The General Data Protection Regulation (GDPR) covers all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data and rules relating to the free movement of personal data, including the obligations on the controller and the rights of natural persons.
The GDPR is the world’s most robust set of data protection rules and can be considered the most essential and unique EU Regulation since it has an international reach. It also applies to third countries.
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union and where the processing activities are related to offering goods or services to such data subjects, regardless of whether the processing takes place in the Union or not.
However, given the legal complexity, the Member States, companies and public bodies are still struggling to meet the legal requirements. Many aspects are still pending further development and clarification. The Member States, supervisory authorities, the European Data Protection Committee and the Commission must specify a multitude of elements in the GDPR that remain too ambiguous.
Here are some key things you need to know about this Regulation:
GDPR’s seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to them, such as by a written statement, including electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. The controller should be able to demonstrate that the data subject has given consent to the processing operation.
The data subject shall have the right to withdraw their consent at any time.
Rights of the data subject
Transparent information, communication and modalities
Any information and communication relating to the processing of personal data should be easily accessible and easy to understand, using clear and plain language.
Information and communication
The controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate in clear and plain language the nature of the personal data breach to the data subject without undue delay.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited, except in certain limited conditions and situations.
The main establishment of the data controller
The main establishment of a controller in the Union should be the place of its central administration in the Union unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment.
Each Member State shall provide for one or more independent public authorities to monitor the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’). Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers.
Designation of a representative when the controller or a processor is not established in the Union
When that controller or processor is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.
The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf concerning its obligations under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities concerning any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
Data processing within the EU
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing.
The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the controller’s obligations.
The controller and the processor shall implement appropriate technical and organizational measures to ensure a proper level of security.
Data transfer to third countries
Transfers of personal data from the Union to controllers, processors or other recipients in third countries or to international organizations may take place only if the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor.
The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union. In particular, the third country should ensure adequate independent data protection supervision. It should provide for cooperation mechanisms with the Member States’ data protection authorities, and the data subjects should be provided with sufficient and enforceable rights and effective administrative and judicial redress.
The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organization, offers an adequate level of data protection. In such cases, transfers of personal data to that third country or international organization may occur without the need to obtain any further authorization.
The Commission may also revoke such a decision and prohibit transferring personal data to that third country or international organization when they no longer ensure an adequate level of data protection.
Breaches and fines
States, organizations and businesses that don’t comply with the GDPR provisions can face penalties and fines.