THE EUROPEAN UNION'S GENERAL DATA PROTECTION REGULATION: WHAT YOU NEED TO KNOW

The General Data Protection Regulation (GDPR) covers all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data and rules relating to the free movement of personal data, including the obligations on the controller and the rights of natural persons. 

The GDPR is the world’s most robust set of data protection rules and can be considered the most essential and distinctive EU Regulation, since it has international reach: it also applies to third countries.

The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union and where the processing activities are related to offering goods or services to such data subjects, regardless of whether the processing takes place in the Union or not.

However, given the legal complexity, the Member States, companies and public bodies are still struggling to meet the legal requirements. Many aspects are still pending further development and specification. The Member States, the supervisory authorities, the European Data Protection Committee and the Commission must specify a multitude of elements in the GDPR that remain too ambiguous.

Here are some key things you need to know about this Regulation:

Principles

GDPR’s seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.

Consent 

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to them, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. The controller should be able to demonstrate that the data subject has given consent to the processing operation.

The data subject shall have the right to withdraw their consent at any time. 

Rights of the data subject

  • Right to rectification: the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning them.
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing
  • Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Right to data portability
  • Right to object
  • Right to an effective judicial remedy against a controller or processor

Transparent information, communication and modalities

Transparency

Any information and communication relating to the processing of personal data should be easily accessible and easy to understand, using clear and plain language.

Information and communication
The controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  • The identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • The contact details of the data protection officer, where applicable;
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • The legitimate interests pursued by the controller or by a third party;
  • The recipients or categories of recipients of the personal data.

Additional information:

  • The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  • The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to the processing, as well as the right to data portability.

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:

  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
  • The right to lodge a complaint with a supervisory authority.

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate in clear and plain language the nature of the personal data breach to the data subject without undue delay.

Sensitive data

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited, except under certain limited conditions and situations.

The main establishment of the data controller

The main establishment of a controller in the Union should be the place of its central administration in the Union unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment.

Supervisory authority

Each Member State shall provide for one or more independent public authorities to monitor the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’). Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers.

Designation of a representative when the controller or processor is not established in the Union

Where a controller or processor not established in the Union is processing personal data of data subjects who are in the Union, and the processing activities are related to the offering of goods or services to such data subjects in the Union or to the monitoring of their behaviour in so far as their behaviour takes place within the Union, the controller or processor should designate a representative, unless the processing is occasional, does not include large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.

The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf concerning its obligations under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities concerning any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Data processing within the EU

To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. 

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the controller’s obligations. 

The controller and the processor shall implement appropriate technical and organizational measures to ensure a proper level of security.

Data transfer to third countries

Transfers of personal data from the Union to controllers, processors or other recipients in third countries or to international organizations may take place only if the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor.

The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union. In particular, the third country should ensure adequate independent data protection supervision. It should provide for cooperation mechanisms with the Member States’ data protection authorities, and the data subjects should be provided with sufficient and enforceable rights and effective administrative and judicial redress.

The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organization, offers an adequate level of data protection. In such cases, transfers of personal data to that third country or international organization may occur without the need to obtain any further authorization. 

The Commission may also revoke such a decision and prohibit the transfer of personal data to that third country or international organization when it no longer ensures an adequate level of data protection.

Breaches and fines

States, organizations and businesses that don’t comply with the GDPR provisions can face penalties and fines.