In the last few days before the deadline for compliance with the General Data Protection Regulation (GDPR), data protection advisor Jon Baines is here to answer your questions.
Today, Jon was asked:
Q: "If you're an EU citizen and you leave the EU to live in Asia, are you still protected under GDPR?"
"One of the misconceptions about the GDPR is that it applies only to 'EU citizens'. In fact, if you search the text of the GDPR you won't find one use of the word 'citizen'.
"GDPR actually applies, in a territorial context, in two different ways. First, it applies to processing of personal data by a controller or processor established in the European Union, regardless of where the processing takes place, and also regardless of who the data subject is – so, for instance, a charity established in the UK, which processes the personal data of people in Africa, is still subject to GDPR.
"Second, it applies to processing of personal data by a controller or processor outside the European Union, if the data subjects are in the Union, and if the controller or processor is offering goods and services to those in the Union, or monitoring the behavior of those in the Union – so a US website, offering products for sale priced in Euros, would be caught.
"In answer to the question, then, one's data would still be 'protected' by GDPR if one had moved to Asia and the organization doing the processing were established in the EU. If it were established outside the EU, probably not.
"However, it's important to note that European data protection law is increasingly seen as a benchmark, and as a result there are signs of a move towards harmonization globally, with increasing numbers of countries adopting similar laws."
Originally published InfoSecurity
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
