Adatvédelem mindenkinek / Data protection for everyone

Exporting the GDPR

2018. szeptember 17. 08:00 - poklaszlo

One of the important novelties of GDPR was that it applies not only to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, but also to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behavior as far as their behavior takes place within the Union.

Article 27 of the GDPR stipulates that controllers and processors subject to the extraterritorial effect shall designate in writing a representative in the Union.

Based on these provisions, GDPR has a clear impact on non-EU organizations as well. One side effect of this extraterritorial effect was that some data controllers outside the EU, fearing the risks of non-compliance with GDPR, ceased their activity in the EU.

However, the impact of GDPR can be experienced not only directly but also indirectly since the GDPR serves as an example of data protection rules for legislators in many countries around the world. This may be justified by the fact that cross-border flow of personal data requires a harmonized set of rules that could have a beneficial impact on the transfer of personal data to third countries using provisions similar to the rules of the GDPR. (A trend towards comprehensive national privacy / data protection rules can be experiences in the last years.) 


In Brazil, the new General Data Protection Law was recently adopted, which will become applicable in 2020. The Brazilian General Data Protection Law reminds us of GDPR in many points: it has extraterritorial scope, the concept of personal data can be widely interpreted, it uses the concept of special categories of data, processing may be based on the legitimate interest of the controller, data subjects have similar rights as under the GDPR, including the right to data portability. The Brazilian law provides for the rules of data breach reporting, data protection impact assessments and the appointment of data protection officers. The amount of fines that can be imposed is also very high (2 % of the company's, group's or conglomerate's annual turnover in Brazil, limited in the amount of 50 million realis).


One of the most recent examples of this phenomenon of exporting GDPR can be found in India, where recently a proposal for a new data protection law was published.

There are several elements in the proposal that show the impact of the GDPR. For example, there is an intention for extraterritorial application, the rights of data subjects include data portability, and the right to be forgotten, the concept of privacy by design and a system for data breach notification have also been introduced. The maximum amount of the penalty is 4% of global turnover. 

In addition to the similarities, there are, of course, differences as well. The age limit for child protection is higher than in the GDPR (18 years). A mandatory registration requirement has been imposed on data controllers who conduct high risk processing and these data controllers should implement additional data protection measures. A copy of the processed personal data shall be stored in India, or, in case of certain categories of data, data processing can only take place in India.


Japan could also be an example where data protection reform took place in May 2017. The new Japanese data protection act contains provisions similar to the rules of the GDPR in many cases. (A comparison is available here.)

The example of Japan is also interesting since there has been a lively dialogue between the EU Commission and Japan over the past period of time, which has resulted in an agreement between the parties in mid-2018 on the mutual recognition of each other as areas that provide mutually adequate level of protection.

South Africa

GDPR has not yet been adopted at the time of the adoption of the South African data protection act, although it was already available as a draft. We can find familiar elements in the South African data protection act as well, but due to the fact that the text of the GDPR has also changed during the legislation process, there may be a number of differences. (Comparison between GDPR and South African data protection laws is available here.) An interesting difference is, for example, that the rules on the protection of personal data cover not only natural persons but also legal persons (as it was the case in Austria in the past).