In this article we have compiled some basic information in case you are new to GDPR. Please note that the GDPR is a complex piece of legislation and this content does not constitute legal advice. We recommend contacting a dedicated lawyer or data protection officer if you need guidance on this topic.
The General Data Protection Regulation (GDPR) is considered one of the toughest, if not the toughest, sets of data protection rules. Although it is part of EU law, GDPR affects not only organisations in the European Union (EU) and the European Economic Area (EEA) but, under Article 3 of the regulation, any organisation that offers goods or services to people in the EU or monitors their behaviour there, wherever that organisation is established.
We have summarised the rights you have over your personal data as an individual and how companies and organisations should process and store it in order to comply with the European rules.
What is GDPR?
Regulation (EU) 2016/679 (the General Data Protection Regulation) is a privacy and security law drafted and passed by the European Union. Its 99 articles set out the right to the protection of personal data and the limits that companies have on processing personal information. Because it is a regulation rather than a directive, it applies directly in every EU member state without first having to be transposed into national law, which is why it is the common framework for data protection across the continent.
When was it implemented, and why?
GDPR was passed by the European Parliament in 2016 and has applied since 25 May 2018. It was designed to replace the 1995 Data Protection Directive (95/46/EC), as the Internet had changed substantially since then. Banner ads, online banking, and social media companies are examples of how the online landscape developed. Naturally, the legislation needed to be updated to address current personal data issues.
Who does GDPR apply to?
The personal data protected by GDPR ranges from basic information such as name, address, e-mail, and phone number to username, IP address, cookie identifier, and biometric data. Any data that can identify a natural person directly or indirectly is covered, including pseudonyms, gender, ethnicity, religious beliefs, sexual orientation, location information, and political opinions. Some of these (racial or ethnic origin, religious beliefs, political opinions, sexual orientation, biometric data used for identification, health data) are "special categories" under Article 9 and may only be processed under much stricter conditions.
GDPR applies to individuals, companies, and organisations that act as data controllers or data processors. A data controller is the party that decides why and how personal data will be processed, and a data processor is a third party that processes personal data on behalf of a data controller.
Who should be compliant with it?
Although it is an EU law, GDPR applies even to individuals, companies, and organisations outside Europe. Every data controller or processor that offers goods or services to people in the EU, monitors their behaviour, or otherwise processes their personal data should comply with the legislation. Violations can be fined under Article 83 with up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. Controllers and processors must comply even if they are established outside the European Union and do not process the data within the EU.
What are my GDPR rights?
Protection of personal data is the core of GDPR. Your individual rights as a data subject (access, rectification, erasure, restriction of processing, data portability, and objection) are set out in Articles 12 to 22. They rest on the seven fundamental principles of Article 5, which every controller and processor has to follow:
Lawfulness, fairness and transparency: personal data shall be "processed lawfully, fairly and in a transparent manner in relation to the data subject".
Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes is not considered incompatible, subject to the safeguards set out in Article 89.
Data minimisation: individuals, companies, and organisations should not collect more personal data than is necessary for their purposes. It is fine for an online shop to ask for your address, but it would be unreasonable if they asked about your religious beliefs, for example.
Accuracy: personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
Storage limitation: data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing. It may be stored for longer only for the archiving, research or statistical purposes that meet the requirements of Article 89.
Integrity and confidentiality: data controllers and processors must ensure that personal data are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: this principle, new in GDPR (Article 5(2)), makes the controller responsible for compliance with the principles above and requires it to be able to demonstrate that compliance, for example through documented policies, records of processing, and evidence that the measures are actually in place.
How should the data be processed and stored?
GDPR has a series of requirements for how personal data should be processed and stored by businesses. The data controller, who decides about the processing of personal data, may only use processors that provide sufficient guarantees to implement technical and organisational measures that meet GDPR's data protection requirements (Article 28(1)). Moreover, under Article 25 (data protection by design and by default), controllers must ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of data collected, the extent of the processing, the period of storage, and who can access the data.
Additionally, according to Article 32, both controller and processor must implement technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- pseudonymisation and encryption of personal data,
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,
- a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
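Pseudonymisation is the one item on that list that is often done wrong: replacing an e-mail address with a plain SHA-256 hash is not pseudonymisation, because e-mail addresses are low-entropy and anyone with a list of plausible addresses can hash them and match the digests. Article 4(5) defines pseudonymisation as processing the data so that it can no longer be attributed to a person without additional information that is kept separately; a keyed HMAC meets that definition when the key is kept apart from the data. The following is an added example written for this article, not code from any product or regulator: the sample records and field names are constructed, and the key-management choice (a 32-byte secret held outside the data set) is an assumption.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example; the people are fictitious.
RECORDS = [
    {"user_id": 1, "email": "Alice@example.com", "city": "Lisbon", "orders": 3},
    {"user_id": 2, "email": "bob@example.com", "city": "Berlin", "orders": 1},
    {"user_id": 3, "email": "alice@example.com", "city": "Lisbon", "orders": 2},
]

# Direct identifiers to strip from the analytics copy (assumed schema).
DIRECT_IDENTIFIERS = ("user_id", "email")


def normalise(email: str) -> str:
    """Canonical form so the same address always maps to the same pseudonym."""
    return email.strip().lower()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 over the address. Linking the pseudonym back to the address
    requires `key`, which must be stored separately from the pseudonymised data
    (the 'additional information' of Article 4(5))."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(email: str) -> str:
    """Plain SHA-256: NOT an adequate pseudonym for low-entropy identifiers."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def pseudonymise(records, key: bytes):
    """Return an analytics copy with direct identifiers replaced by a keyed
    pseudonym. Records of the same person stay linkable; the e-mail is gone."""
    out = []
    for rec in records:
        copy = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        copy["pseudonym"] = keyed_pseudonym(rec["email"], key)
        out.append(copy)
    return out


def brute_force(digest: str, candidates, hasher):
    """Dictionary attack: recover an address from a digest by hashing guesses
    with `hasher` and comparing. Returns the matching guess or None."""
    for guess in candidates:
        if hmac.compare_digest(hasher(guess), digest):
            return guess
    return None


if __name__ == "__main__":
    # Generate the key once and keep it in a KMS/HSM, never next to the data.
    key = secrets.token_bytes(32)
    pseudo = pseudonymise(RECORDS, key)
    print(pseudo)

    # An attacker holding a list of plausible addresses (e.g. from a breach) ...
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    # ... reverses an unkeyed hash immediately:
    print(brute_force(unkeyed_hash("alice@example.com"), guesses, unkeyed_hash))
    # ... but cannot reverse the keyed pseudonym without the real key:
    print(brute_force(pseudo[0]["pseudonym"], guesses,
                      lambda g: keyed_pseudonym(g, b"wrong-key")))
```

Note that the keyed pseudonym still lets the analytics team join all records of one person, which is the point of pseudonymising rather than anonymising; it also means the data set remains personal data under GDPR, because whoever holds the key can re-identify people. Rotating the key produces an unrelated set of pseudonyms, so rotation is a way to break linkage with older exports at the end of a retention period.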
The responsibilities of data processors are addressed in Article 28(3). Processing by a processor must be governed by a contract or other legal act that sets out the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
At the choice of the controller, the data processor must delete or return all personal data to the controller after the end of the services relating to the processing, and must delete all existing copies unless Union or Member State law requires the data to be stored.