Yes, we believe the GDPR would apply to your bank because you process personal data for individuals residing in the European Union (EU) that identifies them or could be used to identify them.
The GDPR applies to businesses outside of the EU that process personal data when offering goods or services to a natural person who is located in the EU. This is a very broad standard of application; we believe that it would cover your bank, which provides IRA and safe deposit box services to natural persons located in the EU and almost certainly processes their personal data in connection with those services. We note that although the IRA owners may not reside in the EU, their beneficiaries residing in the EU are entitled to the protections of the GDPR if you are processing their personal data.
For resources related to our guidance, please see:
- European Commission FAQs, Who does the data protection law apply to? (“The law applies to: . . . (2) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”)
- European Commission FAQs, Who does the data protection law apply to? (“Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”)
- Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”)
- Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. . . .”)
- Regulation (EU) 2016/679 (GDPR), Article 4, Definitions (“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; . . .”)
- GDPR, Regulation (EU) 2016/679, Article 83, Administrative Fines (“4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: . . . 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: . . .”)