The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements effective from 25 May 2018. The GDPR harmonises data protection laws across the EU and replaces existing national data protection rules. It has increased the territorial scope of existing laws.
It applies to all organisations, including charities and not-for-profits, processing personal information about individuals in the EU, regardless of where the organisation is located. Its application is extensive: it may apply to Australian businesses or organisations with a connection or presence in the EU.
Violation of the GDPR attracts administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher), depending on the exact violation.
Please note: The following information is general legal information only. If you have any concerns about the application of the GDPR to your specific organisation's circumstances, please seek legal advice.
Do Australian not-for-profits need to comply with the GDPR?
To determine if the GDPR will apply to an Australian not-for-profit organisation, one or more of the following requirements must be met:
- Have an establishment in the EU (e.g. an office)
- Offer goods and services to individuals in the EU (irrespective of whether payment is required), or
- Monitor the behaviour of individuals in the EU, where that behaviour takes place in the EU.
Establishment in the EU
Many Australian not-for-profit organisations, particularly smaller groups, will not meet the "establishment" requirement as it's unlikely an Australian-based organisation would have additional funds for an office in Europe.
Offering goods and services
Offering goods and services to individuals in the EU means the controller or processor envisages offering goods or services to individuals in the EU (e.g. payment in Euros or services in a European language; where a website specifically mentions customers or users in the EU). The mere accessibility of a website in the EU, of an email address or of other contact details, or the use of an EU language is insufficient to ascertain an intention of offering services to EU data subjects.
In other words, a website that is simply accessible by a global audience does not in itself indicate "offering goods and services" to individuals in the EU, and on its own does not necessarily subject an organisation to the GDPR. By contrast, an organisation demonstrates an intention to offer goods and services to individuals in the EU if there are options to interact with the organisation's website in the native language or currency of an EU member state, or if the organisation's website mentions customers or users who are in the EU.
In summary, if a not-for-profit organisation's website does not use domains of an EU member state (e.g. .eu, .ie, .de), provide options for EU language translation or EU currency conversions, and does not advertise to attract EU users, it is unlikely to fall under the GDPR requirement of “offering goods and services”.
Monitor the behaviour
The term “monitoring” is defined as the monitoring of the behaviour of individuals that takes place within the EU. Processing activity that is considered “monitoring the behaviour of data subjects” includes the tracking of individuals on the internet, and the subsequent use of personal data* processing techniques which consist of profiling a person, particularly in order to make decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
*Personal data means any information relating to an identifiable natural person (similar to the Privacy Act); and extra protections apply to the processing of 'special categories', which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (these are similar to categories of 'sensitive information' under the Privacy Act).
By way of example: if your organisation processes data about an individual in the EU (e.g. collecting and storing email addresses and information about the charitable causes they support) for the purposes of a fundraising campaign, this may fall under "monitoring".
In these circumstances, the organisation may be considered a controller under the GDPR, as it is collecting personal information from individuals in the EU, even if it does not actively encourage people in the EU to sign up to email lists through its website. If the personal data (e.g. an IP address or email address), on its own or combined with other information, can be used to identify an individual in the EU, then it is possible, though unlikely, that the processing would fall within the scope of the GDPR. It is far more likely where the organisation uses the data in a systematic and targeted way, for example, having identified the individual in the EU, it then tracks the individual across numerous websites or applications.
The GDPR and the Privacy Act share many common requirements. Therefore, if your organisation already complies with the Privacy Act it will have already satisfied a number of requirements under the GDPR. Both laws foster transparent information handling practices to give individuals confidence that their privacy is being protected.
The Office of the Australian Information Commissioner (OAIC) has useful information on the GDPR. It highlights some key responsibilities under the GDPR (many being broadly similar to existing requirements: principles relating to the processing of personal data, lawfulness of processing requirements, processing of special categories of personal data requirements and security of processing requirements). The OAIC also addresses some of the expanded requirements, which are about accountability of data controllers and governance arrangements relating to the processing of data; data protection policies and incorporating data protection into their data processing activities (called ‘data protection by design and by default’).
The OAIC offers useful examples of measures that can be taken to meet these requirements, should an organisation at some future point come within the scope of the GDPR. For example, to meet the requirement of 'data protection by design and by default', an organisation's policies and practices should include: minimising the processing of personal data; pseudonymising personal data as soon as possible; allowing individuals to monitor processing; improving security features; and transparent explanations as to the functions and processing of personal data.
The OAIC also sets out that the GDPR's governance requirements (e.g. appointing a data protection officer, conducting data protection impact assessments, keeping records of processing activities and adopting codes of conduct to ensure compliance with the GDPR) are similar to requirements in the Privacy Act.
Do we need to obtain consent of our subscribers?
If the GDPR applies to your organisation, you may need to consider obtaining clear consent from your subscribers. The GDPR tightens the (existing) definition of consent: it must be freely given, specific, informed, and an unambiguous indication of the individual's wishes by which she or he, by a statement or by a clear affirmative action, signifies agreement to the processing. Silence, pre-ticked boxes or inactivity are not taken to be the giving of considered consent.
In practice this means your organisation must determine (and be able to demonstrate) that an individual has clearly consented to the processing of their personal data. Individuals must be able to refuse or withdraw consent at any time and they must also be informed about their right to withdraw consent.
Overall, it is not necessary to remove the personal information of people in your email database whom you cannot confirm are based outside the EU (as above, an email database held in Australia where the information alone, such as names only, does not fall within the GDPR's definition of special categories of personal data). You should already (as required by Australian law) have an option for your subscribers to unsubscribe at any time, and once they have unsubscribed you should make sure their personal data is entirely deleted and not used for other purposes.
The following definitions are used by the GDPR:
- Personal data means any information relating to an identified or identifiable natural person (individual or data subject).
- Identifiable natural person (individual or data subject) means a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.