not apply to personal data of individuals who do not reside in the EU or who are not European citizens.\r\n\r\nOutside of this obvious case, there are a few exceptions:\r\n\r\n- Processing carried out strictly privately, such as creating a personal contact directory.\r\n- Processing carried out for the protection of fundamental rights and freedoms.\r\n- Processing carried out within the framework of preventing criminal offenses.\r\n\r\n## Check if your organization is affected by the GDPR\r\n\r\nMost large companies have already complied with the GDPR, but this is not always the case for small businesses and individual companies.\r\nMany of them have not yet taken any measures, and some SMEs have still not started their GDPR compliance process.\r\n\r\nIf you are a company, an association, or any other type of organization and you want to know if the GDPR applies to you, we invite you to [contact one of our experts](https://www.dastra.eu/en/contacts)!\r\nThey can answer all your questions, conduct an audit of your data, determine if you are affected, and, if necessary, support you in your GDPR compliance process.\r\n\r\nIt is important to remember that the penalties for non-compliance with the GDPR are severe and the supervisory authority (in France, the CNIL) is now less tolerant.\r\nFines can reach up to 20 million euros. 
Therefore, it is crucial not to take this risk lightly.","\u003Cp>The General Data Protection Regulation (GDPR) applies not only to the majority of companies, but also to associations and public organizations.\u003C/p>\r\n\u003Cp>In this practical guide, we address a common question about the GDPR: Who is affected? Our goal is to dispel any uncertainties so that you can obtain clear answers to your questions.\u003C/p>\r\n\u003Ch2 id=\"who-is-affected-by-the-gdpr\">Who is affected by the GDPR?\u003C/h2>\r\n\u003Cp>The GDPR applies to any entity, whether it be companies, associations, or public organizations, that collects, stores, or uses personal data of residents of the European Union, regardless of where it is located.\u003C/p>\r\n\u003Cp>Here are the key points:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Geographical location\u003C/strong>: The entity's location does not matter. A company located in the EU but not using personal data of European residents is not affected. Conversely, a company outside the EU that processes personal data of European residents is affected.\u003C/li>\r\n\u003Cli>\u003Cstrong>Extraterritorial application\u003C/strong>: The GDPR also applies to large international companies such as Google, Amazon, Facebook, Apple, and Microsoft (GAFAM), demonstrating its extraterritorial scope.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>In summary, almost all entities, regardless of their size, are affected by the GDPR, whether they are small businesses, medium-sized enterprises, large companies, public administrations, hospitals, small shops, or hair salons, as long as they process personal data of European residents.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Attention!\r\nThe GDPR also applies to individuals as soon as they process personal data outside of their personal or domestic activities.\r\nFor example, this applies to individuals who install cameras filming the exterior of their home or who employ a worker within their home.\r\nSimilarly, the 
GDPR applies to individuals who publish personal data of other individuals on publicly accessible social networks.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"personal-data-and-processing-what-is-it-about\">Personal data and processing, what is it about?\u003C/h2>\r\n\u003Cp>The GDPR applies to companies that process personal data.\u003C/p>\r\n\u003Cp>According to Article 4 of the GDPR, personal data is defined as \"any information relating to an identified or identifiable natural person\".\u003C/p>\r\n\u003Cp>In other words, personal data is any information that allows the recognition or identification of a natural person, such as a name, first name, email address, telephone number, social security number, address, IP address, identifier, etc.\u003C/p>\r\n\u003Cp>Any company that holds such data (whether it concerns personnel, partners, suppliers, customers, users...) holds personal data and is subject to the GDPR.\u003C/p>\r\n\u003Cp>The European Regulation adopts a very broad understanding of the concepts of \"personal data\" and \"processing\". 
Data processing encompasses any activity involving the collection, storage, modification, or use of data.\u003C/p>\r\n\u003Cp>Therefore, even if you only store the personal data you collect without using it, you are subject to the GDPR.\r\nAs soon as this data is stored in your information system, a database, or an Excel sheet, you are considered to be carrying out \"processing of personal data\".\u003C/p>\r\n\u003Ch2 id=\"clarifications-on-the-scope-of-the-gdpr\">Clarifications on the scope of the GDPR\u003C/h2>\r\n\u003Cp>Here are some key points to better understand the scope of application of the GDPR in a company.\u003C/p>\r\n\u003Ch3 id=\"the-gdpr-is-not-limited-to-customer-data\">The GDPR is not limited to customer data\u003C/h3>\r\n\u003Cp>The GDPR covers all personal data stored by your company and related to European residents, including your customers, users, suppliers, employees, prospects, and candidates.\u003C/p>\r\n\u003Ch3 id=\"understanding-the-notion-of-european-residents\">Understanding the notion of \"European residents\"\u003C/h3>\r\n\u003Cp>The GDPR governs the processing of personal data of \"European residents\" or \"European citizens\".\r\nThis means that:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>The GDPR applies to personal data of European citizens living abroad.\u003C/li>\r\n\u003Cli>It also applies to data of foreign individuals residing in one of the countries of the European Union.\u003C/li>\r\n\u003Cli>The GDPR therefore concerns all individuals residing in the EU, regardless of their nationality.\u003C/li>\r\n\u003C/ul>\r\n\u003Ch3 id=\"the-gdpr-companies\">The GDPR &amp; companies\u003C/h3>\r\n\u003Cp>For companies, two important points should be noted:\u003C/p>\r\n\u003Col>\r\n\u003Cli>\u003Cp>The data related to the \"company\" entity (such as the SIRET number, turnover, number of employees) is not personal data. 
However, information regarding contacts within the client company (name, first name, position, phone number, email) is personal data and falls under the GDPR.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>The GDPR seems to be less strict regarding the processing of B2B data, especially regarding obtaining consent during collection or storage of data. However, this point remains unclear in the GDPR text, and companies exploit this legal uncertainty. Nevertheless, recent developments suggest that rules regarding B2B data could tighten in the coming years.\u003C/p>\r\n\u003C/li>\r\n\u003C/ol>\r\n\u003Ch3 id=\"attention-to-subcontracting\">Attention to subcontracting\u003C/h3>\r\n\u003Cp>If you outsource data processing, such as using a web analytics tool, you must:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Verify that the service provider complies with GDPR rules.\u003C/li>\r\n\u003Cli>Assume joint responsibility with the subcontractor in case of non-compliance with the processing.\u003C/li>\r\n\u003C/ul>\r\n\u003Ch2 id=\"who-is-not-affected-by-the-gdpr\">Who is not affected by the GDPR\u003C/h2>\r\n\u003Cp>The GDPR does not apply to personal data of individuals who do not reside in the EU or who are not European citizens.\u003C/p>\r\n\u003Cp>Outside of this obvious case, there are a few exceptions:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Processing carried out strictly privately, such as creating a personal contact directory.\u003C/li>\r\n\u003Cli>Processing carried out for the protection of fundamental rights and freedoms.\u003C/li>\r\n\u003Cli>Processing carried out within the framework of preventing criminal offenses.\u003C/li>\r\n\u003C/ul>\r\n\u003Ch2 id=\"check-if-your-organization-is-affected-by-the-gdpr\">Check if your organization is affected by the GDPR\u003C/h2>\r\n\u003Cp>Most large companies have already complied with the GDPR, but this is not always the case for small businesses and individual companies.\r\nMany of them have not yet taken any measures, and some SMEs 
have still not started their GDPR compliance process.\u003C/p>\r\n\u003Cp>If you are a company, an association, or any other type of organization and you want to know if the GDPR applies to you, we invite you to \u003Ca href=\"https://www.dastra.eu/en/contacts\">contact one of our experts\u003C/a>!\r\nThey can answer all your questions, conduct an audit of your data, determine if you are affected, and, if necessary, support you in your GDPR compliance process.\u003C/p>\r\n\u003Cp>It is important to remember that the penalties for non-compliance with the GDPR are severe and the supervisory authority (in France, the CNIL) is now less tolerant.\r\nFines can reach up to 20 million euros. Therefore, it is crucial not to take this risk lightly.\u003C/p>\r\n","Who is affected by the GDPR- Dastra","The GDPR applies to any entity, whether a company, association or public body, that collects, stores or uses personal data.",957,5,"European Regulation: whom does it apply to?",0,null,"en","european-regulation-whom-does-it-apply-to","The GDPR applies to any entity, whether it is a company, association, or public organization, that collects, stores, or uses personal data of residents of the European Union, regardless of its location.","Published",{"id":19,"displayName":20,"avatarUrl":21,"bio":13,"blogUrl":13,"color":13,"userId":19,"creationDate":22},10458,"Marine Boquien","https://static.dastra.eu/tenant-19/avatar/10458/logo-icon-primary-150.png","2023-10-02T14:39:10","2024-08-07T06:00:00","2024-08-07T07:41:03.6173812","2024-09-23T07:13:08.8130447",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":32},2,"Blog","A list of curated articles provided by the community","article","#28449a",[33,36,39],{"lang":34,"name":28,"description":35},"fr","Une liste d'articles rédigés par la communauté",{"lang":37,"name":28,"description":38},"es","Una lista de artículos escritos por la 
comunidad",{"lang":40,"name":28,"description":41},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[43],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":44},[45,46,47],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},[],"https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-original.png",[51,52,53,54,55,56,57],"https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-1000.webp","https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7.webp","https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-1500.webp","https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-800.webp","https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-600.webp","https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-300.webp","https://static.dastra.eu/content/a7da7ce2-e9a8-4333-8552-b329798080d7/visuel-anglais-7-100.webp",57882]