GDPR compliance for Australian businesses offering goods or services to EU residents
The EU General Data Protection Regulation (GDPR) applies to Australian businesses that offer goods or services to individuals in the EU, or that monitor the behaviour of EU residents. This guide sets out 10 core obligations — lawful basis, data subject rights, cross-border transfers, and the 72-hour breach notification — that sit alongside (and sometimes go beyond) the Privacy Act 1988 (Cth).
Coverage
Any Australian business that (a) offers goods or services to individuals in the EU, regardless of whether payment is required, or (b) monitors the behaviour of individuals in the EU (including via cookies, analytics, or profiling). Mere accessibility of a website from the EU is not enough — the business must be targeting EU customers. Many AU exporters, SaaS providers, and ecommerce businesses are caught.
Legal basis
Regulation (EU) 2016/679 (GDPR), Article 3 sets out the extraterritorial reach. The Privacy Act 1988 (Cth) and the Australian Privacy Principles operate alongside — compliance with one does not automatically satisfy the other. The European Data Protection Board publishes guidance on territorial scope (Guidelines 3/2018).
The obligations
Identify a lawful basis for every processing activity
Each processing activity must be supported by one of the six lawful bases in Article 6 — consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent must be freely given, specific, informed, and unambiguous.
Provide transparent privacy information to data subjects
At the point of collection (or within one month for indirect collection), provide a detailed privacy notice covering identity, purposes, lawful basis, recipients, retention, and data subject rights. The notice must be concise, intelligible, and in plain language.
Respond to data subject rights requests within one month
Respond to access, rectification, erasure, restriction, portability, and objection requests within one month (extendable by a further two months for complex requests). No fee may be charged unless the request is manifestly unfounded or excessive.
Appoint an EU representative if required
Australian businesses without an EU establishment must designate an EU representative in writing under Article 27 if they process EU personal data, except where the processing is occasional, does not include large-scale processing of special category data, and is unlikely to result in a risk to the rights and freedoms of data subjects.
Appoint a Data Protection Officer where triggered
Appoint a DPO if core activities involve large-scale regular and systematic monitoring of data subjects, or large-scale processing of special category data. The DPO must report to the highest level of management and cannot be dismissed for performing DPO tasks.
Conduct Data Protection Impact Assessments for high-risk processing
Carry out a DPIA before any processing likely to result in high risk to rights and freedoms — including large-scale profiling, systematic monitoring of public areas, or large-scale processing of special category data.
Use lawful transfer mechanisms for data leaving the EEA
Transfers of EU personal data to Australia require an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another Article 46 mechanism. Australia does not have an adequacy decision — most AU businesses rely on SCCs plus a Transfer Impact Assessment.
Implement appropriate technical and organisational measures
Security measures must be appropriate to the risk and may include, where appropriate, pseudonymisation, encryption, measures ensuring the ongoing confidentiality, integrity and availability of processing systems, and regular testing of their effectiveness. Data protection by design and by default is also required.
Notify the supervisory authority within 72 hours of a breach
Notify the lead supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Notify affected data subjects without undue delay if the breach is likely to result in a high risk to them.
Maintain Records of Processing Activities
Controllers and processors must maintain written (including electronic) records of processing activities. The records must be made available to supervisory authorities on request. A narrow exemption exists under Article 30(5), but it rarely applies in practice.
What happens if you do not comply
Administrative fines of up to EUR 20 million or 4% of global annual turnover (whichever is higher) apply to serious infringements (Article 83(5)). Lesser infringements attract fines of up to EUR 10 million or 2% of global annual turnover. Data subjects also have a right to compensation for material and non-material damage.
Reporting requirements
Personal data breaches must be notified to the lead supervisory authority within 72 hours. Data subjects must be notified without undue delay where the breach is likely to result in high risk. Records of processing activities must be provided to the supervisory authority on request.
What firms should do today
- Map all processing activities involving EU personal data and document the lawful basis for each
- Review website targeting indicators (currency, language, delivery destinations) to confirm whether Article 3 applies
- Execute Standard Contractual Clauses with EU counterparties and run a Transfer Impact Assessment for AU-based processing
- Appoint an EU representative under Article 27 unless the narrow exemption applies
- Draft a breach response playbook that triggers a 72-hour clock from the moment of awareness
- Align the Australian privacy notice and the GDPR privacy notice so data subjects receive the more protective set of rights
Compliance with Quillio
Quillio runs on Australian-hosted infrastructure with full data sovereignty. For AU businesses that also handle EU data, Quillio drafts DPIAs, Article 30 records, SCC schedules, and breach notification templates aligned to current EDPB guidance. See /resources/security or start a free trial.
This guide is general information about GDPR obligations — not legal advice. Territorial scope, lawful basis, and transfer mechanisms are fact-specific. Obtain specialist EU data protection advice before relying on any particular mechanism or exemption.
Build compliance into your stack.
Quillio is built around AU compliance from the ground up — SOC 2 Type II + ISO 27001 + Australian data sovereignty. The free trial requires no credit card.