Schrems II judgment/ruling (Privacy Shield invalidation) and required steps

gdpr Aug 16, 2020

Disclaimer: all the information in this article and otherwise on this website is for informational purposes only. No information is of a legal nature. Please read our full disclaimer.

On 16 July 2020, the Court of Justice of the European Union issued a ruling (“Schrems II judgment”) regarding international transfers of personal data from the EU.

The ruling invalidated the Privacy Shield framework and set out stricter criteria for using other safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).

This article is for you if you’re a:

  • US provider (processor) processing the personal data of anyone in the EU/EEA, and/or
  • controller for such personal data, using third-country processor(s)

Latest update and short summary of the ruling (April 2022)

For those returning, here are the latest, relevant updates:

Continue Reading...

GDPR compliance checklist for SaaS, tech and online business

gdpr Jul 30, 2020

And does the GDPR even apply to you?

You're probably wondering how many hours it will take to comply with the GDPR, the new European data protection and privacy law, applicable to almost every online business (across the world).

In short, if you promote or sell services to people in the EU, you need to comply with the GDPR. Simply promoting your stuff online to EU people (through email list building for example), is enough.

If you're a US company with a target market in California, and you happen to sell something to a dude in Germany once every blue moon, then you probably don't have to worry about the GDPR. You've got your own laws to worry about, though (CCPA), and GDPR-like laws are sprouting all over the world, so perhaps you might as well do *something* about how you handle personal data.

If you're still unsure, take the ICO's (the UK data protection authority) assessment here: Does data protection law apply to my business?

After spending well over a thousand hours studying and...

Continue Reading...

Credible GDPR sources (and those you should never trust)

gdpr Jan 06, 2020

This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitutes legal advice.

Don't trust everything you read about the GDPR

The GDPR is already a complicated area for many, and most people feel overwhelmed. They’re not sure what to do, in which order, and when it’s good enough – for their kind of business. They’re often also worried about the price of getting help.

If this is the case, go straight to the ultimate GDPR compliance checklist for small and online businesses.

Also visit the website of your national data protection authority (DPA). All you need to know about the GDPR can usually be found there, free of charge.

Just make sure you know when to get help with the GDPR, what to get help on, and that you do your due diligence on any GDPR "helpers" first.

Here is a list of the members of the...

Continue Reading...

What is «personal data» (in the GDPR)?

gdpr Jun 23, 2019

This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitutes legal advice.

The GDPR applies to the processing of personal data when running a (non-profit or for-profit) business, membership, club, association or any other type of organization (online or not).

Because of the definitions in the legal text, the GDPR applies to nearly all kinds of businesses and organisations, irrespective of size, type, industry or revenue.

Read all about GDPR compliance for SaaS companies, tech startups, freelancers and all types of online businesses

Many business owners who believe that the GDPR doesn’t apply to them are not clear on what personal data is. And, in short, it’s almost anything.

Personal data in the GDPR is more than you think

Personal data as per the GDPR is any kind of information or assessment of an individual that can be either ...

Continue Reading...

What is GDPR? The European privacy and data protection law

gdpr May 25, 2019

This article is written specifically for small businesses and therefore doesn’t include all aspects of the legislation that may apply to larger businesses and public entities. No information on this website constitutes legal advice.

What is GDPR - in a nutshell?

GDPR is short for the General Data Protection Regulation and it’s a European law about data protection, privacy and basic human rights.

A lot has been written about the GDPR and how to achieve GDPR compliance. My first and most important advice is: Only rely on credible sources. Meaning no random advice from Facebook groups or blog posts from companies that aren't GDPR experts.

The law applies if your business/organization is based in the EEA (the 27 EU member countries + the three EEA countries Norway, Liechtenstein and Iceland), or if you (happen to) promote or sell goods/services to people in the EEA.

Notice that I said «people», not citizens, inhabitants or with this or that nationality. As long...

Continue Reading...