- What is the General Data Protection Regulation (GDPR)?
- Why is the GDPR important to me or my organization?
- Does the GDPR apply only to EU-based organizations?
- What are ‘personal data’ and ‘data subject’?
- What is ‘processing’ of personal data?
- What are a ‘controller’ and a ‘processor’?
- What are the data subject’s rights?
- Can personal data be transferred outside the EU?
- What is a ‘Data Protection Officer’ (DPO) and does my organization need to have one?
- What about conflict of interest regarding the DPO?
- Is there a controlling institution?
- My company is a small or medium enterprise, does the GDPR still apply to it?
- Is consent the only legal ground on which personal data can be processed?
What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation, or simply the ‘GDPR’ (Regulation (EU) 2016/679), is the current data protection legislation of the European Union (EU). It becomes applicable on 25 May 2018 and replaces the previous Data Protection Directive (95/46/EC) and the national laws that implemented it. Because it is a regulation rather than a directive, it applies directly in every Member State, so the core data protection rules are the same across the EU (Member States retain only limited room for national derogations). The aim of the GDPR is to protect the privacy and personal data of individuals (data subjects) in the EU.
Why is the GDPR important to me or my organization?

The regulation protects every person in the European Union, independent of their nationality. Because personal data about people in the EU is stored and processed all over the world, the geographical scope of the GDPR reaches far beyond the borders of the EU, which makes it relevant globally. In essence, both public and private sector organizations that deal with the personal data of people in the EU must comply with the new rules on processing from 25 May 2018. The GDPR builds on the existing EU data protection principles and rules and develops them further by adding new rights for data subjects (natural persons) and new obligations for controllers and processors of personal data. The European legislator backs this with hefty administrative fines for non-compliance: depending on the infringement, they can reach 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of the GDPR).
Does the GDPR apply only to EU-based organizations?

No. The GDPR applies:
- to organizations established in the EU that process personal data in the context of the activities of that establishment, regardless of whether the processing itself takes place in the Union or not (Article 3(1) of the GDPR);
- to organizations outside the EU, where the personal data being processed relates to individuals (data subjects) in the EU and the processing activities are related to either 1) the offering of goods or services to those individuals, whether or not a payment is required, or 2) the monitoring of their behavior, as far as that behavior takes place within the EU (Article 3(2) of the GDPR);
- to organizations outside the EU in a place where Member State law applies by virtue of public international law, for example a Member State's diplomatic mission or consular post (Article 3(3) of the GDPR).
What are ‘personal data’ and ‘data subject’?

The GDPR defines ‘personal data’ as any information relating to a data subject, and a ‘data subject’ as an identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to identifiers such as a name, an identification number (like a social security number), location data, an online identifier (an IP address or a cookie ID, for instance) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Article 4(1) of the GDPR). In practice this means that data which does not name anyone, but which can still be linked back to a specific person, is personal data too.
What is ‘processing’ of personal data?

The GDPR defines ‘processing’ as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (Article 4(2) of the GDPR). The definition goes on to list examples which are always processing: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The list is non-exhaustive; it illustrates the breadth of the term rather than limiting it, so even an action performed on personal data that does not literally appear in the list will very likely be treated as processing by the supervisory authorities or a European court. In particular, simply storing personal data (for example in a backup or a log file) is processing, so a system that retains personal data without actively using it is still in scope.
What are a ‘controller’ and a ‘processor’?

- A ‘controller’ is anyone (a natural or legal person, public authority, agency or other body) who, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR).
- A ‘processor’ is anyone who processes personal data on behalf of the controller (Article 4(8) of the GDPR), for example a hosting provider or a SaaS vendor acting on its customer's instructions.

Although the two roles share some obligations, the distinction matters because the controller decides why and how data is processed and therefore carries the larger set of obligations and the primary liability for non-compliance with the GDPR. Unlike under the previous Directive, however, processors also have direct obligations of their own, including processing only on the controller's documented instructions under a written contract (Article 28), implementing appropriate security measures (Article 32) and notifying the controller of personal data breaches without undue delay (Article 33(2)).
What are the data subject’s rights?

The data subject (a natural person) has a set of rights under the GDPR, and in most cases the one obligated to fulfill them is the controller. Some of the more important rights are:
- Access (Article 15) – the right to obtain from the controller confirmation as to whether or not personal data concerning the data subject is being processed and, if so, access to that data and information about the processing;
- Rectification (Article 16) – the right to obtain from the controller without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed;
- Erasure, a.k.a. ‘the right to be forgotten’ (Article 17) – the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, subject to the exceptions in Article 17(3), for example where the data is still needed to comply with a legal obligation;
- Data portability (Article 20) – the right to receive the personal data the data subject has provided to the controller in a structured, commonly used and machine-readable format, and to transmit it to another controller;
- Not to be subject to automated individual decision-making (Article 22) – the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

The GDPR also gives data subjects the right to restriction of processing (Article 18) and the right to object (Article 21). The controller must respond to a request without undue delay and in any event within one month, extendable by two further months in complex cases (Article 12(3)).
Can personal data be transferred outside the EU?

Personal data transfers outside the borders of the EU are generally permitted but heavily regulated, because the EU wants to prevent the GDPR from being circumvented by moving data to third countries. In essence, the law aims to ensure that the level of protection it guarantees to natural persons is not undermined (Articles 44 to 50 and Recital 101 and following of the GDPR). The main routes are:
- an adequacy decision of the European Commission, which finds that a third country, territory, sector or international organization ensures an adequate level of protection, so that transfers there need no further authorization (Article 45);
- appropriate safeguards where there is no adequacy decision, most commonly standard contractual clauses adopted by the Commission or binding corporate rules approved by a supervisory authority (Articles 46 and 47);
- derogations for specific situations, such as the data subject's explicit consent after being informed of the risks (Article 49).

The Commission therefore plays a central role in the supervision of international transfers. When the GDPR became applicable in 2018, one adequacy arrangement in place was the Privacy Shield Framework (PSF), which actually consists of two parallel frameworks, EU-U.S. and Swiss-U.S. The Privacy Shield website lets you check who is certified under the PSF, and global corporations like Google, Microsoft, Amazon and Cisco Systems have their certification in place. Note, however, that the Court of Justice of the EU later invalidated the EU-U.S. Privacy Shield adequacy decision (Case C-311/18, ‘Schrems II’, 16 July 2020), so it can no longer be relied on as a transfer mechanism; standard contractual clauses and binding corporate rules remain available, but the transferring organization must assess whether the law of the destination country allows the protection to be upheld in practice.
What is a ‘Data Protection Officer’ (DPO) and does my organization need to have one?

A Data Protection Officer is the person designated by a controller or processor to inform and advise it on its GDPR obligations, to monitor compliance, and to act as the contact point for the supervisory authority and for data subjects (Articles 37 to 39 of the GDPR). Controllers and processors are obligated to designate a DPO in several cases:
- where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (such as racial or ethnic origin, religious beliefs, health data or sexual orientation; Article 9) or of personal data relating to criminal convictions and offences (Article 10).

A company must have a DPO if the processing of personal data it performs falls under one (or more) of these scenarios (Article 37(1) of the GDPR). An organization that is not obliged to appoint a DPO may still do so voluntarily, in which case the same rules on the DPO's position and tasks apply.
What about conflict of interest regarding the DPO?

A conflict of interest may arise if the DPO also performs ‘other tasks and duties’ that fall outside the scope of the DPO role. The controller or processor is obligated to ensure that any such tasks and duties do not result in a conflict of interest (Article 38(6) of the GDPR). In practice this means that the DPO cannot hold a position that leads him or her to determine the purposes and means of the processing, since the DPO would then be monitoring his or her own decisions. As a rule of thumb, conflicting positions include senior management roles (such as chief executive, chief operating, chief financial or chief medical officer, head of marketing, head of human resources or head of IT) but also roles lower down in the organizational structure if they involve determining the purposes and means of processing (Article 29 Working Party DPO FAQs, page 5).
Is there a controlling institution?

Yes. Each Member State provides for one or more independent public authorities (supervisory authorities, commonly called Data Protection Authorities or DPAs) responsible for monitoring the application of the GDPR. Their goal is to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU (Article 51(1) of the GDPR). Each supervisory authority has a wide array of investigative, corrective, authorization and advisory powers (Article 58 of the GDPR), including the power to order a temporary or definitive ban on processing and to impose the administrative fines mentioned above, and controllers and processors must cooperate with it on request (Article 31). At EU level the authorities coordinate through the European Data Protection Board (Article 68), which replaces the Article 29 Working Party.
My company is a small or medium enterprise, does the GDPR still apply to it?

Yes. Company size is irrelevant to whether the law applies; a controller or processor could even be a single natural person, if he or she is processing personal data in the course of a professional or commercial activity (purely personal or household activities are excluded by Article 2(2)(c)). The regulation does lighten a few obligations for smaller organizations: for example, the duty to keep records of processing activities does not apply to organizations with fewer than 250 employees unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data or criminal conviction data (Article 30(5)). The core rules, however, apply to everyone.
Is consent the only legal ground on which personal data can be processed?

No. Consent is just one of six legal grounds for processing personal data, and it is often not the most suitable one, because it must be freely given, specific, informed and unambiguous, and can be withdrawn at any time (Articles 4(11) and 7 of the GDPR). The GDPR allows personal data to be lawfully processed without consent in many everyday situations. For example, when someone applies for a job and sends a CV containing personal information, that data can be stored for the recruitment process because it is needed to take steps at the applicant's request before a possible employment contract; and when health-related details must be disclosed to save the life of a road traffic accident victim, the processing protects that person's vital interests.

More precisely, consent is the ground in Article 6(1)(a); the other legal grounds for processing personal data are:
- where processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b));
- where processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c));
- where processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6(1)(d));
- where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)); and
- where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f)).

Whichever ground is relied on, the controller must identify it before the processing starts and state it in the information given to data subjects (Articles 13(1)(c) and 14(1)(c) of the GDPR).