European Jurisdictions outside GDPR

European Jurisdictions with Lesser Known Internet Privacy Laws Outside of GDPR

Privacy has long been recognized as a fundamental human right in many societies. And in this new age of global interconnectivity enabled by the Internet, a growing number of countries are regulating the massive data collection and privacy of its residents.

The rules governing data privacy vary from one country to another. Some particular privacy laws are noted for their stringency or wide breadth of application to most businesses. While most are aware of the comprehensive privacy laws passed in the European Union (EU) and California state in the United States, many are unaware of other jurisdictions with privacy laws. For instance, the General Data Protection Regulation (GDPR) is not applicable law in all European countries. Some countries have implemented their own version of GDPR or have otherwise passed a data privacy law heavily based on GDPR principles.

The following are some European countries where the EU GDPR does not apply, but nevertheless has some data privacy law in place:

United Kingdom

The United Kingdom is no longer a member of the European Union. It left the EU on December 31, 2020. The GDPR no longer applies domestically to the UK, as it had since May 2018, while the UK was still a member state.

While the GDPR has been repealed for the UK after Brexit, this does not mean that the UK no longer has a data privacy law. The UK has its version of the EU’s GDPR that took effect on January 31, 2020. It governs all personal data processing by individuals within the United Kingdom, along with the Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations (PECR).

The EU has now classified the UK as a “third nation” outside the scope of GDPR, for which transfers of data to the UK must be examined for legitimacy. However, the EU issued an adequacy decision for the UK on June 28, 2021. This decision maintains that personal data can continue to flow freely from the EU to the UK. It is a limited four-year process and will need to be renewed after expiration in June 2025.


Iceland has had data privacy legislation in place for quite some time. Although it is not a member of the European Union, Iceland’s legislation has been updated to largely meet the GDPR’s standards, such that its citizens are likely to get the same degree of protection as their European counterparts.

To implement the GDPR, Act 80/2018 on Privacy and Processing of Personal Data (the “Act”) was passed by the Icelandic Parliament in July 2018. The Data Protection Authority oversees compliance by companies with the Act and looks for ways to improve data policies.


Norway is another country that values privacy. Like the UK and Iceland, Norway is not a member country of the EU, but a member state of the European Economic Area (EEA) where GDPR also has jurisdiction.

The GDPR was made part of Norwegian law in July 2018 by the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018.

The Norwegian Data Protection Authority (“Datatilsynet”) is an independent public authority that protects individual privacy. Datatilsynet enforces data protection regulations such as the Personal Data Act and holds organizations and others to comply with them. It can impose financial sanctions and penalties for non-compliant entities.


Switzerland has a well-deserved reputation for protecting the privacy of its residents’ information.

Switzerland protects its citizens’ privacy through its constitution and regulations. The Federal Act on Data Protection 1992 (FADP) was passed to protect people’s privacy. It prohibits the processing of personal data without consent from the person to whom it relates. These regulations are similar to GDPR and have been deemed adequate by the EU.

According to FADP, personal data is protected and cannot be processed unless the subject or the law allows it to be done so.

Final Thoughts

It is becoming more common for governments and business organizations to move services to the Internet to enhance efficiency and accessibility. However, these improvements will likely have a significant impact on data privacy.

More and more countries are passing some version of a comprehensive or omnibus data privacy law, while others have no such data privacy regulations. Although it is impossible to provide 100 percent security online, business owners can take initial steps to improve the secure collection and processing of information, such as first determining which laws may apply to them.

Checklist for GPDR Compliance

US Businesses’ Checklist for GPDR Compliance

General Data Protection Regulation (GDPR) is legislation that consists of one of the world’s strictest rules for personal data protection. If you’re a US-based business that does business with individuals in the European Union, you need to comply with this regulation. A checklist will be helpful to keep you on track!


GDPR is a European Union data privacy law that mandates organizations to keep data safe. The regulation was implemented in May 2018. Moreover, the data privacy law allows people to have more control over how their data is used. Failure to comply with the law is subject to large fines. 

US Companies & GDPR Compliance

It’s easy to think that the GDPR law only applies in Europe. However, it applies to companies outside the EU as well due to its extra-territorial scope. 

Any company that collects personal data of people in the EU is required to comply with the GDPR. 

However, GDPR also recognizes that some non-EU companies work with EU citizens only an incidental basis. Therefore, based on Recital 23, foreign companies are only required to comply with GDPR if they target EU residents with their marketing. 

Collection of Personal Data

There are two categories in personal data under GDPR: 

  • Data controllers: A data controller is a public authority, individual, agency, or another body that determines the purpose and means of personal data processing. The controller is the one who decides how personal data will be processed. 
  • Data processor: A data processor is anyone or any organization or agency that processes personal data on behalf of the controller. In this case, they don’t make decisions about how personal data is handled. 

GDPR Compliance Checklist for US Companies

If you are a US-based company that deals with EU clients, having a GDPR checklist will help you stay on track with your GDPR compliance. That way, you can prevent large fines that can be detrimental to your finances. 

This checklist will help ensure GDPR compliance:

Information Audit for EU Personal Data

Determine what personal data you need to process and whether it belongs to people in the EU. If you find you process EU data information, determine which activities the information is related to, such as offering goods or services to data subjects regardless of whether connected to a payment. 

Let Your Clients Know

Keep in mind that using consent will involve other duties. You need to let your clients know you’re processing their data, and the easiest way to do this is through consent. Furthermore, you also need to provide clear and transparent information about activities to your data subjects, which involves updating your privacy policy. 

Evaluate Your Data Processing Activities

When you evaluate your data processing activities, you’ll be able to understand the security and privacy risks of the data you process. Through this, you can implement ways to mitigate the risks

Improve Your Protection

When you have determined your data processing activities, it’s time to start implementing data security practices, like end-to-end encryption, that will help limit your exposure to data breaches. 

Have a Data Processing Agreement with Your Vendors

You are accountable for your third-party clients should they violate their GDPR obligations. Therefore, a data processing agreement between you and your vendors is crucial. The agreement must detail the rights and responsibilities of each party. 

Have a Representative in the European Union

Non-EU organizations must appoint a representative based in one of the EU member states. On the other hand, you won’t need a representative if you only process occasionally, doesn’t include processing, on a large scale, and is unlikely to risk the rights and freedoms of natural persons. 

If you need a representative, the representative will act on your behalf and may be addressed by any supervisory authority. Keep in mind that a representative doesn’t affect your responsibility or your liability. 

Some of the tasks of the representative include cooperating with the supervisory authorities regarding actions taken to ensure compliance with GDPR. 

Have a Plan If There’s a Data Breach

Having a proper plan in place if there’s a data breach is crucial. Hackers are all over the internet and a minor vulnerability can breach your data that will affect your GDPR compliance. Don’t let this happen to you; therefore, you need to have this included in your checklist to ensure you’re prepared should anything go wrong. 

Complying with GDPR may seem like another tedious task you need to do. Instead of looking at it that way, consider this an opportunity for you to strengthen your relationship with your customers. Moreover, being GDPR-compliant can prepare you for regulations in other countries like, Japan, Brazil, and South Korea. 

Other Tips To Be GDPR-Compliant

Your GPDR compliance must be taken seriously. It’s essential you know all the data you collect and how it flows through your internal systems. You should remember that IP addresses are classified as personal data as well. So, if you’re unsure if the IP addresses you collect are personal data, refer to the supervisory authority in the EU state to be sure. 

Another thing to help you be GDPR compliant is to have a Data Register, which is a comprehensive record of how your company is practicing GDPR compliance. The day register should map the flow of data through the company, and the more details are in it, the better. So, in the event of an audit, your data register can be used as proof of compliance. Furthermore, if you suffer a data breach, the data register can be used as proof of progress towards improved data security. 

Speaking of data breaches, you should report it immediately, as this is also a mandatory GDPR requirement. Data processors should report data breaches to controllers, and the controllers will be the ones to report to a supervisory authority.

It’s crucial you evaluate your data collection requirements as well. Make sure you are gathering the data you need because when you acquire sensitive data without good reason, this can be an alarm bell for the supervisory authority. 

Be GPDR Compliant Today

If you haven’t worked on your GPDR compliance as a US business owner yet, you do business with individuals in the EU; it’s time that you do it before you face big penalties. Use this checklist to help you out. 

GDPR Enforced In The US

How Will GDPR Be Enforced In The US

The General Data Protection Regulation (GDPR) is a law that protects the privacy of most Europeans. The GDPR protects in part by imposing limitations on the free movement of personal data between the European Union (EU) and other countries. It took effect in May 2018.

This ground-breaking data protection and privacy regulation goes well beyond the boundaries of the European Union’s physical borders. Furthermore, it requires companies based outside of the EU to safeguard the personal data of their people.

Extra-Territorial Scope of GDPR

The GDPR’s scope goes beyond the boundaries of the EU. That means that websites outside the EU that handle personal data about EU citizens are also obliged to comply with the GDPR’s requirements.

The text of the General Data Protection Regulation (GDPR) provides an essential compliance checklist that companies should follow if they are subject to GDPR. This “checklist” contains particular requirements that are unique to countries outside of the EU, such as American companies and organizations.

You may be wondering how the laws of the European Union might be enforced  in an area over which the EU supervisory authorities have no jurisdiction. The reality is complicated, but in short, there are avenues in which United States (US) courts might enforce agreements referencing GDPR and apply guidance of the EU Commission or EU supervisory authorities.

Enforcement of GDPR in the US

The General Data Protection Regulation (GDPR) is being implemented in the EU and EEA by the many supervisory authorities situated across the region. The GDPR does, however, apply to companies situated outside of Europe.

Businesses subject to GDPR that do not have a physical presence or establishment in any EU member-states may need to have a physical representative located inside the region to comply with the GDPR. For those who have violated the General Data Protection Regulation, EU supervisory authorities may address this representative for complaints or for levying fines.

EU enforcement agencies may take disciplinary actions against those who violate the rules. These organizations are likely to get support from government officials in the country where the company is based. Noncompliance may be pursued by EU enforcement agencies, especially against multinational or large corporations, by stop processing orders or regulatory investigations Furthermore, EU data protection authorities may fine companies that continue to do business with US organizations that violate GDPR, effectively preventing US companies from getting customers in the EU.

Finally, EU and US companies may pursue US companies for breach of contract, if GDPR compliance is written into the underlying agreement. These contractual claims may be adjudicated in US courts, depending on the contract, even if they relate to EU compliance.  

GDPR and US-EU Data Sharing

The General Data Protection Regulation (GDPR) defines, in Article 45, the circumstances under which personal data may be transferred outside of the EU. It states that data transfers beyond the EU are permitted if the receiving country has an adequacy agreement with the EU. It is also applicable if the data processor or controller demonstrates an adequate level of data privacy safeguards inside the EU. The EU previously acknowledged the EU-US Privacy Shield as an acceptable mechanism for transfer; however, with the recent “Schrems II” decision from the Court of Justice of the European Union, the Privacy Shield framework has been invalidated for data transfers.

Since the US as a whole does not feature on the European Union’s list of countries with a sufficient level of data protection law, businesses should consult with their privacy counsel as to the best alternative mechanisms for international data transfers

GDPR Compliance Requirements for US Companies

Any US company obliged to comply with the GDPR may be subject to strict requirements as companies located in the EU.

Suppose your website collects or processes personally identifiable information (PII) of EU citizens. In that case, you should do so based on a lawful basis. The following is a checklist that companies in the United States may use as a starting point toward compliance with the General Data Protection Regulation, subject to the advice of their local privacy counsel:

  • Identify and appoint a data protection officer to oversee the processing of EU personal data;
  • Inform your customers about the reasons for which you are processing their data;
  • Make sure you have a data processing agreement in place with your suppliers;
  • Evaluate your data processing operations and improve the level of protection;
  • Determine what to do in the case of a data breach in your organization;
  • Comply with all applicable rules governing cross-border data transfers; and
  • Designate a representative in the European Union;

With the GDPR compliance checklist and retention of local privacy counsel, you may be able to mitigate the risk of enforcement actions brought by EU regulatory authorities. Moreover, a consent management platform (often referred to as a CMP) may help you make your website GDPR compliant.

GDPR Fines for US Companies

The General Data Protection Regulation (GDPR) has significant enforcement penalties to incentivize compliance. There is the possibility of substantial fines for noncompliance with the law, which may reach 4 percent of global sales or €20 million, depending on the severity and circumstances of the violation.

As reported by the US International Trade Commission, since May 2018, data protection authorities in EU member states have collectively penalized US companies for more than $417 million under the General Data Protection Regulation (GDPR).


The General Data Protection Regulation (GDPR) is applicable based on the location of the data subject when their data is processed, not on their citizenship or country. Any company in the United States that provides services or monitors customers in the European Union (EU) should determine their obligations under GDPR, if any apply, and how to comply with the GDPR.

All companies based in the United States should work toward complying with the guidelines of GDPR, if they are subject to it. It is not just to protect the data being transferred and to avoid being fined. But, it is also to protect companies’ integrity and the US in dealing with data protection.

Learn more about the General Data Protection Regulation (GDPR) implications for your business’s marketing strategies. Metaverse Law specializes in data privacy, data protection, and cybersecurity laws. It continues to provide practical solutions for today’s online businesses, including GDPR compliance. To learn more about our services, please contact us now!

GDPR for small businesses

GDPR For Small Business

In May 2018, the General Data Protection Regulation (GDPR) went into effect, strengthening the rights of EU residents regarding data privacy and protection. Essentially, these rights comprise two things:

  • Besides transparency, organizations must provide individuals with the ability to review, amend, or challenge the processing of their personal information.
  • To protect individual data, organizations should implement security measures and manage the liability for any breach or misuse of this information.

This article will discuss how GDPR may applyies to small businesses and some of the essential tasks these businesses need to determine whether the data privacy of their clients is being protected and whether they are GDPR compliant.

GDPR and Small Businesses

Small Businesses with 250-500 Employees

A small company is generally considered as one with fewer than 500 employees in the United States. It is a requirement under GDPR for companies to keep a record of all data processing operations, if they meet certain thresholds. If subject to GDPR, the GDPR’s record-keeping requirements apply to every business with 250-500 employees.

Whether a Data Protection Officer (DPO) is needed is not determined by the business’ size but by the scale and sensitivity of its core processing operations. DPOs are knowledgeable about data protection legislation and processes. A person in this position is also responsible for notifying the authorities of any data breaches.

Small Businesses with Fewer Than 250 Employees

Generally speaking, Article 30 of the GDPR exempts small businesses with less than 250 workers from the need to maintain records of their processing operations, whether as a controller or processor. The size exemption does not apply, however, if the businesses are processing data in any of the following activities:

  • The data processing operations may jeopardize an individual’s rights and freedoms.
  • The information to be processed may involve an individual’s racial origin; political, religious, or philosophical opinions; union membership; genetic or biometric data; or the individual’s health or sexuality.
  • The personal data involved are related to criminal offender, conviction, or arrest-related.
  • The personal data is processed regularly.

As long as these minor requirements are met, small businesses should consider themselves equivalent to larger firms under GDPR for Article 30 compliance requirements.

Small businesses are generally understood to have fewer resources than large corporations. Thus, the Information Commissioner Office (ICO) will consider any smaller company’s challenges in complying with the new legislation. 

GDPR Compliance of Small Businesses

In most instances, your personal data, client information, and company connections will all have this kind of information in some manner. Therefore, let us examine the GDPR’s fundamental principles and how you will be required to comply with them.


privacy policy compliance

Prepare to add more check-the-boxes to your systems since enhanced consent demands getting permission for each use of a customer’s data. Suppose your business requests an email address and permission to deliver purchase information. In that case, it might need permission once more before utilizing that email for marketing reasons. Businesses should phrase all permission requests in a manner that is understandable to the company’s targeted customers.

Access and Control

Data owners should be given control over their information, including the right to delete, receive and reuse their data. It also includes the ability to move, copy, or transfer their data securely. As a business owner, you may need to provide a system for customers to control the use of their personal data, from data entry to data deletion.

Data Breach Reporting

Businesses may have to notify data owners if a security breach occurs. While this may conjure up visions of large-scale attacks, it also encompasses minor errors such as granting access to your data to a contractor or an employee losing a laptop. No matter how minor the breach is, the business might have to inform the data owner about it if it poses risks to the data owner.


After the data is provided, you’ll need security measures in place to preserve it. Merely said, you should see that data is appropriately protected. Thus, it would be best if you consider encrypting any database that holds your clients’ data rather than simply password protecting it.


You may need to provide proper surveillance to third-party applications and organizations that are involved in the data processing. When using online newsletter services, the use of mailing lists should be in GDPR compliance. 

Additional GDPR Compliance

The following factors may help illustrate the most critical actions that US small businesses will need to do to be GDPR compliant:

Audit the Data

Proper auditing of data for GDPR compliance is not a simple undertaking. Thus, businesses must make wise decisions. They may be required to do Data Protection Impact Assessments (DPIAs) before initiating any data processing. It proactively protects data and assesses potential risks to data subjects associated with any new data processing. Most European data protection authorities provide guidelines on their websites on DPIAs and when they should be conducted.

Audit the Service Providers

Auditing your service provider’s compliance is a chore that many US businesses struggle with and may be the source of your business’s most significant risk. Businesses need to evaluate and execute data processing agreements with third-party service providers that handle personal data on your behalf. GDPR requires the data controller to enter contracts, and the data processor may only act on the controller’s orders. A service provider that does not comply with GDPR may be subject to non-compliance and put the controller at risk.

What Happens To Non-Compliant Small Businesses?

Investing the effort to design a GDPR-compliant privacy policy may significantly assist small businesses in showing compliance. Those who have not done so may be deemed non-compliant. They may face reprimands, temporary or permanent data processing limits, data restriction or deletion orders, and suspension of data transfer to third countries from supervisory authorities.

Article 83 of the GDPR alerts enterprises to infractions and imposes discretionary fines. It incentivizes enterprises to handle personal data legally and responsibly. 

GDPR Compliance is Important for Small Businesses

GDPR compliance is crucial for both small and large businesses. Many businesses have hired a Data Protection Officer (DPO) to monitor GDPR compliance. 

Inadequate comprehension is a poor excuse for GDPR non-compliance. Whether it is a sole proprietor or a global corporation, businesses should review how they handle personal data and verify that suitable processes and policies are in place. Systems for granting data access requests and systems for detecting and reporting data breaches may need to be in place. Businesses should also implement appropriate technical and organizational protections to oversee the safety and security of data.

To comply with the GDPR requirements, your business must work with experts in data privacy and protection. Contact Metaverse Law today and learn more.

Business Affected By GPDR?

GDPR and Its Impact on Business – Find Out Here!

Over the years, the internet has changed the way we communicate and how we handle day-to-day tasks. There are so many things that we can do via the internet, from sharing documents to paying our bills. All of these are convenient, but these tasks require us to enter personal details.

With so much information that we share online, how can you guarantee that your information will be kept safe? Have you ever wondered what happened to the information you share online, like your bank details, addresses, contacts, etc.

Companies say that they collect this information to serve you better to provide you with more targeted and relevant communication. In turn, you get better customer experience in the end.

The question is, what do they do with that data?

That’s where the GDPR comes in.

The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and many companies have taken steps to comply with it; otherwise, they could face fines and other consequences. But what is GDPR and what are the companies that are strongly affected by this change? 

GDPR Compliance: What is it? 

GDPR is the set of rules designed for EU individuals that allow them to have more control over their data. The main goal of this regulation is to make the digital environment simple so that businesses and their customers in the EU can benefit from a digital economy, yet still protect individual privacy. 

The GDPR applies to all companies that sell to the EU, store personal information about EU residents, including EU B2B personal information collected from companies on other continents. 

Which Companies are Affected by GPDR?

As mentioned, companies that sell to the EU, store personal information about EU residents, and have customers in the EU are affected by this.

In addition, GDPR applies to all companies established in the EU, regardless of where their data processing takes place. In fact, even non-EU established companies will be subject to GDPR, as long as the business offers goods and/or services to EU citizens. Therefore, this puts consumers from the EU in the driver’s seat, and businesses must comply with the regulation.

Here are some of the industries that are most hit by GDPR: 

Social Media

Ever since GDPR took effect, social media users have noticed changes in the privacy policies of social platforms they frequent, and they were notified of these changes via email. The reason behind these changes is the GDPR and other privacy laws. 

Companies in the social media marketing industry are one of the most affected by this new regulation. Therefore, social media marketers must disclose and ensure that users know how their data are being used

In addition to that, they need to request full consent from users to use their data outside of what is strictly necessary to provide the social media information society services. 

There are also other strict rules that GDPR expects social media companies to do, such as: 

  • Users have the right to be forgotten, which means that users now have the right to delete all their data. 
  • Companies that collect information directly from users must inform users within 72 hours after a data or security breach is detected. 
  • Plain language must be used in all privacy policies and explanations regarding users’ data. 

Despite this drastic change in the social media industry, users can highly benefit from this shift in data privacy rights. 

Online Retail

GDPR has become a challenge for online retail companies as it urges them to make changes that make many brands rethink their strategies. Due to GDPR restrictions, like limitations with the use of third-party information, or limitations on sharing of user information to third parties, it has become a challenge for online retailers to thrive. 

However, these changes have its advantages as well because it puts online retailers on better standing with consumers. This will help them build a more trustworthy relationship with consumers today, which is crucial in today’s digital environment. 

Digital Banking

Undeniably, the effects of GDPR to financial services are significant. GDPR has made the privacy of users their primary concern. The main principle of GPDR is “incorporating privacy and data protection” considerations into all sectors that use personal information, which is critical for the digital banking industry

Your Business Affected By GPDR

Although GPDR encourages best practice and data compliance, it comes with a side effect. Digital bank owners see the new regulation as costly and can affect their projects further. Therefore, many have their reservations that lead to them to be hesitant to invest because they fear they would get it all wrong. 

However, there are many benefits when digital banks comply with data privacy law. For one, it will provide them with more opportunities for innovation and investment because it’s more than regulatory compliances. In fact, it’s a profitable strategy in which bank owners can make bolder decisions and enter new territories due to the integration of data protection into core development strategies. 

Secondly, GPDR compliance allows digital bank owners to more ethically handle data—a huge advantage in the industry. 

Finally, GPDR provides digital defense by considering internal and vendor security, and reinforcing good data handling processes that banks can follow should there be a security breach. 

Cloud Computing

Cloud computing companies are also affected by GPDR, due to the sensitivity of customers’ information in the cloud. Since cloud service providers host various types of data, they often deal with sensitive and classified information, which could fall under the wrong hands.

Another challenge is the externalization of privacy because businesses that get a cloud service expect privacy agreements and commitments that they shared with their customers and staff will still work. However, if the cloud service provider operates in various locations, the rights of data owners may be subject to different regulations and requirements. Therefore, it’s advisable to have a customized agreement with a cloud computing company when it comes to privacy commitments. 

In a Nutshell

It’s been years since GPDR came into effect. Today, it still remains as a rigorous compliance process. However, GPDR has brought many opportunities that can improve strategies and deliver more innovation in the market. 

Even if you’re not in any of the industries listed above, as long as you operate a business that sells products online to EU individuals, you need to consider GPDR -compliance; otherwise, you could risk facing hefty fines or lose customers.

So, if you’re unsure whether your company is GPDR compliant, contact someone with GDPR experience to assess your GDPR compliance.

1 2 3