Doing Business Online: What You Need to Know

8 June 2018
Posted by Veronica Wong

Part 1: What is the GDPR and how does it impact your business?

As you doing business online?  Operating an online store will open up a world of potential customers but also a heap of new legal considerations.  It is important more than ever to be aware of different laws and requirements that apply when selling goods and services on the internet.

In part one of this series, we consider the effect the introduction of the European Union (EU) General Data Protection Regulation (GDPR) has on Australian businesses.

Is my Australian Business affected by the European Union (EU) General Data Protection Regulation (GDPR)?

Have you noticed a flurry of emails from businesses updating their privacy policy, requesting that you consent for them to continue to send you marketing emails or otherwise to “update” or “refresh” your consents?

This is because a significant new EU law relating to privacy, known as the ‘GDPR’ came into force on 25 May 2018.

Effective from 25 May 2018, Australian businesses of any size may also need to comply with the GDPR if their business:

– Has an establishment in the Union (whether the processing takes place in the Union or not); or
– Offers goods and services to data subjects in the Union (irrespective of whether it is connected to a payment); or
– Monitors the behaviour of data subjects who are in the Union, where the behaviour takes place within the Union

The GDPR will apply to the data processing activities of businesses, and applies to the data controllers and the processors which process the personal data on behalf of the controllers.[1]  Generally data controllers determine why and how the personal data is processed and data processors process the data on behalf of the data controller.

The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’.[2]

It might also be arguable that in some cases the GDPR may extend to confer protections to EU citizens notwithstanding they may be overseas.

Examples of Australian businesses that may be covered by the GDPR:

– An Australian business whose website is available in a European language and customers can view prices in euro and order products to be delivered to a member state in the EU.[3]
– An Australian business whose website mentions customers or users in the EU.
– An Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.[4]

Some highlights of the GDPR include:

1. Consent by the data subject is one of the six legal grounds for lawful personal data processing under the GDPR.

– It must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing of their personal data.[5] For example, pre-ticked boxes or inactivity would not constitute consent.[6]
– Consent is not freely given if the individual has no genuine or free choice, for example if the provision of a service is conditional on consent to processing of personal data that is not necessary for the provision of that service, or if the individual is unable to refuse or withdraw at any time.
– Businesses also need to make the withdrawal of consent as easy as giving consent, and, before individuals give consent, must inform individuals about this right to withdraw consent.[7]

2. The GDPR includes a range of new and enhanced rights for individuals – such as the ‘right to erasure’[8], ‘right to data portability’[9] and ‘right to object’[10]

3. Controllers generally must undertake compulsory data protection impact assessment prior to data processing where a type of processing is likely to result in a high risk for the rights and freedoms of individuals;[11]

4. Businesses not based in the EU have to appoint a designated European representative;[12]

5. A key requirement is that a controller must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.[13] Australian data processing businesses should be aware of the extent to which the GDPR prescribes specific clauses that must be included in such contracts, including that: the processor may only process data in accordance with documented instructions from the controller;[14] and the processor cannot engage another processor without the controller’s authorisation.[15]

The above list is not complete, but provides some key takeaways.

However, don’t panic! There are many common requirements shared between the GDPR and the Australian Privacy Act 1988, so some of your existing processes may also be compliant under the GDPR.

It’s also never been a better time to review your internal business privacy practices and policies with these changes to the GDPR and Australia’s Privacy Act 1988 (Cth) Notifiable Data Breach Scheme.

If you require assistance with whether the Privacy Act 1988 (Cth) or GDPR applies to your business or advice on how to comply, Studio Legal understands your needs and you can speak to us for help. We can also assist to carry out Privacy Impact Assessments. We work closely together with IT and GDPR specialists and can put together a package to best assist you during any privacy and security review. Email us at, or call us on 03 9521 2128.

[1] Article 4, GDPR
[2] Article 4, GDPR
[3] Recital 23, GDPR
[4] Recital 24, GDPR
[5] Article 4(11), GDPR
[6] Recital 32, GDPR
[7] Article 7 and Recital 42, GDPR
[8] Article 17 GDPR
[9] Article 20 GDPR
[10] Article 21 GDPR
[11] Article 35 GDPR
[12] Article 27 GDPR
[13] Article 28 GDPR
[14] Article 28(3) GDPR
[15] Article 28(2) GDPR


The information in this article is of a general nature. It does not constitute formal legal advice, and should not be relied on as such. Please see the full disclaimer in our website terms. Please contact Studio Legal if you are seeking advice about a specific legal matter.