GDPR Compliance: What Companies Doing Business With EU Citizens Need to Know

by Stephanie Gomez | September 2019

If you are a company that does business with European Union (EU) citizens, read carefully. Companies that collect data on citizens in EU countries must comply with strict new rules intended to protect customer data.1 “The EU General Data Protection Regulation (GDPR) is the most important regulation in data privacy regulation in 20 years.”2 The GDPR was approved by the EU Parliament on April 14, 2016 and has been in force for slightly over a year, since May 2018.

One of the biggest changes that came with the GDPR is its extended jurisdiction: it applies to all companies processing the personal data of data subjects residing in the EU, regardless of where the company is located. In other words, the GDPR applies not only to companies located within the EU, but also to companies located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.3 For example, the GDPR applies to:

1. A company or entity that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; and

2. A company established outside of the EU that is offering goods/services (paid or for free) or is monitoring the behavior of individuals in the EU.4

Penalties for non-compliance with the GDPR include fines of up to 4% of annual global turnover or €20 million.5 These maximum fines can be imposed for the most serious types of infringements, including lacking sufficient customer consent to process data. Moreover, there is a tiered approach to fines, such as a 2% fine for a company’s records not being in order.

GDPR complaints have been filed against Amazon, Apple, Spotify, YouTube, Netflix and other online streaming companies for violations of the “right to access” provision in Article 15 of the GDPR.6 The “right to access” provision grants all EU citizens the “right to get a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored.”7 The European privacy enforcement non-profit organization that filed these GDPR complaints on behalf of users is noyb. According to noyb’s Director, all of these defendants were tested to check their compliance with the “right to access” provision, and some of the companies, for example, provided users with the raw data but not with the information about who the data was shared with.8

It is important to note that if processing personal data is not a core part of a business and its activity does not create risks for individuals, then some obligations of the GDPR will not apply to that business.9 Either way, if you are a company that does business in Europe, you want to make sure that you comply with the GDPR to avoid being fined. The GDPR, which is available in 24 languages, can be accessed via the Official Journal of the European Union at this website.

1 Michael Nadeau, General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant, CSO (May 29, 2019).
2 EU GDPR (last visited Aug. 16, 2019).
3 Frequently Asked Questions About GDPR, EU GDPR.
4 What Does the Data Protective Law Apply To?, EUROPEAN COMMISSION.
5 Supra note 3.
6 Sergiu Gatlan, Amazon, Apple, Others Hit with GDPR Complaints, €18.8B Maximum Penalties, BLEEPING COMPUTER (Jan. 18, 2019).
7 Id.
8 Id.
9 Supra note 4.