Data protection under GDPR
UK decision to invoke Article 50 of the TEU: More information
As of 30 March 2019, all EU law will cease to apply to the UK, unless a ratified withdrawal agreement establishes another date, or the European Council and the UK decide unanimously to extend the two-year negotiation period. For more information about the legal repercussions for businesses:
The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies both to European organisations that process personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU.
When does the General Data Protection Regulation (GDPR) apply?
The GDPR applies if:
- your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
- your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU
Non-EU based businesses processing EU citizen's data have to appoint a representative in the EU.
When does the General Data Protection Regulation (GDPR) not apply?
The GDPR does not apply if:
- the data subject is dead
- the data subject is a legal person
- the processing is done by a person acting for purposes which are outside his trade, business, or profession
What is personal data?
Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:
- ID card/passport number
- cultural profile
- Internet Protocol (IP) address
- data held by a hospital or doctor (which uniquely identifies a person for health purposes).
Special categories of data
You may not process personal data about someone's:
- racial or ethnic origin
- sexual orientation
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic, biometric or health data except in specific cases (e.g. when you've been given explicit consent or when processing is needed for reasons of substantial public interest, on the basis of EU or national law)
- personal data related to criminal convictions and offences unless this is authorised by EU or national law
Who processes the personal data?
During processing, personal data can pass through various different companies or organisations. Within this cycle there are two main profiles that deal with processing personal data:
- The data controller - decides the purpose and way in which personal data is processed.
- The data processor - holds and processes data on behalf of a data controller.
Who monitors how personal data is processed within a company?
The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and to inform and advise employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA), serving as a contact point towards the DPA and individuals.
When should you appoint a Data Protection Officer?
Your company is required to appoint a DPO when:
- you regularly or systematically monitor individuals or process special categories of data
- this processing is a core business activity
- you process data on a large scale.
For example, if you process personal data to target advertising through search engines based on people's online behaviour, you are required to have a DPO. If, however, you only send your clients promotional material once a year, then you will not need a DPO. Likewise, if you are a doctor who collects data on patients' health, a DPO is probably not needed. But if you process personal data on genetics and health for a hospital, then a DPO will be required.
The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contact. A DPO can be an individual or part of an organisation.
Processing data for another company
A data controller can only use a data processor who offers sufficient guarantees, these should be included in a written contract between the parties involved. The contract must also contain a number of mandatory clauses, e.g. that the data processor will only process personal data when instructed to do so by the data controller.
Data transfer outside the EU
Once the integration of the GDPR into the EEA agreement is in force, the GDPR will apply to the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein and Norway. When personal data is transferred outside the EEA, the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure one of the following measures are adhered to:
- The non-EU country's protections are deemed adequate by the EU.
- Your company takes the necessary measures to provide appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data.
- Your company relies on specific grounds for the transfer (derogations) such as the consent of the individual.
When is data processing allowed?
EU data protection rules mean you should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. You must ensure that you fulfil one of the following conditions to process the personal data; you:
- have been given the consent of the individual concerned
- need the personal data to fulfil a contractual obligation with the individual
- need the personal data to satisfy a legal obligation
- need the personal data to protect the vital interests of the individual
- process personal data to carry out the task in the interest of the public
- are acting in your company's legitimate interests, as long as the fundamental rights and freedoms of the individual whose data are processed are not seriously impacted. If the person's rights override your company's interests, then you cannot process the personal data.
Agreeing to data processing - consent
The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.
When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.
Providing transparent information
You must clearly provide individuals with information on who is processing the personal data about them and why. The following should be included as a minimum:
- who you are
- why you are processing the personal data
- what the legal basis is
- who will receive the data (if applicable)
In some cases, the information you provide must also state:
- the contact information of the Data protection officer (DPO) when applicable
- what is the legitimate interest pursued by the company when you rely on this legal ground for processing
- the measures applied for transferring the data to a country outside the EU
- how long the data will be stored for
- the individual's data protection rights (i.e. right to access, correction, erasure, restriction, objection, portability, etc.)
- how consent can be withdrawn (when consent is the legal ground for processing)
- whether there is a statutory or contractual obligation to provide the data
- in the case of automated decision-making, information about the logic, significance and consequences of the decision
You should present this information in clear and plain language.
Specific rules for children
If you're collecting personal data from a child based on consent, for example using a social media account or a download account, you must get parental consent first, e.g. by sending a notification to a parent or guardian. The age until which someone is considered to be a child differs depending on where they live, but is between 13 and 16 years old.
Right to access and right to data portability
You must ensure that individuals have the right to access their personal data, free of charge. If you receive such a request you have to:
- tell them if you're processing their personal data
- tell them about the processing (the purpose of the processing, categories of personal data concerned, recipients of their data, etc.)
- give them a copy of the personal data being processed (in an accessible format)
When the processing is based on consent or a contract, the individual can also ask for you to return their personal data to them or transmit it to another company. This is known as the right to data portability. You should provide the data in a commonly used and machine-readable format.
Right to correct and right to object
If an individual believes that their personal data is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed without undue delay.
If this is the case, you should notify all data recipients if any of the personal data you shared with them has been changed or deleted. If any personal data you shared was incorrect, you may also have to inform anyone who has seen it that this was the case (unless this is deemed to require a disproportionate effort).
An individual may also object - at any time - to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest, or for a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data.
Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data if requested by the individual.
Right to erasure (right to be forgotten)
In some circumstances, an individual can ask the data controller to erase their personal data, for example if the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to do so if:
- the processing is necessary to respect the freedom of expression and information
- you have to keep the personal data to comply with a legal obligation
- there are other reasons of public interest to store the personal data, such as public health or scientific and historical research purposes
- you need to store the personal data to establish a legal claim
Automated decision-making and profiling
Individuals have the right not to be subject to a decision that is based solely on automated processing. However, there are some exceptions to this rule, such as when they have given their explicit consent to the automated decision. Except where the automated decision is based on a law, your company must:
- inform the individual about the automated decision-making
- give the individual the right to have the automated decision reviewed by a person
- give the individual the opportunity to contest the automated decision
For example, if a bank automates its decision of whether or not to grant a loan to a certain individual, that individual should be informed of the automated decision and given the opportunity to contest the decision and request human intervention.
Data breaches – providing proper notification
A data breach is when the personal data you are responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients or is made temporarily unavailable or is altered.
If a data breach does occur and the breach poses a risk to individual rights and freedoms, you should notify your Data Protection Authority within 72 hours after becoming aware of the breach.
Depending on whether or not the data breach poses a high risk to those affected, your company may also be required to inform all individuals affected.
Responding to requests
If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests should be dealt with free of charge.
If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority.
Conducting a Data Protection Impact Assessment (DPIA) is mandatory whenever the intended processing would pose a high risk to the rights and freedoms of individuals, e.g. when new technologies are used.
There is such a high risk when:
- automated processing and profiling mechanisms are used to evaluate individuals
- a publicly accessible area is monitored on a large scale (e.g. CCTV)
- special categories of data or personal data relating to criminal convictions and offences is processed on a large scale (e.g. health data)
Note: Data Protection Authorities may also consider other categories of data processing as high risk.
If the measures indicated in the DPIA fail to remove all the identified high risks, the Data Protection Authority must be consulted before the intended data processing takes place.
Keeping a record
You must be able to prove that your company acts in accordance with the GDPR and fulfils all applicable obligations — particularly upon request or inspection from the Data Protection Authority.
One way to do this is to keep detailed records on such things as the:
- name and contact details of your business involved in data processing
- reason(s) for processing personal data
- description of the categories of individuals providing personal data
- categories of organisations receiving the personal data
- transfer of personal data to another country or organisation
- storage period of the personal data
- description of security measures used when processing personal data
Your company should also keep — and regularly update — written procedures and guidelines and make them known to your employees.
If your company is an SME or smaller, you do not need to keep records of your processing activities as long as they:
- are not done regularly
- they do not affect the rights or freedoms of the individuals involved
- do not deal with sensitive data or criminal records
Data protection by design and default
Data protection by design means that your company should take data protection into account at the early stages of planning a new way of processing personal data. In accordance with this principle, a data controller must take all necessary technical and organisational steps to implement the data protection principles and protect the rights of individuals. These steps could include, for example, using pseudonymisation.
Data protection by default means that your company should always make the most privacy friendly setting the default setting. For example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting.
Infringement of the rules and penalties
Failure to comply with the GDPR may result in significant fines of up to EUR 20 million or 4 % of your company's global turnover for certain breaches. The Data Protection Authority may impose additional corrective measures, such as ordering you to stop processing personal data.