SARs OUTSIDE OF THE EU

20 August 2018

Subject Access Request outside of the EU

On some occasions, an EU data subject may require a Subject Access Request (SAR) that involves a transaction outside of the EU. Data processors must therefore be aware that a data controller outside of the EU will not necessarily give up any, or many, of its obligations under the General Data Protection Regulation (GDPR).

So the question is: do data processors need to address the Subject Access Request without the controller?

According to Article 28, the usual process for dealing with Subject Access Requests is that the Data Processor must defer Subject Access Requests to the Data Controller as soon as they are received and, if need be, the Data Processor will assist with the request. This process should be recorded in a contractual agreement (a Data Processor Agreement) that sets out the procedures and responsibilities and states whether or not the Data Processor should assist with an SAR.

It also comes down to territorial scope, as a data subject may have provided their personal data to a non-EU controller outside of the EU territory. Therefore, the data processing might not comply with GDPR, which means the data subject cannot submit an SAR.

However, if the data subject was in the EU when the personal data was given, then the Data Controller, who is processing an EU subject’s data, must comply with GDPR in accordance with the Territorial Scope outlined in Article 3.

For example, if a British citizen visits the US and makes a transaction there, there should be no GDPR requirement. However, if the British citizen purchases something on a US-based website whilst in the EU, then this requires GDPR ‘compliance’.

It is also important to remember that GDPR protects the data of EU residents, regardless of whether they are EU citizens or not.
