Question 1

Does GDPR apply to our US-based company?

Accepted Answer

If you offer goods or services to individuals in the EU, monitor the behavior of individuals in the EU (such as through website analytics or ad tracking), or process personal data of EU-based employees, GDPR applies to you regardless of where your company is headquartered. The regulation's extraterritorial scope is one of its defining features.

Question 2

Do we need to appoint a Data Protection Officer (DPO)?

Accepted Answer

A DPO is required if your core activities involve large-scale systematic monitoring of individuals or large-scale processing of special category data (health, biometric, genetic, etc.). Many technology companies fall into the systematic monitoring category through analytics, behavioral tracking, or profiling. If a DPO is required, we can help you define the role, recruit, or provide DPO-as-a-service through our team.

Question 3

What are the penalties for GDPR non-compliance?

Accepted Answer

GDPR fines can reach up to 20 million euros or 4% of annual global turnover, whichever is higher. Enforcement is active: EU data protection authorities have issued billions of euros in fines since 2018, with technology companies receiving some of the largest penalties. Beyond fines, non-compliance can result in orders to stop processing, which effectively shuts down your EU operations.

Question 4

How do we handle cross-border data transfers after Schrems II?

Accepted Answer

The EU-US Data Privacy Framework (DPF), adopted in 2023, provides a mechanism for certified US companies to receive EU personal data. For transfers to non-adequate countries, Standard Contractual Clauses (SCCs) remain the primary mechanism, but they require a Transfer Impact Assessment (TIA). We help you select the right mechanism, complete the required assessments, and document your transfer safeguards.

GDPR

适用对象

您将获得

常见问题

通过渗透测试强化GDPR合规性

准备好开始了吗？