On May 25, 2018, after years of preparation, the first community regulation for the protection of personal data, the GDPR (General Data Protection Regulation), came into force. Unlike the previous regulations, this norm is effective in European Union countries without the need to implement local regulations.
One of the most innovative points is that, even if you do not have a physical establishment in the European Union and you process data in any country of the Central American region, there are cases in which you may be subject to the Regulation.
Thus, you must comply with the GDPR even when processing the data outside the European Union, if you:
- Offer goods or services to residents of the European Union, regardless of the place of payment.
- Carry out monitoring activities for European Union residents, and said activity takes place in the EU.
- Have an establishment that, under international public law, is subject to European legislation.

As an example, you will be bound by the GDPR, even in Central America, if you carry out email campaigns to citizens located in the EU, if you manage an app that has location services in the EU, if you monitor health and physical conditions of an EU resident through medical devices or wearables, or if you are a European embassy or another international body of European jurisdiction.
Moreover, if you are a service provider that processes data for an organization subject to the GDPR, you must also comply with the Regulation, because the compliance obligation applies at all service levels. The GDPR has raised the standards of data protection and security, so a service provider that wants to expand its market to the EU should prepare accordingly and be ready to demonstrate compliance when hired.
Dentons Muñoz can advise you to determine if the Regulation applies...