UK GDPR—extra-territorial reach

Produced in partnership with Aaron Simpson of Hunton Andrews Kurth and Bridget Treacy of Hunton Andrews Kurth
Practice notes

UK GDPR—extra-territorial reach

Produced in partnership with Aaron Simpson of Hunton Andrews Kurth and Bridget Treacy of Hunton Andrews Kurth

Practice notes
imgtext

This Practice Note discusses the territorial scope of the regime established by the United Kingdom General Data protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). It also considers the regime requiring the appointment of UK representatives in certain circumstances. For a higher-level introduction to those topics, see Practice Note: UK GDPR and EU GDPR—extra-territorial reach.

For higher-level introductions to UK and EEA data protection laws generally, see Practice Notes: Data protection law—new starter guide and Introduction to the EU GDPR and UK GDPR.

The Data protection toolkit collates further general guidance on those regimes and is a recommended starting point for research.

In brief

In summary, and subject to certain exceptions, the UK GDPR may apply:

  1. to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the UK, regardless of whether that processing takes place in the UK or not

  2. the processing of personal data of data subjects who are in the UK by a controller

Aaron Simpson
Aaron Simpson

Aaron Simpson is a partner at Hunton Andrews Kurth and leader on the firm’s Global Privacy and Cybersecurity team. He advises clients on a broad range of complex data protection, privacy and cybersecurity matters, including international and US federal and state privacy and data security requirements. His work ranges from advising clients on large-scale cybersecurity incidents to the development of cross-border data transfer solutions, compliance with existing and emerging data protection requirements in Europe, and negotiating data-driven commercial agreements. Aaron is well known as a top privacy professional and has been recognized by Chambers and Partners, Computerworld and The Legal 500 for his work on behalf of clients. Aaron is the only lawyer listed in both The Legal 500 United Kingdom and The Legal 500 United States guides, providing clients with a broad and unique transatlantic perspective on privacy, data protection and cybersecurity matters. He is a sought-after media resource on privacy issues and has been quoted in such publications as Bloomberg BNA, Businessweek Magazine, Computer Weekly, Corporate Secretary, DataGuidance, Law360, SC Magazine, The Times and TIME Magazine. Aaron is a frequent speaker and has written and co-written numerous articles, book chapters and handbooks on data protection, privacy and information security issues.

Bridget Treacy
Bridget Treacy

Bridget Treacy is a partner at Hunton Andrews Kurth. Her practice focuses on all aspects of privacy, data protection, information governance and e-commerce issues for multinational companies across a broad range of industry sectors. She advises clients on the EU General Data Protection Regulation that is transforming Europe’s privacy landscape. Other key experience includes big data and analytics, cloud computing, cross-border data transfers and BCRs, behavioural targeting and data breach. She has structured and implemented global privacy and data management compliance programs. Bridget is one of the few UK lawyers with deep, practical experience of advising on EU data protection, cybersecurity and data breach issues. She also has wide-ranging experience advising on outsourcing agreements, strategic alliances, shared services arrangements and technology licensing. She is the editor of the specialist privacy journal “Privacy and Data Protection”, and has contributed to a number of published texts.

Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Key definition:
Data protection definition
What does Data protection mean?

In an employment context, this refers to the obligation on an employer to protect the data of its employees and ensure that it complies with the law on how it uses the employees' data.

Popular documents