- What is the General Data Protection Regulation (GDPR)?
- Why is the GDPR important to me or my organization?
- Does the GDPR apply only to EU-based organizations?
- What are ‘personal data’ and ‘data subject’?
- What is ‘processing’ of personal data?
- What are a ‘controller’ and a ‘processor’?
- What are the data subject’s rights?
- Can personal data be transferred outside the EU?
- What is a ‘Data Protection Officer’ (DPO) and does my organization need to have one?
- What about conflict of interest regarding the DPO?
- Is there a controlling institution?
- My company is a small or medium enterprise, does the GDPR still apply to it?
- Is consent the only legal ground on which personal data can be processed?
- Is the GDPR applicable only to the processing of personal data of EU citizens?
- What are special categories of personal data?
- How much would it cost to comply with the GDPR?
- Where can I learn more about the GDPR?
- Data retention or the right of erasure, which one prevails?
- Do I need special consent for marketing?
- Can I process children’s personal data?
- What is the difference between an EU Regulation and a Directive?
- Are there special security rules under the GDPR?
- Does the GDPR apply to the personal data of deceased persons?
- Do I need to sign a DPA for all Unit4 products and/or services or just the clould-based?
- Can I collect clients’ consent for processing their personal data for newsletters and other marketing over the phone?
- Does Unit4 have a Data Protection Officer?
The General Data Protection Regulation, or simply the ‘GDPR’, is the latest data protection legislation act of the European Union (EU). It comes into force on the 25th of May 2018 and replaces the previous Data Protection Directive and related national legislation which means that the new data protection rules will be the same in all Member States. The aim of the GDPR is to protect the privacy and personal data of individuals (data subjects) residing in the EU.
The regulation aims to protect every person residing in the European Union, independent of their nationality. Since personal data is being stored all over the world, the geographical scope goes far beyond the borders of the EU, making it relevant and important globally. In essence, both the public and the private sector dealing with EU personal data will have to comply with the new rules on the processing of personal data from the end of May. Moreover, the GDPR is based on the existing EU data protection principles and rules and further develops them by adding new rights for data subjects (natural persons) and new obligations for controllers and processors of personal data. The European legislator will ensure that the law is taken seriously by imposing hefty administrative fines for noncompliance – in some cases, depending on the breach, they can be as much as 20,000,000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of the GDPR).
No. The GDPR applies:
- to organizations in the EU that process personal data, regardless of whether the processing takes place in the Union or not;
- to organizations outside the EU. In this case, the GDPR is applicable when the processed personal data relates to individuals (data subjects) in the EU and the processing activities are related to either 1) the offering of goods or services or 2) the monitoring of the individual’s behavior as far as it takes place within the EU;
- to an organization outside the EU, where Member State law applies by virtue of public international law (Article 3 of the GDPR). This would include a Member State's diplomatic mission or consular post for example.
The GDPR defines ‘personal data’ as any information relating to a data subject. A ‘data subject’ is an identified or identifiable natural person. A person could be identified through such identifiers as: a name, an identification number (like a social security number), location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person (Article 4(1) of the GDPR).
The GDPR defines ‘processing’ as any operation or set of operations which is performed on personal data or on sets of such data, whether or not by automated means (Article 4(2) of the GDPR). The law also gives a non-exhaustive list of actions, which are always considered processing – collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The non-exhaustive nature of this list means that it is just an example of what will always be considered processing, therefore, even if an activity or action performed on personal data is absent from the list, it will likely be considered as processing by the Data Protection Authorities or a European court.
- A ‘controller’ is anyone (natural or legal person, public authority, agency or other body) who, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR).
- A ‘processor’ is anyone who processes personal data on behalf of the controller (Article 4(8) of the GDPR). Although both the controller and the processor have some similarity in their rights and obligations, it is important to make a distinction between the two because the data controller is the one who has more obligations and, thus, is primarily held liable for noncompliance with the GDPR.
The data subject (a natural person) has a set of rights under the GDPR and in most cases the one obligated to fulfill them is the controller. Here are some of the more important data subject’s rights:
- Access – the right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed;
- Rectification – the right to obtain from the controller without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed;
- Erasure (a.k.a. ‘The Right to be Forgotten’) – the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay;
- Data portability – the right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format;
- Non-automated individual decision-making – the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.
Personal data transfers outside the borders of the EU are generally permitted but heavily regulated because the EU wants to prevent the circumventing of the GDPR through data transfers to third countries.
In essence, what the law aims for is to ensure that the level of protection of natural persons it guarantees is not undermined (Articles 44 to 50 and Recitals 101 and the following of the GDPR).
The Commission plays a central role in the supervision of international personal data transfers. It is also possible for the EU and third countries to sign agreements to facilitate the transfer of data outside the EU. One such existing agreement is the Privacy Shield Framework (PSF) between the EU, the United States of America and Switzerland. The Privacy Shield website lets you check who is certified under the PSF and as you can see, global corporations like Google, Microsoft, Amazon and Cisco Systems have their certification in place.
Controllers and Processors are obligated to have a Data Protection Officer in several cases:
- if public authority or body is processing personal data (except for courts acting in their judicial capacity);
- where the core activities of the Controller or the Processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the Controller or the Processor consist of processing on a large scale of special categories of data (like racial or ethnic origin, religious beliefs, health or sexual orientation, etc.) and personal data relating to criminal convictions and offences.
A company must have a DPO if the processing of personal data it performs falls under one (or more) of these scenarios (Article 37(1) of the GDPR).
The conflict of interest may occur if the DPO also performs ‘other tasks and duties’ which fall outside the scope of his or her position as a DPO. The controller or processor is obligated to ensure that any such tasks and duties do not result in a conflict of interests (Article 38(6) of the GDPR). This means that the DPO cannot hold a position which leads him or her to determine the purposes and the means of the processing. As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organizational structure (Article 29 Working Party DPO FAQ's, page 5).
Yes, there are Independent Supervisory Authorities. Each Member State provides for one or more independent public authorities to be responsible for monitoring the application of the GDPR. Their goal is to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU (Article 51(1) of the GDPR). Each supervisory authority has a wide array of investigative, corrective, authorization and advisory powers (Article 58 of the GDPR) and cooperation with them is mandatory.
Yes. Company size is irrelevant to the law. A controller or processor could even be a single natural person – if he or she is processing personal data.
No. Consent is just one of several legal grounds for processing personal data. The GDPR provides for personal data to be lawfully processed in certain cases like, for example, when someone applies for a job – they send their CV, which contains personal information, which will be stored for the process of the job interviews, or when personal health-related details need to be provided to save the life of a road traffic accident survivor, etc.
More precisely, the other legal grounds for processing of personal data are:
- where processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
- where processing is necessary for compliance with a legal obligation to which the controller is subject;
- where processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1) of the GDPR).
No. The GDPR applies to all who are currently on EU territory. It does not take citizenship or residency as a criterion to protect personal data. From this perspective, it applies to the personal data of all individuals who live in the EU, regardless of whether or not they are EU citizens.
The special categories of personal data are such data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Furthermore, special categories are also genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of special categories of data is generally prohibited but there is an exhaustive list of exceptions to this rule. For example, in case the data subject has given explicit consent or the processing is necessary to protect the vital interests of the data subject or of another natural person (like his or her life) and the data subject is physically or legally incapable of giving consent.
There is no universal answer to this question. It always depends on each specific case. For example, the cost would be perhaps in a similar range for Facebook, Google and Microsoft, but in a completely different one for a small local business in the EU (like a bakery, a restaurant, etc.). Additionally, the cost might be quite high due to the fact there is a low number of qualified experts to consult on and/or implement GDPR compliance. Even finding such experts could prove to be an impossible task for some. Lastly, it should be taken into account that the cost would comprise not only finances but time as well.
Data Subjects have the right to have their personal data erased by the controller under certain circumstances (a.k.a. the ‘Right to be Forgotten’). However, there are exceptions to this rule. The personal data could be retained in case the processing is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. So, for example, the national law of a Member State could be obligating the controller to keep records of tax-related or other administrative documentation, which contains personal data, for several years.
Consent is a good legal basis for processing personal data for marketing purposes, but not the only one. The processing of personal data for direct marketing purposes may be regarded as carried out for a ‘legitimate interest’. This means that you need a good reason why you process the personal data. However, the data subject shall have the right to object at any time to processing of personal data concerning him or her for direct marketing purposes. This includes profiling to the extent that it is related to such direct marketing. In case of such an objection the personal data shall no longer be processed – at least not for such purposes.
The short answer is ‘yes’. When consent is the legal ground for processing and information society services are offered directly to a child, the processing is lawful where the child is at least 16 years old. If the child is below 16 years old, the processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. However, Member States have the opportunity to adjust their national legislations to set a lower age than 16, but not below 13. The controller is obligated to make reasonable efforts to verify that the child’s consent is given or authorized by the holder of parental responsibility, taking into consideration available technology.
A Directive gives a legal framework of what the EU Member States generally need to implement in their national legislations. This allows for a varying level of difference in the specific rules on one subject matter between the Member States. In contrast, a Regulation does not include implementation in the national legislations of Member States and is directly applicable. This means that the law is generally the same in all of the EU and that natural and legal persons can base their claims directly on the Regulation (not on the relevant national law).
The GDPR is taking the security of personal data very seriously. Therefore, the controller and the processor are obligated to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk while taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Furthermore, in assessing the appropriate level of security account shall be taken in particular of the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Additionally, the controller and the processor shall take steps to ensure that any natural person acting under their authority who has access to personal data does not process the data except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
The GDPR does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of such persons. However, it must be taken into account that the personal data of deceased persons may relate to and/or reveal personal data of living natural persons (most likely, but not exclusively, relatives). For example, shared home phone number or inherited disease. In this case the processing of the personal data would still fall under the scope of the GDPR and compliance should be ensured.
A Data Processing Agreement (DPA) is needed in all cases where Unit4 is providing a SaaS (cloud-based service). Additionally, a DPA is needed in all cases where a Unit4 product is on the Customer’s premise and there is a valid Support agreement/clause between Unit4 and the Customer. Having a DPA is important for both the Customer and Unit4 because it is a direct requirement of the GDPR.
Q: Can I collect clients’ consent for processing their personal data for newsletters and other marketing over the phone?
No, this is insufficient. The GDPR obligates the data controller (Unit4 in this case) to be able to demonstrate (prove) that they have consent from the specific individual, for specific personal data (name, email, phone number) and for specific purposes. Unit4’s Subscription Center is fully GDPR compliant with regards to collecting consent for these purposes.
Unit4 has a Global Data Protection Officer - René Bentvelzen; telephone number: +31882471777; email address: email@example.com. It is possible that there is a local point of contact for each country.