Client Update – The EU Data Protection Regulation Imposes New Requirements on Non-EU Companies and May Affect Your Non-EU Business

June 7th, 2016 Back to all publications

Client Update – The EU Data Protection Regulation Imposes New Requirements on Non-EU Companies and May Affect Your Non-EU Business


If your company markets products or services in the EU or applies online tracking techniques to individuals in the EU, the new EU General Data Protection Regulation (GDPR) may affect your business.


The GDPR, which was adopted on April 14, 2016, replaces the current EU Data Protection Directive (Directive 95/46/EC) and seeks to address new challenges brought by rapid technological developments, by providing a strong and coherent data protection framework, backed by strong enforcement.


This new regulation imposes new comprehensive requirements on non-EU companies that process personal data of data subjects in the EU in connection with the offering of goods or services in the EU or monitoring behavior of data subjects in the EU. For example, an Israeli company that directly markets its products in the EU, or that applies certain online tracking techniques to individuals in the EU, may be subject to the GDPR, even if it has no physical presence in the EU.


Among the requirements applicable to non-EU companies, are the obligations to:

  • provide data subjects with information on the purpose of data processing, the recipients of the data and additional information necessary to ensure fair and transparent processing (such as information on profiling of data subjects). This information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to children;
  • report data breaches to a “supervisory authority” (generally, within 72 hours after becoming aware of the breach), and in some cases to the data subjects themselves;
  • comply with demands of individuals to erase their personal data without undue delay (in concert with the concept of the “right to be forgotten”); and
  • in some cases, to appoint a representative in the EU.

Violation of certain provisions of the GDPR may lead to a fine of up to €20 million or 4% of the total worldwide turnover (whichever is higher).


Companies are provided a two-year transition period as the GDPR will become applicable from May 25, 2018. It will be applicable in all EU Member States, with no need for national legislation.


As mentioned above, the GDPR may be applicable to companies irrespective of whether they are physically present in the EU. Accordingly, businesses are encouraged to examine whether their activities fall within the scope of the GDPR and, if so, to use the transition period, until the GDPR becomes applicable, in order to ensure that their policies and practices are aligned with the requirements of the GDPR.


Gornitzky’s Cyber-Security, Privacy and Data Protection team offers clients a well-rounded multidisciplinary approach to navigating the emerging regulatory and legal frameworks in the field of cyber security, privacy and data protection.



For further information on these developments, please feel free to contact: Timor Belan (Partner), Assaf Harel (Associate)


Download as PDF


This client update is designed to provide general information only, is not a full or complete analysis of the matters presented, and may not be relied upon as legal advice.