LRD guides and handbook March 2018

The General Data Protection Regulation - a practical guide for trade unionists

Chapter 1

Territorial scope

[ch 1: page 8]

Geographically, the GDPR applies:

• where data is processed within the EU;

• where data is processed outside the EU for a data controller or processor that is within the EU;

• where the data controller or processor is outside the EU but offers goods or services or monitors behaviour within the EU (in this case the controller or processor must designate a representative in the EU); or

• where the domestic law of an EU state applies by virtue of international law.

It therefore applies regardless of whether the processing takes place within or outside the UK, so that employers who outsource functions such as IT or HR to other countries will still need to ensure that it is processed according to the principles of the GDPR. There are particular provisions relating to this in Articles 44 to 50.

The GDPR does not apply to processing carried out for purely personal or household activities with no connection to a professional or commercial activity. This could include correspondence and keeping addresses, or social networking and online activity. However, the GDPR does apply to those who provide the means for processing personal data for such activities, such as social media platforms.