Scope and main features

The new General Data Protection Regulation, as opposed to its predecessor, the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which remains in force until 24 May 2018, has to be applied not only by companies and other organisations in the European Union but also by a controller or a processor not established in the Union that processes personal data of data subjects who are in the Union. Recital 23 explains a little more: "The mere accessibility of a website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union." The GDPR is a "text with EEA relevance", i.e. it also applies to controllers processing personal data of persons residing in countries which are members of the European Economic Area but not of the EU (Norway, Iceland, Liechtenstein). Switzerland has its own data protection law and is recognised as providing equivalent protection of personal data (I will discuss this in more detail in the part about transfer of data to third countries).
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, i.e. with no connection to a professional or commercial activity, nor to the processing of personal data in the framework of the so-called "second and third pillars" (the pillars were abolished by the Lisbon Treaty), i.e. foreign and security policy and the area of police cooperation, the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties and public security. Personal data processed in the framework of the latter activities is subject to Directive (EU) 2016/680 of the European Parliament and of the Council, a directive which has to be transposed into national law by national legislation, where legislators have more room for manoeuvre than in the case of a regulation. The GDPR also defines some areas where Member States can legislate, mainly concerning public authorities, and they have the right to lower the age limit (currently 16 years) under which a child has special rights, but not below 13 years.
The definition of personal data and the main principles and conditions of lawfulness of data processing did not change. The different actors did not change either (except the status of the former "Article 29 Working Party", which becomes the European Data Protection Board and has a special role in cross-border cases). The controller is still the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, while the processor processes personal data on behalf of the controller and shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. This clause is in fact taken over from the directive, but in the new regulation it is preceded by a series of specific rules about what the controller has to define for the processor. A not so small change is that the processor can be instructed directly by the data protection authority.
The lawfulness of processing is so important that it is worth quoting here directly the relevant paragraph of the GDPR:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
As can be seen, consent of the data subject (which is one of the subjects where specific rules apply for children) is one but not the only basis of processing; there may be other grounds which do not require the consent of the data subject.
Still, it is important that the GDPR clarified the conditions of consent (which already had to be freely given, specific and informed under the directive). It has to be freely given, specific, informed and unambiguous. A specific article (Article 7) sets out the conditions:
  • the controller has to be able to demonstrate that the data subject has given consent;
  • if it is given in the context of a written declaration which also concerns other matters, it has to be clearly distinguishable from them and should be in an intelligible and easily accessible form, using clear and plain language;
  • any conditions attached to the consent should be taken into account when deciding whether it was freely given.
Consent can be withdrawn at any time, with effect from the time of withdrawal, i.e. processing carried out before then remains lawful.