With the GDPR coming into force in the UK on 25 May 2018 it is worth highlighting that the regulations have a broad territorial scope. For embassies and consulates in particular, non-compliance with GDPR could have serious repercussions not just for the organisation itself but also for the citizens and commercial enterprises that rely on embassy or consular services.
WHERE DOES GDPR APPLY? EU EMBASSIES WITHIN THE EU AND ABROAD
Article 3 of the GDPR deals with territorial scope. Where will the new rules apply? For a start the GDPR broadens the international reach of EU data protection rules. They will apply to:
- The processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or (2) the monitoring of their behaviour as far as their behaviour takes place within the Union
- The processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Of particular note for embassies and consular offices the GDPR also states that:
“Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.”
This means that even UK embassies or consular posts situated outside the EU will be caught by the new GDPR regime.
WHAT ABOUT NON EU EMBASSIES LOCATED WITHIN THE EU
Currently foreign embassies located in the UK are not subject to the full rigour of UK data protection law. This reflects their special status under international law. We cannot see any wording in Article 3 of GDPR that would change this.
HOW WE CAN HELP
Big Data Law is a London-based niche data protection law firm. We offer a range of GDPR compliance services to national and international bodies. For an initial conversation on your GDPR requirements call one of our specialist solicitors on 0203 670 5540.