In today’s digital age, the protection of personal data has become a critical issue for all businesses, regardless of size or geographical location. The General Data Protection Regulation (GDPR) of the European Union applies not only to companies within the EU but also affects any organization processing data of EU citizens. This means that even Vietnamese businesses or small enterprises need to be aware of and comply with GDPR if they have customers or partners in the EU.
1. Brief overview of GDPR
The General Data Protection Regulation (GDPR) is a pivotal document in the field of data protection and privacy globally. Adopted by the European Union (EU) in 2016 and officially implemented on May 25, 2018, GDPR marks a significant advancement in updating and harmonizing data protection regulations across the EU. The primary objective of GDPR is to enhance individuals’ control over their personal data and simplify the regulatory environment for businesses operating within the region.
GDPR builds upon the foundation of the EU’s 1995 Data Protection Directive but expands its scope to align with the modern digital era. This regulation introduces a series of new principles, rights, and obligations, including the right to be forgotten, the right to data access, and requirements for data breach notifications.
The complexity of GDPR is evident in its application to all organizations processing EU citizens’ data, regardless of where the organization is headquartered. This has created a global impact, compelling businesses worldwide to review and improve their data protection practices. Moreover, GDPR imposes severe penalties for non-compliance, with fines of up to 4% of annual global turnover or €20 million, whichever is higher.
Notable GDPR violation cases for reference:
- Meta (Facebook): Fined €1.2 billion in 2023 for transferring EU user data to the US without adequate safeguards.
- Amazon: Fined €746 million in 2021 for violating regulations on advertising and user tracking.
- WhatsApp: Fined €225 million in 2021 for lack of transparency in personal data processing.
- Google: Fined €50 million in 2019 for lack of valid consent in personalized advertising.
- H&M: Fined €35 million in 2020 for excessive employee monitoring.
These cases emphasize the importance of strict GDPR compliance, particularly in areas such as international data transfers, transparency in data processing, and ensuring valid consent from users.
2. Subjects required to comply with GDPR
GDPR has significantly expanded the scope of EU data protection regulations, encompassing the following entities:
- Organizations with an establishment in the EU processing personal data will fall within the scope of GDPR when the data processing occurs in the context of their activities. The interpretation of “in the context of the activities” is quite broad, and the threshold for what constitutes an “establishment” is relatively low.
- Even without a presence in the EU, GDPR applies to the following organizations:
  - Organizations processing personal data of EU citizens in relation to offering goods or services to them.
  - Organizations processing personal data of EU citizens to monitor the behavior of individuals in the EU.
Determining whether an organization falls under these categories can be complex. Therefore, the European Data Protection Board has issued detailed guidelines for specific cases, which relevant parties should carefully consider to ensure compliance.
Some important guidelines include:
- The concept of “establishment” was examined by the Court of Justice of the European Union (CJEU) in the Weltimmo v NAIH case (C-230/14) in 2015. This ruling confirmed that “establishment” is a term interpreted “broadly” and “flexibly,” not dependent on legal form. An organization may be considered to have an “establishment” in the EU if it conducts “any real and effective activity – even a minimal one” through “stable arrangements” in the EU. Even the presence of a single representative may be sufficient to be considered an establishment under GDPR.
- For the provision of goods and services (excluding monitoring activities), organizations need to clearly demonstrate “intention” to direct their activities to data subjects in the EU. Accordingly, merely being able to access a website from the EU is not sufficient for GDPR to apply.
- Unlike the provision of goods and services, monitoring activities do not necessarily require clear indications of the organization’s intention. However, EDPB guidance indicates that “the use of the word ‘monitoring’ implies that the data controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.” This means that any activity aimed at analyzing or predicting the behavior of EU users, whether intentional or not, may be considered “monitoring” and therefore subject to GDPR compliance.
However, GDPR also sets out exceptions where its provisions do not apply, including processing activities that are:
- Outside the scope of EU law (e.g., activities related to national security);
- Related to the EU’s common foreign and security policy;
- Carried out by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses and related matters;
- Carried out by individuals as part of “purely personal or household activities”.
3. Principles of personal data protection under GDPR
GDPR establishes a series of important principles and requirements for personal data protection that businesses must comply with. Implementing these requirements demands significant investment in time, resources, and commitment from businesses.
Some of the overarching principles set forth by GDPR include:
- Personal data must be processed lawfully, fairly, and transparently in relation to the data subject. This requires organizations to have a clear legal basis for data processing, ensure fair processing procedures, and provide comprehensive, understandable information to users about how their data is used.
- Businesses are only permitted to collect data necessary for specified purposes and must not store data longer than necessary. Implementing this requires an effective data management system capable of tracking the lifecycle of data and automatically deleting it when no longer needed.
- Businesses must ensure data accuracy and allow data subjects to exercise their rights, such as the right to access, rectify, and erase data. Implementing processes to meet this requirement can be costly and complex, especially when data is stored across multiple systems.
- Businesses are obliged to protect data against risks such as loss, unauthorized access, or disclosure.
- Businesses must maintain detailed records of data processing activities and conduct Data Protection Impact Assessments (DPIAs) when necessary.
Compliance with GDPR is not only a legal requirement but also an opportunity to enhance reputation and build trust with customers. By implementing stringent data protection measures, businesses can create a competitive advantage, especially in a context where consumers are increasingly concerned about their privacy.
Disclaimers:
This article is for general information purposes only and is not intended to provide legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may no longer be in force at the time you read it. We therefore advise that you always consult a professional adviser before applying any of its content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.