The General Data Protection Regulation (GDPR) is a European regulation (so with direct effect in the Member States) on the ‘protection of natural persons with regard to the processing of personal data and on the free movement of such data’. It protects data subjects who are in the EU regardless of their nationality; the common shorthand ‘European citizens’ is imprecise.


The regulation applies worldwide to all companies and organisations that hold and process personal data of persons in the EU, whether or not the service or product is paid for. In the Netherlands it is known as the AVG (Algemene verordening gegevensbescherming). It replaces the 1995 Data Protection Directive, which no longer matched the current digital world.

The GDPR entered into force in May 2016. From that moment organisations were expected to bring their operations into line with it, with a transition period until 25 May 2018; since that date anyone may hold organisations accountable for compliance. The maximum fine is EUR 20 million or, for an undertaking, 4% of the total worldwide annual turnover, whichever is higher. Separate legislation (the Law Enforcement Directive, see below) applies to the police and the prosecution service.

The EU proposal was for the GDPR to be accompanied by an e-Privacy Regulation from 25 May 2018. The EU-US Privacy Shield was an arrangement on the protection of personal data of EU data subjects transferred to the US; it was invalidated by the Court of Justice of the EU in July 2020 (Schrems II).

Principles

Personal data is any data that can be linked to an individual, or with which an individual can be identified: name, photo, telephone number, address, bank account number, e-mail address, IP address, fingerprint, medical data, and so on (the list is long).

The following rules must be followed:

  • lawfulness, fairness and transparency:
    the data subject knows that and why their data is processed, on which legal basis (consent is only one of several), and what their rights are
  • purpose limitation:
    the personal data is collected for a specific, legitimate purpose and may not be further used for incompatible purposes
  • data minimisation:
    only the data necessary for the intended purpose may be collected
  • accuracy:
    the personal data must be correct and kept up to date
  • storage limitation:
    the personal data may not be kept longer than necessary for the intended purpose
  • integrity and confidentiality:
    the personal data must be protected against unauthorised access, loss or destruction
  • accountability:
    the controller must be able to demonstrate compliance with these rules

Content

Scope

The Regulation applies if the controller (the organisation that decides why and how personal data is processed) or the processor (an organisation that processes data on behalf of a controller, such as a cloud service provider) is established in the EU. It also applies to organisations established outside the EU that process personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour. According to the European Commission, “personal data is all data relating to an individual, regardless of whether it concerns his private, professional or public life. It can be a name, a home address, a photo, an e-mail address, bank details, messages on social networking sites, medical information or the IP address of a computer.”

The Regulation is not intended to apply to the processing of personal data for national security or law enforcement activities in the EU. Industry groups concerned about potential conflicts of law have, however, asked whether Article 48 may be invoked to prevent a controller that is subject to the law of a third country from complying with an order of that country’s law enforcement, judicial or national security authorities to transfer personal data of an EU data subject, regardless of whether the data is held inside or outside the EU. Article 48 states that a judgment of a court or a decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State. The data protection reform package also includes a separate data protection directive for the police and criminal justice sector (the Law Enforcement Directive) with rules for the exchange of personal data at national, European and international level.

One set of rules and a one-stop shop

The same rules apply in all Member States of the EU. Each Member State sets up an independent supervisory authority to hear and investigate complaints, sanction administrative offences, and so on. The supervisory authorities of the Member States cooperate with one another, provide mutual assistance and organise joint operations. If a company has establishments in several Member States, it has a single supervisory authority as its “lead authority”, determined by the location of its “main establishment”, where the main processing decisions are taken. A European Data Protection Board coordinates the supervisory authorities; this Board replaces the Article 29 Working Party.

There are exceptions for data processed in the employment context or for national security that may remain subject to national rules (Article 2(2)(a) and Article 88 GDPR).

Responsibility and Accountability

The notice requirements remain and are expanded. Notices must include the retention period for the personal data and the contact details of the controller and of the data protection officer.

Automated individual decision-making, including profiling (Article 22), can be contested, as under the Data Protection Directive (Article 15). Data subjects have the right to question and to contest significant decisions affecting them that are based solely on automated processing.

To demonstrate compliance with the GDPR, the controller must implement measures that meet the principles of data protection by design (privacy by design) and data protection by default (privacy by default). Article 25 requires data protection measures to be built into the design of business processes, products and services. Such measures include pseudonymising personal data as early as possible (recital 78).

It is the responsibility and liability of the controller to implement effective measures and to be able to demonstrate the compliance of the processing activities, even where the processing is carried out by a processor on the controller’s behalf (recital 74).

Where processing is likely to result in a high risk to the rights and freedoms of data subjects, a data protection impact assessment (Article 35) must be carried out. Risks must be assessed and mitigated, and where the residual risk remains high the controller must consult the supervisory authority before processing (Article 36). Data protection officers (Articles 37 to 39) are required to oversee compliance within organisations.

A data protection officer must be designated:

  • for all public authorities and bodies, except courts acting in their judicial capacity
  • where the core activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data under Article 9 or of personal data relating to criminal convictions and offences under Article 10.

Legal basis for processing

Personal data may not be processed unless at least one legal basis applies:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Consent

Where consent is the legal basis for processing, it must be freely given, specific, informed and unambiguous for the data collected and the purposes for which it is used (Article 7; definition in Article 4(11)); explicit consent is required for special categories of data (Article 9). For a child below the applicable age (16 by default, which Member States may lower to no less than 13), consent for online services must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this (Article 8). Controllers must be able to demonstrate that consent was given, and the data subject may withdraw consent at any time.

Data protection officer

Where processing is carried out by a public authority (other than a court acting in its judicial capacity), or in the private sector by a controller whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, a person with expert knowledge of data protection law and practice must assist the controller or processor in monitoring internal compliance with the Regulation.

The data protection officer is comparable to a compliance officer but is also expected to be proficient in managing IT processes, data security (including the handling of cyber attacks) and other business-critical aspects of retaining and processing personal and sensitive data. The skills required therefore go beyond understanding legal compliance with data protection laws and regulations.

Appointing a data protection officer in a large organisation is a challenge for the board as well as for the individual appointed. There are numerous governance and human-factors issues that organisations must address given the scale and nature of the role. In addition, the DPO must have a support team and is responsible for their own continued professional development, so as to remain independent of the organisation that employs them, effectively acting as a “mini-authority”.

More detail on the function and role of the data protection officer was provided in the Article 29 Working Party guidelines adopted on 13 December 2016 (revised on 5 April 2017).

Pseudonymization

The GDPR defines pseudonymisation as processing personal data in such a way that the resulting data can no longer be attributed to a specific data subject without the use of additional information. Encryption is one example: the original data becomes unintelligible and the transformation cannot be reversed without the correct decryption key. The GDPR requires that the additional information (such as the decryption key) is kept separately from the pseudonymised data and protected by technical and organisational measures.

Another example of pseudonymisation is tokenisation, a non-mathematical approach to protecting data at rest that replaces sensitive values with non-sensitive substitutes called tokens. The tokens have no extrinsic or exploitable meaning or value. Tokenisation does not change the type or length of the data, so it can be handled by legacy systems such as databases that are sensitive to the length and type of a field.

Tokenised data also needs far fewer computing resources to process and less storage space than conventionally encrypted data, because selected fields can be kept fully or partially visible for processing and analysis while the sensitive values remain hidden.

Pseudonymisation is recommended to reduce the risks to data subjects and to help controllers and processors meet their data protection obligations (recital 28).

While the GDPR encourages the use of pseudonymisation to “reduce the risks to data subjects” (recital 28), pseudonymised data is still considered personal data (recital 26) and thus remains subject to the GDPR.
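The two techniques described above (keyed transformation with a separately held secret, and format-preserving tokenisation with a separately held vault) can be shown in code. The following is an added example and not part of the original article; the record, the key and the field names are constructed for illustration. The keyed variant uses HMAC-SHA256 rather than plain hashing, because an unkeyed hash of a phone number or e-mail address can be reversed by hashing every plausible value; with the key stored apart from the dataset, the output is a pseudonym in the sense of Article 4(5).

```python
"""Pseudonymisation in the sense of GDPR Article 4(5): the transformed data
cannot be attributed to a data subject without 'additional information'
that is kept separately. Two techniques are shown:

  1. Keyed pseudonyms (HMAC-SHA256): deterministic, so records about the
     same person can still be joined, but not reversible or guessable
     without the key. The key is the additional information.
  2. Format-preserving tokenisation with a separate vault: tokens keep the
     type and length of the original value, so legacy schemas still accept
     them; re-identification needs the vault.

The record and key below are constructed sample data for this example.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample record; none of this is real personal data.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "name": "Alice Example",
    "email": "alice@example.org",
    "phone": "+31612345678",
    "purchase_total": 129.95,
}
# Constructed key. In production generate it once, keep it in a KMS or HSM,
# and never store it alongside the pseudonymised dataset.
SAMPLE_KEY = bytes.fromhex("0f" * 32)

# Direct identifiers to transform; the remaining fields stay usable for analysis.
IDENTIFYING_FIELDS = ("name", "email", "phone")


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of `value` under a secret key, as a 64-character hex string."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields=IDENTIFYING_FIELDS) -> dict:
    """Copy of `record` with each identifying field replaced by its keyed pseudonym."""
    out = dict(record)
    for name in fields:
        if out.get(name) is not None:
            out[name] = keyed_pseudonym(str(out[name]), key)
    return out


@dataclass
class TokenVault:
    """Reversible, format-preserving tokenisation.

    Digits map to random digits, letters to random letters of the same case,
    and separators ('@', '.', '+', ' ') are kept, so a token has the same
    length and character classes as the original. The token -> value mapping
    exists only in this vault, which must be stored apart from the data.
    """
    _to_token: dict = field(default_factory=dict)
    _to_value: dict = field(default_factory=dict)

    @staticmethod
    def _same_class(ch: str) -> str:
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isupper():
            return secrets.choice(string.ascii_uppercase)
        if ch.islower():
            return secrets.choice(string.ascii_lowercase)
        return ch  # separators are preserved

    def tokenise(self, value: str) -> str:
        """Return the token for `value`, reusing it if the value was seen before."""
        if value in self._to_token:
            return self._to_token[value]
        for _ in range(1000):  # retry on the rare collision with an existing token
            token = "".join(self._same_class(c) for c in value)
            if token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenise(self, token: str) -> str:
        """Re-identify a token; only possible for whoever holds the vault."""
        return self._to_value[token]


def tokenise_record(record: dict, vault: TokenVault, fields=IDENTIFYING_FIELDS) -> dict:
    """Copy of `record` with identifying fields replaced by vault tokens."""
    out = dict(record)
    for name in fields:
        if out.get(name) is not None:
            out[name] = vault.tokenise(str(out[name]))
    return out


if __name__ == "__main__":
    print(pseudonymise_record(SAMPLE_RECORD, SAMPLE_KEY))
    vault = TokenVault()
    tokenised = tokenise_record(SAMPLE_RECORD, vault)
    print(tokenised)
    print(vault.detokenise(tokenised["email"]))
```

Both outputs remain personal data under recital 26, since whoever holds the key or the vault can re-identify the records; the point of keeping them separate is that a breach of the pseudonymised dataset alone does not expose the data subjects.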

Data breach

Under the GDPR the controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Article 33). Data subjects themselves must be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34). A processor must notify the controller of a breach without undue delay (Article 33(2)).

Notification of data subjects is not required if the controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to anyone not authorised to access it, such as encryption (Article 34(3)).

Sanctions

The following sanctions can be imposed:

  • a written warning in cases of first and unintentional non-compliance
  • periodic data protection audits
  • a fine of up to EUR 10 million or, for an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of (Article 83(4)):
    • the obligations of the controller and processor under Articles 8, 11, 25 to 39, 42 and 43
    • the obligations of the certification body under Articles 42 and 43
    • the obligations of the monitoring body under Article 41(4)
  • a fine of up to EUR 20 million or, for an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of (Article 83(5) and (6)):
    • the basic principles for processing, including the conditions for consent, under Articles 5, 6, 7 and 9
    • the rights of data subjects under Articles 12 to 22
    • the rules on transfers of personal data to a recipient in a third country or an international organisation under Articles 44 to 49
    • any obligations under Member State law adopted under Chapter IX
    • non-compliance with an order or a temporary or definitive limitation on processing or suspension of data flows by the supervisory authority under Article 58(2), or failure to provide access in violation of Article 58(1)

Privacy rights

The GDPR grants data subjects the following rights, among other things.

Right of access

The right of access (Article 15) gives data subjects the right to obtain their personal data and information about how it is processed. On request the controller must provide an overview of the categories of data being processed (Article 15(1)(b)) and a copy of the data itself (Article 15(3)). The controller must also inform the data subject of the details of the processing, such as its purpose (Article 15(1)(a)), the recipients with whom the data is or will be shared (Article 15(1)(c)) and, where the data was not collected from the data subject, its source (Article 15(1)(g)).

Right to correction and deletion

The right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data concerning them on any of a number of grounds, including non-compliance with Article 6(1) (lawfulness), which includes the case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data (see also Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).

Right to data portability

A person must be able to transfer their personal data from one electronic processing system to another without being prevented from doing so by the controller. Data that has been sufficiently anonymised is excluded, but data that has only been de-identified and can still be linked to the individual, for example because he or she supplies the relevant identifier, is not excluded. Both data “provided” by the data subject and “observed” data, for example about their behaviour, fall within the scope of this right. The controller must provide the data in a structured, commonly used and machine-readable format. The right to data portability is laid down in Article 20 of the GDPR. Legal experts see in the final version of this measure a “new right” that “goes beyond the portability of data between two controllers as provided for in Article 18”. (Note: the article was renumbered to Article 20 in the final text; the quotation was correct at the time.)

Limitations

The following fall outside the Regulation or are left to national law:

  • national security, the armed forces, the police and the justice system
  • statistical and scientific research (subject to the safeguards of Article 89)
  • deceased persons, who are governed by national law
  • employer-employee relationships, for which Member States may adopt specific rules
  • processing of personal data by a natural person in the course of a purely personal or household activity

 

Source: Wikipedia