IBA Compliance Connection

Your go to source for compliance!

As a state-chartered bank, are we subject to the EU’s General Data Protection Regulation (GDPR)? For example, we have just one CD customer in Ireland.

by

admin

Yes, we believe that the GDPR would apply to your bank because you have one customer who resides in the European Union (EU).

The GDPR applies to businesses outside of the EU that process personal data when offering goods or services to a natural person who is located in the EU. This is a very broad standard of application; we believe that it would cover your bank, which provides CD services to a natural person located in the EU and almost certainly processes that person’s personal data.

For resources related to our guidance, please see:

  • European Commission FAQs, Who does the data protection law apply to? (“The law applies to: . . . (2) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”)
  • European Commission FAQs, Who does the data protection law apply to? (“Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”)
  • Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”)
  • Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. . . .”)
  • Regulation (EU) 2016/679 (GDPR), Article 4, Definitions (“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; . . .”)