Hello, DPO for a small UK charity here. The UK GDPR, which is now a separate article of legislation to the EU GDPR by the way, specifies in Article 3 that it applies:
"to the [(F2) relevant] processing of personal data of data subjects who are in [(F3) the United Kingdom] by a controller or processor not established in [(F3) the United Kingdom]..."
Link to source: https://www.legislation.gov.uk/eur/2016/679/article/3
This to me suggests that even a US citizen who happens to be in a UK airport at the time, and who has data collected, falls under the UK GDPR. But it's more likely that it applies to people resident in the country, rather than just transiting. However, the law is irrespective of nationality, opting instead to apply depending on where the data-subject is. I believe the only changes to the UK GDPR from the EU GDPR are the territory to which it applies. So if your data-subjects are in the EU, their data is subject to the EU GDPR, or if they're in the UK, the UK GDPR.
Note also that the UK GDPR does not make the UK Data Protection Act (DPA) redundant, but just adds a layer on top of it. So you may want to look at the UK DPA if you're going to be handling UK data-subjects' data. Also, the UK legislation can be found at:
GDPR: https://www.legislation.gov.uk/eur/2016/679/contents
UK DPA: https://www.legislation.gov.uk/ukpga/2018/12/contents