GDPR Q&A
With the General Data Protection Regulation (GDPR) “ante portas”, it is important for companies that are subject to the new regulation to have a clear understanding of the forthcoming regulation and what it really means for their business. It is equally important to comprehend what the new regulation does not require and what measures need to be taken under which assumptions.
An important aspect of the GDPR that is also a source of confusion is that it has different provisions for processors and controllers, depending on the nature of their operations, the personal data they handle and the scale at which their operations are conducted. Therefore, it is important to always refer to the official document of the regulation in order to clarify these provisions before taking action.
We have set up a small Q&A to help you with your roadmap towards GDPR compliance. This Q&A is intended to provide some help and guidance and should be treated as such; it is by no means a detailed explanation of all aspects of the regulation and does not provide an exhaustive treatment of the regulation in its entirety, covering all regulation requirements, sub-cases and provisions.
What is new with the scope of GDPR compared to previous data privacy laws and directives?
First of all, GDPR is a regulation; this means that, as opposed to EU directives, it is self-activating and legally binding upon its enforcement date, May 25th, 2018. GDPR replaces the prior data privacy EU Directive 95/46/EC and regulates how individuals and organizations such as government institutions and companies may obtain, use, process and delete personal data of European citizens.
The territorial scope of the GDPR is also substantially larger, as it applies to any company that is doing business with or processing personal data of EU citizens, regardless of where it is established or where the actual processing of personal data takes place. This means that even if a company is not based in the EU and there is no processing of personal data in any EU-based facility, either the offering of goods or services to EU citizens or the tracking of EU citizens' behavior (for example by means of cookies) is enough for the company to be subject to the forthcoming regulation. Non-EU businesses that fall into this category are required to appoint a representative in the EU if they wish to carry on their business with EU citizens.
What constitutes personal data?
Any information related to a natural person (‘data subject’) that identifies or can be used to identify the person either directly or indirectly constitutes personal data. This includes but is not limited to the person’s full name, email address, online identifier, bank account, IP address, social security number, etc.
What constitutes processing?
As defined in Article 4, “Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. The definition is very broad and includes more or less any kind of operation on personal data.
Is the way that consent is asked for and given in the context of a service affected?
Yes, the conditions for legitimate consent under the GDPR are sufficiently strengthened compared to prior data privacy laws. GDPR aims to empower the data subjects by explicitly rejecting complex pre-selected terms and conditions full of legalese as a legitimate means of valid consent. Instead, consent should be provided by means of an affirmative act (e.g. actively opting in by ticking a box as opposed to pre-selected tick boxes). Equally importantly, it must be as easy to withdraw consent as it is to give it, and clear, straightforward language should be used, avoiding technical or legal jargon and confusing terminology (such as double negatives), so that users can actually understand what they consent to. Consent should be clear, granular (separate consent for different processing operations), distinguishable from other matters such as general terms and conditions, and it should be given freely and unambiguously.
Is getting users’ consent mandatory for a company in order to be able to perform processing?
No, consent is just one of the five legal bases one can use for the processing of personal data, as explained in Article 6 of the GDPR. Potential reasons to justify lawful processing include the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; cases where processing is necessary for compliance with a legal obligation; when processing is necessary in order to protect the vital interests of the data subject or of another natural person; when processing is necessary for the performance of a task carried out in the public interest; or finally on the basis of legitimate interest, which must, however, outweigh any detriment to the privacy of the data subject.
Is it true that under GDPR European personal data must be exclusively stored within Europe?
No, this is a common misconception. The GDPR does not contain any obligation to store or process information exclusively in Europe.
However, transfers of European personal data outside the European Economic Area (EEA) require that a valid transfer mechanism is in place so that the personal data are adequately protected. As mentioned in Article 45 of the GDPR, “transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.”
In case of data breach is notification to the data subjects required?
Breach notification will become mandatory under GDPR in cases where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The time deadline for the notification is 72 hours after first having become aware of a data breach.
What is the major change in GDPR regarding Privacy by Design?
Under GDPR the “Privacy by Design” system design concept is now also becoming a legal requirement for the processing of personal data. The goal is to motivate and enforce a culture of data privacy that is embedded in the companies’ operations and systems. The “Privacy by Design” culture requires that security and privacy policies, processes and controls must be explicitly specified, enforced, monitored and tested. Privacy and data protection are henceforth at the core of system design, rather than an addition or extra feature that may or may not be considered later on. An additional important implication of this is that companies are accountable for, and must be able to prove, the secure operation of their operations and systems against potential threats; the limitation of access to personal data to those who need it to carry out the processing required by their duties; and that only the minimum set of data is retrieved and processed for each processing operation, so that only the data that are absolutely necessary are processed. Mass exposure of personal data to an unlimited number of recipients is strictly prohibited.
What is the data subject’s right to access?
In order to allow data subjects to enforce their data protection rights, GDPR mandates that data subjects whose personally identifiable information is potentially processed have the right of access to their personal data. Upon such request, a copy of the personal data is to be provided, free of charge, in an electronic format. Additionally, data subjects have the right to obtain information regarding whether, and where, their personal data are processed; the purpose of the processing; the categories of data being processed; the categories of recipients with whom the data may be shared; the period for which the data will be stored (or the criteria used to determine that period); the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing; information about the existence of the right to complain; and information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
What is the data subject’s right to data rectification?
The data subject’s right to data rectification, as defined in Article 16 of the GDPR, mandates the ability of data subjects to rectify any errors in their personal data that are processed or controlled by companies. The right to data rectification also means that the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
What is the data subject’s right to be forgotten?
The right to be forgotten is described in Article 17 of the GDPR. It entitles the data subject to have the companies controlling his/her data erase his/her personal data “without undue delay” when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, cease further dissemination of the data, and potentially have third parties halt processing of the data. Deleting personal data is also justified in case the data subject has withdrawn the previously given consent or if the personal data have been unlawfully processed. It should also be noted that this right requires companies to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests; for instance, there may be legal obligations to maintain financial records for at least a specific amount of time due to tax or social security law.
What is the data subject’s right to data portability?
Data subjects, as described in Article 20 of the GDPR, have the right to transfer their personal data. This means that they must be able to receive the personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller “without hindrance from the controller to which the personal data have been provided”. As an additional means of achieving this, the regulation also prescribes that the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Is it true that appointing a Data Protection Officer is mandatory for all companies subject to the GDPR?
No. As explained in Article 37 and Recital 97 of the GDPR, a Data Protection Officer (DPO) is only required for government institutions and also for companies whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (for example CCTV, tracking software) or of special categories of sensitive data (such as health data) or data relating to criminal convictions and offences.
DPO appointment must be performed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices. The DPO, regardless of whether or not he/she is an employee of the company, should be in a position to perform his/her duties and tasks in an independent manner. Equally importantly, the DPO must be provided with appropriate resources to carry out his/her tasks and must not carry out any other tasks that could result in a conflict of interest.
Is performing a Data Protection Impact Assessment for all processing activities mandatory under GDPR?
Data Protection Impact Assessment (DPIA), as explained in Article 35 of the GDPR, is explicitly required only in cases of high-risk processing of EU citizens’ personal data, including:
- systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data such as data concerning a person’s health, or of personal data relating to criminal convictions and offences;
- or a systematic monitoring of a publicly accessible area on a large scale.
In the same article of the regulation there is also the provision that the supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment.