Two types of people are affected by the General Data Protection Regulation: individuals, who enjoy certain rights under the GDPR, and legal persons, who have duties.
The main objective of GDPR compliance is to improve the protection of our personal data, and therefore by extension, the protection of natural persons. Since the GDPR is a European law, its scope primarily covers European citizens.
However, the GDPR can also bring a significant benefit to non-EU citizens, because the companies concerned secure personal data better and sometimes give non-EU citizens the possibility of exercising the same rights as European citizens.
A genuine law of ethics and hygiene for practices involving personal data, the GDPR gives power back to the data's owners: we, European citizens! Indeed, European citizens benefit from rights which they can exercise (Articles 15, 16, 17, 18, 20 and 21 of the GDPR). These rights are satisfied through companies' various GDPR compliance processes, which ensure the proper use of their personal data.
Regarding a legal person's obligation to comply with the GDPR, two criteria make it possible to identify the companies concerned:
The GDPR concerns all companies established in the territory of the European Union that process personal data. This applies regardless of the size of the company, its turnover, or its activity.
A company's subcontractors that process personal data for which the company is responsible are also subject to the GDPR, even if these subcontractors are not located in European territory.
Indeed, the GDPR establishes a principle of co-responsibility between the data controller (the company) and its subcontractors for the personal data to which these service providers have access.
The GDPR has an extraterritorial scope. Companies located outside the European Union that directly target consumers located in the EU are also affected. Whether the offer concerns goods or services, the GDPR applies to the processing of the data of these consumers.
These companies must designate a representative in the European Union, in order to facilitate relations between the European authorities for the protection of personal data and foreign companies subject to the GDPR.