Compliance with the GDPR: Does geography even matter?

Yes, we have already explained that the GDPR covers all companies that offer goods or services to individuals in EU. So obviously geography doesn’t matter, right? Well, actually, it’s not that simple.

The GDPR aims to harmonise data protection law across the European Union. However, there are still areas in which Member States can apply their own national rules. These areas may fall outside the union’s legislative competence or some Member States have constitutional rules that apply.

How geography matters to GDPR

What it does mean is that data protection law across the EU isn’t quite as consistent as the GDPR may have aimed for. And companies that work in several Member States (many MSPs do) will experience different data protection laws from one Member State to the next. So despite efforts to eliminate such headaches, companies still need to concern themselves with the GDPR and national laws alike.

In that regard, it might be a redeeming feature that most legislation across the EU will be subject to the GDPR. For precautionary reasons, companies need to familiarize with relevant national laws wherever they do business . But in most cases, they will find themselves to be navigating GDPR territory.

The rule of member stats

For instance, Member States remain in charge of determining limits of free expression. In some Member States personal data can be processed for reasons that relate to free expression, in other one’s it can’t. Issues in which national law trumps the GDPR include national security, defence, the investigation of criminal offences and other important public interests.

Not to say that the standard MSP doesn’t process personal data that relate to important national affairs, but, well, in most cases it probably doesn’t. At least not on a daily or weekly (or monthly) basis. And probably almost never in situations, where the company won’t naturally cooperate with authorities in case of a serious national crisis.

How certain sectors are affected

Not all exemptions from the GDPR stem from national security and similarly heavy stuff, however. For an example, members states are free to determine their own law regarding the processing of national ID numbers. Employment laws are almost exclusively outside the legislative reach of the EU including the relevant personal data. And in some Member States, certain sectors (such as law firms and banks) are subject to specific obligations in terms of professional secrecy. And this is just a fragment of national law that is going to be arround despite the GDPR.

In other words, MSPs, you have no choice but to pay attention to national law in all the countries you roam. Despite the fact that having a thorough understanding of the GDPR will most often have you covered.  


Three highlights:

– Despite the GDPR’s intention to harmonise data protection law all over the EU, national law still does matter.


– Companies that work in several member states need to familiarize with national law. But mostly for precautionary reasons.


– The GDPR is going to be the dominating data protection law across the Union.