UK GDPR鈥攅xtra-territorial reach


Produced in partnership with Aaron Simpson of Hunton Andrews Kurth and Bridget Treacy of Hunton Andrews Kurth
Practice notes

UK GDPR鈥攅xtra-territorial reach


Produced in partnership with Aaron Simpson of Hunton Andrews Kurth and Bridget Treacy of Hunton Andrews Kurth

Practice notes
imgtext

This Practice Note discusses the territorial scope of the regime established by the United Kingdom General Data protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). It also considers the regime requiring the appointment of UK representatives in certain circumstances. For a higher-level introduction to those topics, see Practice Note: UK GDPR and EU GDPR鈥攅xtra-territorial reach.

For higher-level introductions to UK and EEA data protection laws generally, see Practice Notes: Data protection law鈥攏ew starter guide and Introduction to the EU GDPR and UK GDPR.

The Data protection toolkit collates further general guidance on those regimes and is a recommended starting point for research.

In brief

In summary, and subject to certain exceptions, the UK GDPR may apply:

  1. to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the UK, regardless of whether that processing takes place in the UK or not

  2. the processing of personal data of data subjects who are in the UK by a controller

Aaron Simpson
Aaron Simpson

Hunton Andrews Kurth

Aaron Simpson is a partner at Hunton Andrews Kurth and leader on the firm鈥檚 Global Privacy and Cybersecurity team. He advises clients on a broad range of complex data protection, privacy and cybersecurity matters, including international and US federal and state privacy and data security requirements. His work ranges from advising clients on large-scale cybersecurity incidents to the development of cross-border data transfer solutions, compliance with existing and emerging data protection requirements in Europe, and negotiating data-driven commercial agreements. Aaron is well known as a top privacy professional and has been recognized by Chambers and Partners, Computerworld and The Legal 500 for his work on behalf of clients. Aaron is the only lawyer listed in both The Legal 500 United Kingdom and The Legal 500 United States guides, providing clients with a broad and unique transatlantic perspective on privacy, data protection and cybersecurity matters. He is a sought-after media resource on privacy issues and has been quoted in such publications as Bloomberg BNA, Businessweek Magazine, Computer Weekly, Corporate Secretary, DataGuidance, Law360, SC Magazine, The Times and TIME Magazine. Aaron is a frequent speaker and has written and co-written numerous articles, book chapters and handbooks on data protection, privacy and information security issues.

Read moreRead more
Bridget Treacy
Bridget Treacy

Partner, Hunton Andrews Kurth

Bridget Treacy is a partner at Hunton Andrews Kurth. Her practice focuses on all aspects of privacy, data protection, information governance and e-commerce issues for multinational companies across a broad range of industry sectors. She advises clients on the EU General Data Protection Regulation that is transforming Europe鈥檚 privacy landscape. Other key experience includes big data and analytics, cloud computing, cross-border data transfers and BCRs, behavioural targeting and data breach. She has structured and implemented global privacy and data management compliance programs. Bridget is one of the few UK lawyers with deep, practical experience of advising on EU data protection, cybersecurity and data breach issues. She also has wide-ranging experience advising on outsourcing agreements, strategic alliances, shared services arrangements and technology licensing. She is the editor of the specialist privacy journal 鈥淧rivacy and Data Protection鈥, and has contributed to a number of published texts.

Read moreRead more
Powered by Lexis+
Jurisdiction(s):
United Kingdom
Related legal acts:
Key definition:
Data protection definition
What does Data protection mean?

In an employment context, this refers to the obligation on an employer to protect the data of its employees and ensure that it complies with the law on how it uses the employees' data.

Read more

Popular documents

What are the differences between joint controllers and controllers in common under the GDPR? What is the

What are the differences between joint controllers and controllers in common under the GDPR? What is the difference in liability if a party is a joint controller with another, compared to where the parties are controllers in common?(1) What are the differences between joint controllers and

Is someone鈥檚 voice personal identifiable information under GDPR? If someone is to do a voice over for

Is someone鈥檚 voice personal identifiable information under GDPR? If someone is to do a voice over for content of some training for a business, would a consent form be needed?Is someone鈥檚 voice personal identifiable information under GDPR?A voice recording is likely, in almost all circumstances, to

If planning permission imposes restrictions on a licensed premises opening hours, once operational can

If planning permission imposes restrictions on a licensed premises opening hours, once operational can the personal licence holder apply for a Temporary Events Notice (TEN) to open for longer hours than those permitted in the planning permission?To use any property for a licensable activity both

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a