Legal Blog

The European Union’s General Data Protection Regulation

The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018 and will impose comprehensive data privacy obligations on many unsuspecting US companies.

GDPR applies to controllers or processors of personal data of “data subjects” (i.e., people) who are in the EU if the controller or processor is either “established” in the EU, or processes personal data of EU data subjects related to the offering of goods or services, or monitors personal behavior in the EU. Establishment implies “the effective and real exercise of activity through stable arrangements.” Thus, “established” is a broad term not limited to a legal form such as a subsidiary. Placement of cookies or online behavioral advertising on computers in the EU causes a US company to fall under the GDPR. EU personal data may not be transferred to the US without first meeting stringent requirements.

A controller determines how personal data is processed and for what purpose. A processor carries out the processing on behalf of a controller. In some cases, the controller and processor of a data set may be one and the same. In other cases, a controller may hire one or more processors, in which case it is important for the controller to ensure it has clearly instructed all processors on how and for what purpose the data is to be processed on behalf of the controller. As a practical matter, this may mean controllers need to renegotiate contracts with processors.

A controller is also responsible for seeing that personal data is only collected for a lawful purpose, and only to the extent necessary to achieve that purpose. It must be kept accurate and up to date, and not retained longer than needed. Transparency is also required, meaning that each data subject must understand how the data is being used and why.

Processing of data must be lawful under GDPR. While contractual and legal requirements form preferred grounds for the lawful processing of data, data may be lawfully processed if the data subject gives active consent to the processing of his or her personal information for the expected purpose. As a rule of thumb, companies should treat consent as being required for most commercial purposes, and the controller must be able to show that a data subject consented freely to the processing of his or her data in the manner prescribed by the controller. Additionally, consent may be withdrawn absent certain overriding circumstances. These requirements are more stringent when the data subject is a child.


As a starting point, US companies whose activities subject them to GDPR should revisit all of their data privacy and security programs for compliance, including internal policies, external notices, and processor contracts. Unless exempted by Article 27 (2) of the GDPR, controllers or processors to which GDPR applies may also need to designate a representative in the EU. These and other measures are advisable as companies move toward GDPR compliance.


For more information on this topic, please contact Scott Lloyd at

ABOUT SCOTT LLOYD | 301.575.0357

Scott Lloyd is a registered patent attorney who specializes in intellectual property counseling and commercialization work. He has served as a technology commercialization specialist and advisor to companies in a diverse array of markets, including biotechnology, pharmaceuticals, medical devices, food and beverage, specialty chemicals, technology and engineering. In addition, Mr. Lloyd spent ten years as in-house general counsel to small and mid-sized companies, where he managed corporate matters and resolved commercial disputes in addition to intellectual property strategy, and now serves in the same capacity for entrepreneurial clients. He serves as counsel to and small and mid-sized business owners seeking to implement growth strategies and succession plans.

While in house, Mr. Lloyd has also contributed to the successful formation of international affiliates of domestic businesses as well as a $400,000,000 business acquisition.




Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 170 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eleven offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.

You can connect with Offit Kurman via our Blog, Facebook, Twitter, Google+, YouTube, and LinkedIn pages. You can also sign up to receive Law Matters, Offit Kurman’s monthly newsletter covering a diverse selection of legal and corporate thought leadership content.