A GDPR summary that’s going to help you understand this European data protection regulation.
“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right ‘to be let alone.’ Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life, and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’” — Warren and Brandeis, 1890
What is Privacy?
There are many definitions for the word “Privacy”:
- Privacy is the state or condition of being free from being observed or disturbed by other people.
- Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals.
- Privacy is secrecy.
- Privacy is a fundamental human right that underpins freedom of association, thought and expression, as well as freedom from discrimination.
- Privacy is the right to control how information about one is used, processed, stored, or shared.
- Privacy is the right “to be let alone”.
As we can see, the core of these different definitions is similar: a boundary around what belongs to oneself. But is privacy a concept or a legal right?
Hyman Gross observed, “The law does not determine what privacy is, but only what situations of privacy will be afforded legal protection.”
Why Privacy Matters
Maybe privacy wasn’t a trending issue all over the globe decades ago. But now, with wider access to the internet, it has become a concern for everyone. People want to know how they can protect their data (and consequently themselves) and whether they are using products that respect their privacy.
Social media entices you to post a lot of your own private data. Websites you use daily may sell your data to third parties. Some don’t even care enough about securing user data, which may result in massive data breaches exposing your personal records all over the internet. But privacy issues go far beyond that. Advertising companies can monitor your behavior and use this information to influence your purchasing, voting, and life-changing decisions.
Different types of data differ in sensitivity. Something like a social security number or physical location is highly sensitive, while something like online behavior when seeing an ad about shoes might not be as important. The important thing to remember, however, is that all of this data is private and should be handled accordingly.
This is where GDPR comes into the picture
The General Data Protection Regulation (or as usually referred to, GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. It is a set of rules designed to give European citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
Keep in mind that laws often exist to balance conflicting values. In other words, the law does not deal with absolutes, meaning there is no absolute right to privacy.
If you are running a business that has access to users’ information (of any kind) and your business has users in Europe, you should strongly think about applying GDPR to it.
What Are the Penalties for Violating the GDPR?
GDPR threatens would-be violators with severe penalties. To make sure companies handle your personal data in a legal, ethical way, the fines for noncompliance are up to €20 million ($23 million) or 4% of annual global turnover.
When does GDPR apply?
GDPR applies to any operation performed on any information related to an identified or (reasonably) identifiable person.
According to GDPR, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Recital 26 states, “To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
Terms you might encounter along the way:
- “Personal information” is an important technical term that GDPR revolves around. GDPR Art. 4(1) defines personal data as any information relating to an identified or identifiable natural person (‘data subject’). The most common personal information examples you might deal with every day are email address, cookie ID, your pet’s name, or your grade.
- Art. 4(2) says ‘Data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
To whom does GDPR apply?
First, let’s make these terms clear (GDPR Art. 4(7) & Art 4(8)):
Data Controller: The natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Responsibilities of the Data Controller are mentioned in Art.
Data Processor: A natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
The Data Controller has principal responsibility for complying with the GDPR. However, the Data Processor must follow the controller’s legal instructions, cannot process data for its own purpose, and will sometimes in reality determine some of the means of data processing, but those can’t be “essential”. You usually can’t be a processor of the data of your own customers/employees (because nobody can instruct you to delete the data of your own customers).
According to Art. 3, GDPR applies territorially when the data subject is in the European Union or the European Economic Area, regardless of whether the processing of their data takes place in the Union or not. If the controller or processor is established in the Union, the law applies to all of its data processing. For processing by a controller or processor that is not established in the Union, the law applies when: a) goods or services are offered to data subjects in the Union, even if they are offered for free and no transactions take place; b) the behavior of data subjects is monitored, as far as that behavior takes place within the Union.
- In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
- In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to make decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.
But why does all of this information matter? Because, if GDPR applies to a company, it should have a representative in the EU/EEA. Consider all aspects of your business, see whether GDPR is applicable, and take all the steps it requires to stay out of trouble.
Data Protection Principles
The principles of data protection are set out in GDPR Art. 5. These principles summarize some of the core GDPR requirements. They are as follows:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Data controllers shall be responsible for, and be able to demonstrate compliance with, the mentioned principles. This is called “accountability.”
Lawfulness comes first: every processing activity must rest on a legal basis (Art. 6(1)).
Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Art. 4(11)). Consent needs to be documented, whether given orally or in written form.
- Being freely given
There can be no negative consequences for refusing to give consent (“bundling” is prohibited). Balance of power must be taken into account (e.g. an employer often can’t ask for valid consent from their employee). It should be as easy to withdraw as to give. Also, there cannot be a “backup” legal basis.
The consent’s content must inform the data subject of the controller’s identity, the categories of data gathered, the purpose of processing, the right to withdraw consent, and the data subject’s rights. It should also be easy to understand and split into separate sections for separate purposes.
Pre-checked boxes and hidden text are not acceptable as consents. The data subject themselves must take action to give consent.
As the owner of an online business, remember that you must get consent when placing information on the user’s terminal equipment, for example when placing a tracking cookie. You must also get consent when you engage in direct electronic marketing and are not advertising the same or similar services as the ones the customer purchased from you. (ePrivacy Directive)
For contractual necessity, the applicable sources are Art. 6(1)(b), Recital 44, ICO guidance, and WP29 opinions. The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply. ‘Necessary’ does not mean that the processing must be essential for the purposes of performing a contract or taking relevant pre-contractual steps. However, it must be a targeted and proportionate way of achieving that purpose. This lawful basis does not apply if there are other reasonable and less intrusive ways to meet your contractual obligations or take the steps requested.
This lawful basis does not apply if you need to process one person’s details but the contract is with someone else. The data controller doesn’t need to be a party to the contract. Contractual necessity does not apply if you take pre-contractual steps on your own initiative or at the request of a third party. Also, the right to be forgotten (data subject rights) does not apply here.
Legal obligation (Art. 6(1)(c)): “Processing is necessary for compliance with a legal obligation to which the controller is subject.”
Recital 45 elaborates: “Where the processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient.”
Legitimate interests (Art. 6(1)(f)) is the legal ground for balancing the controller’s interests against the rights of individuals. Where data is used, for example, for statistical analysis to improve a product or service, legitimate interest is typically the lawful basis to rely on.
As Recital 47 states, legitimate interests could be valid where there is a relevant and appropriate relationship between the data subject and the controller, in situations such as where the data subject is a client or in the service of the controller. At any rate, the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Legitimate interest is the most flexible lawful basis for data processing, but it is not always the most appropriate. Relying on legitimate interests creates extra responsibility for considering and protecting people’s rights and interests. So, before deciding to process data on the grounds of legitimate interest, a Legitimate Interests Assessment (LIA) should be carried out:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
Public interest: the official authority vested in the data controller gives it the right to process data on the basis of public interest (Art. 6(1)(e)).
Protecting the Vital Interests of the Data Subject
If there is not enough time to get consent or the data is needed immediately, such as knowing someone’s blood type when they are dying and need blood, vital interests apply as the legal basis for the lawfulness of data processing. In other words, the processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Data transfers: the concepts of the data controller, the data processor, and personal information were introduced earlier. These concepts are the basis of the rules on data transfers. There are four types of data transfer:
- Controller / Processor
- Processor / Sub-processor
- Controller / Controller (joint purpose)
- Controller / Controller (separate purpose)
The steps to take in the case of a data transfer are:
- Start by determining roles
- Ensure the legality of the transfer (GDPR)
- Ensure the legality of international transfer, if applicable (Standard Contractual Clauses, Binding Corporate Rules Program, …)
The legality of data transfers:
- Controller / Processor:
Where the processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject; GDPR Art. 28(1).
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. Refer to GDPR Art. 28(3) for further information on what the contract should stipulate.
Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject; GDPR Art. 82(4).
To summarize, the controller should choose the processor with due diligence, and a contract should be signed between the controller and the processor.
- Processor / Sub-processor:
The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes; GDPR Art. 28(2).
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations; GDPR Art. 28(4).
To summarize, the processor should get permission from the data controller, and the processor and sub-processor should also sign a contract between themselves.
- Controller / Controller (joint purpose):
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Article 13 and Article 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects; GDPR Art. 26(1).
The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers; GDPR Art. 26(2) & 26(3).
To summarize, there is no formality — no need to sign a contract. However, it is good to have some agreements. Data controllers must inform data subjects that their data is being used.
- Controller / Controller (separate purpose):
Two controllers may exchange personal data but separately determine the purposes and means of processing. WP29 guidance is the applicable source here. There is no strict requirement to enter into an agreement, but it is recommended. Both controllers must still inform data subjects about data transfers.
- Third-Country Transfers:
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in Chapter 5 of GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined; GDPR Art. 44.
A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization; GDPR Art. 45. Some countries have a strong data protection system, so there is no need to look any closer at the rules and data can simply be transferred. The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, South Korea, and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.