What You Need to Know about the GDPR

Posted June 14, 2018 at 3:37 pm
Editor’s Note: TRSA General Counsel Steven John Fellman wrote this article.

If it hasn’t already happened, you may soon get a notice from one of your major customers advising you that in order to continue serving the customer, you must be in compliance with the General Data Protection Regulation, or GDPR. You may ask what is the GDPR and why is my customer asking me if I am in compliance. Below is some basic background information.

Recently, the European Union enacted a new data-privacy regulation that took effect on May 25. This regulation requires that every company that has a presence in the EU or offers goods or services to persons residing in the EU must implement a comprehensive Data Privacy Protection Program to protect personal data provided by EU individuals to the company. “Personal Data” is defined broadly. It includes such basic information as a person’s name and address. Essentially, if your company has an office or agent in the EU, has customers who are individuals in the EU or sends promotional information to individuals in the EU, you are covered by the GDPR. Companies and other organizations that violate the provisions of the GDPR are subject to substantial fines. In certain cases, a company’s board members may be held personally liable.

You are probably all aware of the GDPR because you have been receiving privacy notices from a great variety of companies, some of which you have never dealt with and some of which you have never heard about. Why are they sending you this information? First, they believe that they have your personal data in their files. Second, they are sending privacy notices to all the individuals in their database, regardless of where they are located. Third, and of most interest to TRSA members, they are sending these notices because they want to demonstrate to their customers that they are GDPR compliant.

Let’s pick up on the third point. The GDPR not only requires that companies covered by the GDPR adopt a data privacy protection program, but the GDPR also requires that companies covered by the GDPR not exchange personal information with other companies, including service providers, subcontractors, or other vendors unless such service providers, subcontractors or other vendors are also GDPR compliant.

The major requirements of GDPR compliance include:

  1. Providing detailed notices describing how your company collects and processes personal data.
  2. Ensuring that you provide personal data only to companies that are GDPR compliant.
  3. Having written GDPR compliance agreements with all service providers that will process your personal data.
  4. Having a system to protect all EU residents’ privacy rights.
  5. Having an internal company policy in place to address data-protection issues.

In some industries, international companies that are required to comply with the GDPR have found that it’s impossible to limit GDPR compliance to facilities in the EU or information transfers involving only EU residents. These large companies have adopted a policy of international companywide GDPR compliance. Under such a policy, all of the company’s service providers, which would include linen, uniform and facility services companies, subcontractors and other vendors must provide written certification to the company that they are GDPR compliant. Since one element of GDPR compliance is to only use GDPR-compliant service providers, subcontractors or other vendors, we also expect to see many U.S. companies require GDPR compliance in their contracts with other U.S. partners in order to maintain business relationships with large international partners, even where the U.S. companies are not directly covered by the GDPR.

Let’s take it one step further. Assume your client, an automobile manufacturer, takes a position that it’s not covered by the GDPR. However, the automobile manufacturer enters into a contract to sell a fleet of vehicles to a customer located in the EU. The EU customer must comply with the GDPR. As part of this compliance, it must show that all of its suppliers, including the automobile manufacturer, have certified that they are in compliance. In order to certify that it is in compliance, the automobile manufacturer must certify that all of its contractors and service providers are in compliance. As a linen, uniform or facility services company, you may be one of those service providers.

Recently, some of our clients have received contracts from their customers that have a clause requiring them to certify that they are GDPR compliant. When they object, arguing that they do not receive any personal data from EU residents from the customer, they are told that it is the customer’s corporate policy that all of its service providers, subcontractors or other vendors must provide this certification – without exception.

If you are a linen, uniform or facility services company doing business with an international company such as an auto manufacturer or energy company, you may receive a GDPR compliance request. You may be told that if you do not become GDPR compliant, you will no longer qualify to do business with that customer. Are you prepared to show that you are in compliance?

GKG Law, P.C. has published a comprehensive GDPR client alert. For a free copy of the Client Alert, contact Steve Fellman (sfellman@gkglaw.com).