Most businesses should be aware by now that the General Data Privacy Regulation (GDPR) takes effect this week in the territory of the European Union, and extends its effect to certain overseas businesses. In their attempts to achieve compliance, many companies that know or suspect that they will be transferring data from the EU to third country locations have already begun requesting that their business partners sign data privacy addenda (DPA’s). These DPA’s include the European Commission’s Standard Contractual Clauses (SCC’s), which were originally designed for the 1995 Data Directive.
A business located overseas should look very carefully at any DPA’s they are being requested or demanded to sign. The SCC’s included in many of these DPA’s specifically require the overseas company to consent to the jurisdiction of European courts and the application of European law. This is meant to protect the rights of the original European data subject. However, the mere fact that an overseas business exchanges data with a business that handles data from Europe, does not make compliance with the GDPR necessary. The overseas business may very well be outside the GDPR’s reach.