What marketers need to know
The General Data Protection Regulation (GDPR) regulates the processing by an individual or organization of personal data relating to individuals in the EU.
If you're a Canadian organization, you are subject to the GDPR if you:
- Have an establishment or physical presence in the EU,
- Offer goods or services to EU residents (even at no charge), or
- Intentionally monitor or profile the behaviour of individuals in the EU.
There are also implications if you are a third-party processor of EU personal data.
Of particular importance to marketers is the expected ePrivacy Regulation (intended to replace the current ePrivacy Directive), a companion regulation to the GDPR covering the processing of personal information for electronic communication, including cookie usage.
As European legislators struggle to reach a consensus (the latest draft of the ePrivacy Regulation was voted down in late 2019), implementation of the new regulation may not occur until well into 2021.
- CMA Guide: EU GDPR and ePrivacy Regulation
- CMA Blog: GDPR Update: Cookies, new consent guidance, and what's on the horizon
- CMA Blog: How the GDPR impacts Marketers - challenging common misconceptions to understand Europe's new privacy law
- CMA Blog: GDPR's impact on Canadian business - preparing yourself for EU's new privacy law
In force since May 25, 2018, the GDPR was created for the purpose of strengthening and unifying privacy and data protection for all individuals in the EU.
Organizations should be mindful of general guidance issued by the European Data Protection Board (EDPB) to promote a common understanding of the GDPR, both across the EU and around the world, as well as available guidance from designated supervisory authority(ies) in each country.
Canada's adequacy status under the GDPR ensures that data processed in accordance with the GDPR can be transferred from the EU to Canada without the additional data protection safeguards that have been put in place for some other countries. This status is subject to review by the EU every four years, and a decision on Canada's renewed adequacy status is expected soon.
Violators of the GDPR may be fined up to €20 million, or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.
The GDPR is enforced by the designated supervisory authority or "Data Protection Authority" in each member state. Although the GDPR is an EU-wide law, passed by the European Parliament, it's up to each of the member states to develop its own guidance around GDPR and enforce the application of the law within its territory.
Generally, you will deal with the supervisory authority(ies) in the EU Member State(s) where you are established. If you do not have an establishment in the EU, consult the following guidelines to identify your relevant supervisory authority(ies).
Organizations should be mindful of general guidance issued by the European Data Protection Board (EDPB) to promote a common understanding of the GDPR, both across the EU and around the world. You should also consult available guidance from your designated supervisory authority(ies).
- Guidelines on consent (2020)
- Guidelines on the criteria of the Right to be Forgotten in the search engines cases - version for public consultation (2020)
- Guidelines on processing of personal data through video devices (2019)
- Guidelines on the processing of personal data in the context of the provision of online services to data subjects (2019)
- Guidelines on the territorial scope of the GDPR (2018)
- Guidelines on transparency (2018)
- Guidelines on automated individual decision-making and profiling (2018)
- Guidelines on personal data breach notifications (2018)
- Guidelines on the right to data portability (2018)
- Guidelines on Data Protection Officers ('DPO') (2018)
- Guidelines for identifying a controller or processor's lead supervisory authority
For a full list of guidelines from the EDPB, see here.