What is the General Data Protection Regulation?
The General Data Protection Regulation or GDPR will come into effect across the EU on the 25th of May 2018 repealing the current Data Protection Directive (Directive 95/46/EC) and establishing a single legal framework aimed at regulating data protection matters across the EU.
The GDPR affects businesses established in the EU, but it also imposes obligations on businesses established outside the EU where those businesses offer goods or services to data subjects within the EU, or where they monitor the behaviour of data subjects within the EU.
Despite building upon the principles of data protection already in place, the GDPR introduces various changes aimed at increasing data subject rights regarding the processing of their personal data as well as requiring businesses to review how they deal with protecting personal data they hold.
This document will give a brief overview of the most salient features of the GDPR.
What is considered personal data?
As defined under the GDPR, personal data refers to any information relating to an identified or identifiable natural person, known as the ‘data subject’.
An identifiable natural person is one who can be identified, directly or indirectly, through details including a name, an identification number or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data controllers vs. data processors
You are considered a data controller if you are the person or company that determines the purposes and means of processing the personal data held. For example, an employer who is required to collect data in order to process his employees’ payroll is a data controller, since he is the one who decides the purposes and means of processing that personal data.
On the other hand, data processors are those people or companies that process personal data on behalf of the data controller. For example, payroll service providers are data processors, since they process personal data provided to them by the controller, and do so on the data controller’s behalf.
On what basis can a data controller process personal data?
Article 6 of the GDPR lists the legal bases upon which a data controller can process personal data. These are the following:
- The data subject has given consent to the processing of his personal data for one or more specific purposes. It is important to note that the GDPR sets stricter requirements for consent, hence one must ensure that consent given by data subjects satisfies all of those requirements;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering the contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or the exercise of an official authority vested in the data controller;
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly when the data subject is a child.
The GDPR introduces a number of data subject rights which include:
- The right of the data subject to be provided with certain specific information, in clear and plain language, regarding the personal data being collected, including the purpose of the processing, the legal basis of the processing, the recipients or categories of recipients of such personal data, the retention period of such data and the specific data subject rights;
- The right of the data subject to request access to the personal data held on him by the data controller;
- The right to request the data controller to rectify any erroneous personal data or add any missing personal data;
- The right to withdraw consent, if the legal basis of such processing of personal data is based on consent;
- The right to request that the data controller erase personal data held on him by the data controller, known as the right to be forgotten;
- The right to data portability;
- The right to object to the processing of personal data concerning him or her.
Severe administrative fines are envisaged by the GDPR in cases of non-compliance. Breaches of some of the GDPR’s provisions can lead to administrative fines of up to €20 million or 4% of the global turnover of the business for the preceding financial year, whichever is higher.
In cases of other breaches, the supervisory authority can impose an administrative fine of up to €10 million or 2% of global annual turnover, whichever is greater.