Cross border processing operations

As an organisation, you can process personal data in more than one EU member state. For example, if you have establishments in the Netherlands and France, and both establishments process personal data. But also if you process personal data within one member state, there may be cross-border data processing.

On this page

Within one member state 

Do you process data within one member state? Then there is nevertheless cross-border processing if people in more than one member state are substantially affected by your data processing. Or are likely to be substantially affected.

For example, if you have your registered office in the Netherlands, but process data of consumers from other EU countries. Or for activities that, for example, concern people in both the Netherlands and Belgium.

Substantially affected

The General Data Protection Regulation (GDPR) does not give a definition of ‘substantially affected’. The data protection supervisory authorities assess this on a case-by-case basis.

In doing so, they consider:

  • the context within which you process personal data;
  • the type of data that you process;
  • the purpose of your data processing.

They also assess whether your data processing may, for example:

  • result in damage or disadvantage for the people whose data you process;
  • have consequences for their health or welfare;
  • lead to discrimination or unequal treatment.