TrustArc Blog

GDPR Applicability – Three Examples You Should Know About

May 15, 2018



As the GDPR compliance deadline approaches, we have seen companies assess their readiness and prioritize the areas that need additional processes, technology, and controls. While helping companies to prepare, we have seen several companies’ interpretations around GDPR applicability. The following three common scenarios highlight a few misconceptions around GDPR applicability. This blog post will discuss those misconceptions, and suggest a few things to consider in your company’s GDPR applicability analysis.

Example 1

The Scenario

We’ve heard the belief that GDPR does not apply to personal data obtained from public sources that is not collected directly from the data subject, making the company obtaining it neither a processor nor a controller. Moreover, because the data was obtained from fully public sources, the company doesn’t have a contract with anyone. For example, a company provides a website where people can search for business names, the owners, contact information, and any people associated with that business. The company found all of the information it provides from public data sources.

Applicability of GDPR

While this idea seems appealing, GDPR Article 2 states that the regulation “applies to the processing of personal data” and Article 4(2) defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data…” There are no loopholes or exit ramps based upon the source of the data; if it is the personal data of an individual that the company is processing, GDPR applies. Moreover, because GDPR Article 4(7) defines a controller, in part, as the entity who “determines the purposes and means of the processing of personal data,” when the company in this example collects the names, job titles, and business contact information such as addresses, phone numbers and email addresses from individuals located in the EU — even if it is being extracted from a public source — the company is effectively taking on the role of a controller with regard to processing that data. Although we used business contact information in this example, it should be noted that GDPR does not differentiate between business and non-business contact information.

Example 2

The Scenario

We’ve also heard the idea that if data is masked from internal teams, it is just as good as erasing the data and meets requirements for Article 17 – Right to erasure (‘right to be forgotten’) because no one can see it or use it if it is masked.

Applicability of GDPR

However, this idea doesn’t quite work because the data erasure requirement is just that – a requirement to erase data under certain circumstances. Masking data still leaves the data in place – it is just that some people are not able to see it. Masked data can be unmasked, and even masked data still exists in an identifiable form, so the requirement for erasure has not been met.

Example 3

The Scenario

Likewise, we’ve heard the thought that moving the data center that stores the data out of the EU, getting a vendor to collect the data for the company, or baking in contract terms that the company does not need to comply with the Regulation will allow a company to escape GDPR applicability.

Applicability of GDPR

The GDPR still broadly applies (see Article 3), and moving data from the EU does not eliminate the necessity for complying; in fact, it may add requirements (like requirements for a legal basis for transborder data flow). Also, the GDPR is designed to prevent organizations from outsourcing responsibility. Even in cases where a controller customer outsources work like data collection, each party – the controller and the processor – has direct responsibilities regardless of what is in the contract between the two organizations.


TrustArc has a large team of privacy experts that are here to help your company through this analysis. To speak to a privacy expert, click here; or, to see how TrustArc solutions can assist with GDPR compliance, request a demo.