Legal And Regulatory Implications Of The GDPR On Business Organizations: Basic Compliance Strategies For Non-EU Entities

The European Union (“EU”)’s General Data Protection Regulations (“GDPR” or the “Regulations”), adopted by the European Parliament and the Council of the EU in April 2016, finally came into force on the earlier agreed date of May 25, 2018. The GDPR is a landmark in the global history of regulatory regimes. The Regulations apply extraterritorially to all business entities that target EU citizens and residents, anywhere in the world. It also prescribes heavy penalty for non-compliance. Whilst enforcement of the GDPR on affected entities has commenced with full and instant compliance within the EU territory, efforts at compliance among many organizations outside the EU remain an ongoing process.  

This article highlights the core provisions of the GDPR, analyses the legal and regulatory implications of the Regulations on affected entities, and provides hints on compliance strategies for non-EU organizations, particularly Nigerian business entities.


At its core, the GDPR is a set of rules made to give EU citizens and residents more control over their personal data. Prior to the adoption of the GDPR, the applicable data protection regulation in all EU Member States was the EU Directive 95/46/EC. Whilst the EU Directive has similar objectives and provisions to the GDPR, it was implemented in fragments across EU Member States. The GDPR is therefore developed to apply uniformly across the EU territory in protecting sensitive personal data of EU data subjects.

Essentially, the Regulations  

  1. repealed and replaced the EU Directive 95/46/EC as the new rules applicable uniformly to the collection and processing of the data of all natural persons across the European Single Market (“Eurozone”); and

  2. apply extra-territorially to all persons and entities offering goods and services to EU citizens and residents, and in the process collect, process, and store data of the citizens/residents.

As provided in Article 3 of the GDPR and paragraph 23 of the recitals, the Regulations are binding on:

  1. All EU organizations, with presence/offices either within the EU or outside of the Eurozone, that collect, process and store data of natural persons within the EU;

  2. All non-EU organizations, situate anywhere in the world, that collect, process, store and control the data of natural persons who are citizens or residents in the EU, for the purposes of offering goods and/or services. It does not matter whether such goods or services are paid for by, or offered free of charge to, the data subjects. 

Also, in accordance with Article 3(2) & (3) of the GDPR, the territorial scope of the Regulations is activated where personal data;

  1. are processed in anticipation of the offering of goods or services to data subjects in the EU, irrespective of whether a payment by the data subject is required;

  2. are processed for the monitoring of the behavior of data subjects, as far as their behavior takes place within the EU;

  3. are processed by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law. 

For the purpose of the GDPR, mere accessibility to a data processor/controller’s website or that of its intermediary by EU data subjects, does not amount to sufficient intention to offer goods and/or services. Same goes for accessibility of data processor/controller’s email address or other contact details. In the same vein, the use of a language generally used in the foreign country where a data processor/controller is established, is insufficient to ascertain an intention to offer goods and/or services.

However, pursuant to Article 3 of the GDPR and paragraph 24 of the recitals, where a data processor/controller uses a language or a currency generally used in one or more EU Member States, with the possibility of ordering goods and services in that other language, it becomes apparent that the data processor/controller envisages offering of goods or services to data subjects in the EU. In this case, the provisions of the GDPR will apply. Same goes for situations where a data processor/controller mentions customers or users who are in the EU.  

Similarly, the Regulations will be applicable where a data processor/controller who, not being established in the EU, processes personal data of EU data subjects for the purpose of monitoring how such data subjects behave within EU territory. A processing activity is considered as monitoring the behavior of data subjects, if it is ascertained that it is done to track natural persons on the internet, including potential subsequent use of data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning the data subject for analyzing or predicting his or her personal preferences, behaviors and attitudes.

From the foregoing, the provisions of the GDPR are binding on all non-EU (including Nigerian) entities offering goods and services to persons within the EU territory, irrespective of whether or not they have offices within the EU. Such entities are bound by the Regulations in so far as they collect, process, store and control “personal data” or “sensitive personal data” of EU citizens and residents. Compliance is therefore required from Nigerian entities, such as banks, law firms, accounting firms, and consulting organizations among others, offering services to foreign clients who are European citizens or residents.

1 / 2 / 3 / 4