Skip to main content

Scope and main features

The new General Data Protection  Regulation - as opposed to its predecessor, the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which is actually in force till the 24th May 2018, has to be applied not only by companies and other organisation in the European Union but also by a controller or a processor not established in the Union processing of personal data of data subjects who are in the Union. Recital 23 explains a little more: The mere accessibility of a website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union. The GDPS is a "text with EEA relevance", i.e. it is also applicable to controllers processing personal data of persons residing in countries who are members of the European Economic Area but not members of the EU (Norway, Iceland, Liechtenstein). Switzerland has its own data protection law and is recognised as providing equivalent protection of personal data (in the part about transfer of data to third countries I will talk about this in more detail).
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity, to the processing of personal data in the framework of the so-called "second and third pillars" (the pillars were abolished in the Lisbon treaty), i.e. the foreign and security policy and the area of police cooperation, prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, public security. Personal data in the framework of the latter activities is subject to the Directive (EU) 2016/680 of the European Parliament and of the Council - a directive which has to be transposed into national law by national legislation where the legislators have more manoeuvring space than in the case of a regulation. The GDPR also defines some areas where member states can legislate, mainly in the area of public authorities and they have the right to lower the age limit (actually 16 years) under which a child has special rights, but not lower than 13 years.
The definition of personal data and the main principles and conditions of lawfulness of data processing did not change. The different actors did not change either (except the status of the former "Article 29 working party" which becomes the European Data Protection Board - which has a special role in cross-boarder cases). The controller is still the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data while the processor processes personal data on behalf of the controller and shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. This clause is actually taken over from the directive but is preceded in the new regulation by a series of specific rules about what the controller has to define for the processor. A not so small change is that the processor can be instructed directly be the data protection authority.
The lawfulness of processing is so impertant that it is worth quoting here directly the relevant paragraph of the GDPR:
(a)
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b)
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c)
processing is necessary for compliance with a legal obligation to which the controller is subject;
(d)
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e)
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
As it can be seen, consent of the data subject (which is actually one of the subjects where specific rules apply for children) is one but not the only basis of processing, there may be other grounds which do not require the consent of the data subject.
Still it is important that the GDPR clarified the conditions of consent (which had to be freely given specific and informed in the directive also). It has to be freely given, specific, informed and unambiguous.  A specific article (Article 7) specifies the conditions:
  • the controller has to be able to demonstrate that the data subject has given consent
  • if it is given in the context of a written declaration which also concerns other matters, it has to be clearly distinguishable from them and should be in an intelligible and easily accessible form, using clear and plain language
  • the conditions should be taken into account when deciding whether consent was freely given.
Consent can be withdrawn at any time - with effect to the time of withdrawal, i.e. processing of data till then remains legitimate.




Labels:

Comments

Post a Comment

Popular posts from this blog

A Hungarian case about processing data based on law - what are the requirements?

This question can be interesting in respect of the latest change in Hungarian health data processing: doctors performing health on the workplace tests are obliged to upload the entire files to the common health space where access is not as limited as it should be. The concrete case adjudicated by the European Court of Justice concerns the processing of COVID vaccination data, also based on national law. For processing based on a legal obligation to which the controller is subject, Member Statesmay maintan and introduce specific provisions determining more specific requirements and can also describe features of the processing, including measures to ensure fair and lawful processing. Processing of special categories of data (including health data) for reasons of substantial public interest (in any area) or of public interest in the area of public health requires that the élaw should provide for suitable and specific measures to safeguard the fundamental rights and interests of the data ...
Post a Comment
Read more

Doubts around data transfer - use of derogations

 A lot happened since Schrems-II , among others the European Data Protection Board published a FAQ document , a guidance on essential guarantees for surveillance measures      and submitted another guidance , on measures that supplement transfer tools. Transfer tools are either safeguards which ensure that data subjects enjoy adequate protection of their privacy at the place and in the organisation to where their data are transferred or derogations which enable transfer essentially without adequate protection. I used the term adequate protection and previously the view was that the protection ensured need not be identical with that in the EU. The Schrems II judgment, however, speaks about equivalent protection and this is stronger. In case the derogations (according to article 49 GDPR) are used, the EDPB is of the view that the last sentence of Article 44 GDPR (All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural...
Post a Comment
Read more

The right to information and data subject access requests

The European Court of Justice dealt with some cases concerning data subject access requests and clarified the scope of certain information to be provided. 1. The right to informationThe data subjects have the right to be informed about how their personal data are processed by the controller. This information has to be provided using a privacy statement which is also called data protection notice. The privacy statement has a set content which serves not only to inform data subjects about which of their personal data are processed and how but also to assure them that their personal data are processed in compliance with EU rules. Some information in the privacy statements is nevertheless general and therefore data subjects can request further information and access to the personal data the controller processes about them. Privacy statements can be displayed on the webpages of the controller. Some controllers publish one comprehensive privacy statement which contains information about vari...
Post a Comment
Read more