GDPR: This is how the European Union can fine your Digital Platform

What is the GDPR?

The General Data Protection Regulation (GDPR) was adopted in 2018. It is the most advanced and strictest regulation globally. It is applicable to digital platforms such as websites.

Since its entry into force, it has led to fines for multiple companies, including Google, Facebook and TikTok. You can learn more about the topic here. Your startup may also be subject to fines, which, as contemplated by the Regulation, are US$20 million or 4% of its global annual revenue, whichever is higher.

Is it mandatory for countries outside the EU and how can I be fined?

Within International Law, there are principles that allow States (countries) to exercise jurisdiction outside their territories when their national interests are involved.

The EU is made up of a number of states and has international personality. In addition, it has a legal framework in which it establishes its principles, among which are security and respect for the rights of citizens of countries belonging to the Union. 

With the use of telecommunications, a company can provide services to European citizens without being established in the EU territory. More specifically, your website or platform can have users who are nationals of an EU country and at the same time be established in Mexico. 

This situation, in order to provide security in the use of its citizens' data, provides the Union with the legal powers to pursue and enforce its regulations, even if it has to impose fines to do so.

Extraterritoriality in the GDPR

In this context, Article 3 of the Regulation refers to the processing of data by controllers not established in the Union but in a place where the law of a Member State applies by virtue of public international law.

This Regulation applies to the processing of personal data of subjects who are in the EU by a controller or processor not established in the Union, if the processing activities relate to:

  • The offering of goods or services, regardless of whether any payment is required from the data subject.
  • Monitoring the conduct of users, as long as their conduct is within the Union.

Therefore, the EU as a Member State can prosecute a violation of its data use regulations. It should be recalled that Members are in a constant process of legal homologation with the Union's regulations. At the same time, in the event that the law of the Union and the law of a Member contradict each other, principles such as the principle of conferred powers or the principle of primacy, which give superiority to the EU legal framework, apply.

How to comply with the GDPR?

In general terms, the most important steps are transparency with the user and data processing security mechanisms within your startup's organization. To comply with transparency towards the user, we recommend having a Privacy Notice, Cookie Policy and Legal Notice optimized within the framework of the Regulation.

To learn more about the requirements that your startup must meet, we invite you to contact us.

Here you can download the basic documents to start complying with the GDPR!

Sources:

EUR-Lex: GDPR

Martin Dixon: Book on International Law

Oscar Perez
