EU General Data Protection Regulations (GDPR) – How to comply

Similar to the Australian Privacy Principles (APP) as set out in the Australian Privacy Act 1988 (Cth) (Privacy Act), the General Data Protection Regulation (GDPR) ‘lays down rules relating to the protection of natural persons and the processing of their personal data.’  The GDPR came into force on 24 May 2016 and became binding on all European Union (EU) member states on 25 May 2018.

How does the GDPR apply to Australian entities?

Most important to Australian businesses is the territorial scope of the GDPR set out in Article 3.  The GDPR applies to entities with an establishment in the EU and to entities that are not established in the EU if they are involved in processing personal information about EU citizens or residents.

Article 3 (2) states:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.”

As such if an Australian entity is dealing with personal information about natural persons who are residents or citizens of an EU member state, which relates to the offering of goods or services or monitoring their behaviour, the GDPR will likely apply.

These are some examples where the GDPR may apply to Australian entities:

  • selling software to EU citizens or residents and keeping a record of their personal data attached to their license;
  • collecting personal data for marketing purposes;
  • providing a SaaS system to EU clients or having clients who use the system to capture personal data from EU subjects; or
  • hosting websites where your clients are collecting EU resident’s or citizen’s personal data.

Key Concepts – what is Personal Data?

Article 4 (1) states:

‘personal data’ means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

A Data Subject is therefore a natural person.  Personal Data, deriving from the term ‘any information’, is very broad and may be alphabetical, numerical or graphical.  Similar to the definition of sensitive information in the Privacy Act, the GDPR refers to special categories of personal data (Sensitive Personal Data) which includes:

‘racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation,’

The GDPR prohibits the processing of this Sensitive Personal Data except where conditions are met, such as obtaining explicit consent.  Other exceptions to the general prohibition are set out in Article 9 (2).

Who does the GDPR apply to?

Assuming an entity falls within the territorial scope of the GDPR an entity is subject to the regulation if it is a controller or processor of Personal Data. As defined in Article 4:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (Data Controller)

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Data Processor)

Relevant to these definitions is the definition of processing:

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

The difference between the two categories is essentially:

  • Data Controller decides what happens with Personal Data and are responsible for the processing; and
  • Data Processors perform the processing on behalf of Data Controllers.

Naturally an entity may be both a Data Controller and a Data Processor.  The extent to which the GDPR applies and the obligations enforced on Data Controllers is different to that of Data Processes.

Principles relating to processing of Personal Data

Article 5 of the GDPR sets out the six (6) key principles relating to the processing of Personal Data, they are, that Personal Data shall be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified purposes;
  • limited to that which is necessary;
  • accurate;
  • stored no longer than necessary; and
  • processed with integrity and confidentiality.

Obtaining Consent

Article 7(1) states that where consent is required or obtained, the Data Controller must be able to demonstrate they have obtained consent. This illustrates one of the differences between the obligations on Data Controllers and Data Processors. Only the former must be able to demonstrate consent.

Consent is defined in Article 4 (11) which states:

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 7 goes on to require consent to be obtained in an unambiguous manner. Consent may be withdrawn and the Data Subject must be informed about the right to withdraw consent.

Article 8 sets out requirements for consent for Children under the age of 16.  This includes obtaining parental consent or having a valid contract to which the child may be bound. However, differences may exist between member states.

Rights of Data Subjects

Pursuant to Article 5 (1), Data Subjects have the right to:

  • know if their Personal Data is being held;
  • know the purposes of the processing of Personal Data, and restrict processing (Article 18);
  • know what categories of Personal Data are held;
  • be advised who the Personal Data may be disclosed to;
  • know the storage period of their Personal Data;
  • correct inaccurate Personal Data (Article 16);
  • have their data erased (Article 17);
  • lodge a complaint (Article 77), and obtain a judicial remedy (Article 78);
  • obtain access to information about the source of their Personal Data where it did not come directly from them; and
  • knowledge about the logic of and the existence of any automated decision making facilities, including details of profiling.

Another interesting right expressed in Article 20 of the GDPR is the right of data portability.  This gives the Data Subject the right to have their data transferred to a third party, or themselves.  Data Portability in this context means Data Subjects may require a bank to send all their Personal Data to a competitor at their request.

In considering breaches of the GDPR by Data Controllers or Processors, Data Subjects have the right to compensation (Article 82) and the right to be represented by other organisations, such as not-for-profit privacy advocates (Article 80).

Obligations of Data Controllers

Data Controllers must implement technical and organisation measures to comply with the GDPR and be able to demonstrate their compliance.  The key obligations on Data Controllers are to:

  • maintain records of all processing activities (Article 30);
  • co-operate and consult with supervisory authorities (Article 31);
  • ensure Data Security as appropriate to the level of risk (Article 32);
  • perform a data protection impact assessment, in limited situations (Article 35);
  • appoint a data protection officer, if it is a public authority or deals with large scale monitoring of Data Subjects or processes Sensitive Personal Data (Article 37);
  • assist Data Subjects with their rights under the GDPR (Chapter III); and
  • comply with specific obligations when transferring data outside of the EU (Chapter V).

Obligations of Data Processors

Data Processors must also be able to demonstrate their compliance with the GDPR.

Their obligations, pursuant to Article 28, include:

  • have a comprehensive contract detailing their relationship with the Data Controller and their obligations with respect to Personal Data;
  • not pass on any Personal Data provided to it by Data Controllers other than in accordance with their instructions;
  • only process Personal Data in accordance with the Data Controllers instructions;
  • ensure data security;
  • appoint data protection officers;
  • co-operate with supervisory authorities; and
  • similar to Data Controllers Data Processors must also maintain records of data processing (Article 30).

Notification obligations

At the time of collecting information Data Controllers must notify the Data Subject:

  • of their right to withdraw consent;
  • of their right to object to data processing;
  • of the Data Controllers identity and contact details;
  • of the data protection officers details;
  • the purpose and basis for data processing;
  • of details of any data recipient other than the data controller; and
  • whether or not the data will be transmitted offshore.

Other notification obligations include:

  • when Data Controllers have complied with a request to rectify Personal Data;
  • when Data Controllers have complied with the right to erasure of Personal Data; and
  • when a Data Breach which is likely to put a Data Subject at risk of harm (Article 34).

In the event of a breach Data Controllers must also advise supervisory authorities within 72 hours (Article 33).  The obligations following a data breach are similar to Australia’s Mandatory Notifiable Data Breach Scheme which came into effect on 23 February 2018.

Demonstrating Compliance

Data Controllers must be able to demonstrate compliance with the GDPR.  This includes:

  • having a comprehensive privacy policy;
  • appointing a Data Protection Officer;
  • adopting internal policies that conform with their obligations under the GDPR; and
  • maintaining records of data processing activities (Article 30) although an exemption applies to entities that have less than 250 people and the processing would not risk the Data Subjects rights or freedoms.


Data Controllers and Processors are liable for damage caused to Data Subjects if they have not complied with the GDPR (Article 82).  They may be subject to administrative fines of up to €20,000,000 or 4% of the entities worldwide annual turnover of the preceding financial year (Article 83).  Where multiple Data Controllers or Processors are involved in a breach they become jointly and severally liable.

This is particularly relevant for Australian entities because it adds another avenue by which they may find themselves brought into a dispute.  If a business partner based in the EU is fined they may seek compensation from their Australian business partner.  This increases the likelihood of an Australian entity being brought into an EU based action.

Appointment of a Representative in the EU

Entities who fall within the territorial scope of the GDPR but are not established in the EU are required to appoint a representative in the EU (Article 27).  An exception applies to:

  • public authorities; and
  • where processing is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

Cross-border data transfers

Pursuant to Article 45, the general rule is the transfer of Personal Data may only occur to countries deemed to have an adequate level of data protection.  At the time of writing, Australia has not been assessed to have this.  For updates see here.

However, data can be transferred to another country in the absence of an adequacy decision, if:

the Data Controller or Processor takes appropriate safeguards, such as binding relevant contractual clauses between parties or binding corporate rules within an organisation; and

there are effective legal remedies in that country.

A number of other exceptions including, public interest and the defence of legal claims are included in Article 49.

Further references


EU General Data Protection Regulations

Privacy Act 1988 (Cth)

Related articles by Dundas Lawyers

Selling into the EU – what do the cookie laws mean for your website?

If you need advice on compliance with the EU data protection regulations, please telephone me for an obligation free and confidential discussion.
Brisbane Lawyers
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 (preferred) | Mobile: 0419 726 535


This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

Send this to a friend