It applies to those, who obtain personal data of people of the European region. This particular criteria for deciding applicability of GDPR could be very tricky for organizations of other nations. Now the question arises whether GDPR regulators can impose fines on those entities which are located outside EU region. For illustration can GDPR regulators impose fine on US-based entities or Indian companies for violation of GDPR regulations, if yes then what is the procedure for imposing fine and how complex is that procedure for execution? One of the answers to this question is that EU regulators can impose fine under GDPR on non-EU entities, with the aid of authority, and international laws.
If the entities violating GDPR are outside EU region but if they have any physical presence within EU region, then the regulations can catch those affiliates or subsidiaries for enforcing fine. The real challenge arises how to impose fine on those entities which violate GDPR and does not have any affiliates or subsidiaries or branches within EU region? The answer to this question can be found within the regulations of GDPR, it directs that those entities which are required to comply with GDPR and does not have any physical presence within EU region then those entities are required to have a representative located in the EU region.
Yet another interesting scenario arises, what if any entity, violates GDPR regulations, and does not have any physical presence within EU and nor it has appointed any representative within EU region. The answer to this question lies under international laws and treaties which EU may be having with other nations for imposing sanctions under GDPR regulations. It also depends how flexible are the law enforcement agencies of other nations for extending cooperation to GDPR regulators for enforcing GDPR upon an entity based outside EU region. Yes, it sounds very complex, and it may not be that easy. However, with the increase in trade and business, almost all big organizations have affiliates or branches in EU region, hence these organizations are required to conduct GDPR gap assessment for all of its affiliates and branches to ensure that none of its affiliates or branches violates GDPR regulations.
Now with GDPR in place the service provider is required to have different sets of consent terms covering different purposes, so that the data subject can either accept or deny, for providing personal data for that specific purpose and choose to accept that set of consent terms for which data subject is willing to provide personal data. Certainly, this sounds very cumbersome, but service providers are required to find out solutions for adhering to such consent mechanism prescribed under GDPR. If data subjects have provided consent for using personal information for attending a webinar, then the same personal information as provided by the data subjects cannot be used for providing any other promotional emails to those data subjects, unless the controller obtains specific consent from the data subjects.