Examples of businesses affected
Examples of types of business to which the GDPR may apply immediately can be split into four broad categories:
1. Controllers that provide goods or services directly to EU residents or monitor the behaviour of EU residents.
For example:
- E-gaming sites
- Insurance or financial services
- Companies offering tax and National Insurance minimisation schemes
- Apps or websites that use cookies or other means of tracking behaviour
- Websites accepting payment in Euros or targeted at residents of a particular EU country or countries
2. Processors that receive, and process, personal data relating to EU residents on behalf of businesses located anywhere in the world.
For example:
- Cloud service providers
- An Island company providing staff administration services to its Group’s cross-EU staff
- Telecoms companies
- Use of an IOM company by a non-EU company to offer its goods and services to EU residents
3. Controllers that transfer personal data relating to EU residents to other controllers inside the EU.
For example:
- Intra-Group cross-EU transfers of personal data
- CSPs and TSPs
- Marketing database and list generators
4. Controllers who receive inward transfers of personal data from controllers in EU member states.
For example:
- Motor insurers (e.g. access to Motor Insurance database)
- Credit reference agency checks
- Access to UK systems, such as DVLA, DBS, PNC
- Health reports