07 May 2018 / article

Personal data vs. business information in the European Union: recent developments

These are busy times for the protection of personal and business data in the European Union (“EU”): on May 25, the General Data Protection Regulation 2016/679 (“GDPR”) will become applicable, while on June 9 all EU Member States should (in principle) have adopted legislation implementing the so-called Trade Secrets Directive 2016/943. Let’s have a look at how these two important pieces of EU legislation could be of relevance for US companies.

Personal data vs business information

As to its territorial scope, the GDPR first of all applies to any processing of personal data that takes place in the context of the activities of a European establishment of a data controller or processor, regardless of whether the processing itself takes place in the EU. This means that not only EU affiliates of US-based companies should be GDPR compliant, but also US companies themselves, insofar as they have a branch or representation office in the EU and this ‘establishment’ creates a data flow to the US. In addition, the GDPR applies to the processing of personal data by a controller or processor without any EU establishment, where the processing activities relate to (1) the (active) offering of goods or services to individuals in the EU, or (2) the monitoring of individuals’ behavior in the EU. US companies operating a web shop targeting European customers or a mobile application tracking the behavior of EU individuals will thus also be caught by the GDPR, even if they have no establishment in Europe.

On the other side of the spectrum, companies often also own important (non-personal) sensitive business information or technical know-how. US companies should therefore also be attentive to the Trade Secrets Directive, which aims to protect such confidential business or technical information. As the Trade Secrets Directive does not set any territorial restrictions, US companies can very well use it to act against misappropriation of their trade secrets in the EU. In order to succeed, US companies should of course make sure that what they call “trade secrets” effectively meets the following definition: “any information that is secret, has commercial value because it is secret and has been subject to reasonable steps to be kept secret”. Such ‘reasonable steps’ generally include signing NDAs and adequate confidentiality clauses with employees, consultants and any third party having access to confidential information, protecting such information with passwords and access control, etc. As the EU and the US (via the Defend Trade Secrets Act effective since May 11, 2016) have defined trade secrets in a similar manner, this should not be too much of a challenge for US companies.

In sum, we encourage you to be aware of how much the protection of personal data, on the one hand, and business data, on the other hand, is a hot topic at the EU level and could potentially serve your international business.  


