The European Data Protection Board has issued long-awaited final guidelines for the extraterritorial application of the General Data Protection Regulation (GDPR).
Key changes:
- GDPR can apply extraterritorially to some streams of data processing and not others, and not to the entire entity.
- GDPR applies to many non-EU data processors, including cloud storage providers for data processing activities captured by GDPR. This will mean non-EU data processors will need to look for compliance with the GDPR data processor obligations not subsumed in the Article 28 data processing addenda, including (i) Art 27 representative in the Union and (ii) Article 30 record of processing activities.