Spencer Trowbridge


Introduction to the General Data Protection Regulation (GDPR)

Introduction

The General Data Protection Regulation (commonly known as the “GDPR”) is a comprehensive regulation passed by the European Union that sets forth, among other things, both a set of rights that individuals possess regarding their personal data, and a set of obligations that govern the processing of that data by controllers (a party who determines the purposes and means of the processing) and processors (a party who processes on behalf of a controller). While the GDPR applies to controllers and processors in the EU, its reach also includes, in some instances, businesses in the U.S. The GDPR also sets forth certain administrative fines, so it’s important that businesses affected by the GDPR understand the regulation and implement policies and procedures to effectuate compliance.

Principles

In addition to its other provisions, the GDPR sets forth a set of principles that relate to the processing of personal data. These principles include the following:

  • Personal data shall be processed lawfully and transparently

  • Personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”

  • Personal data shall be limited to what is necessary in relation to the purposes for which it is processed

  • Personal data shall be accurate and kept up to date

  • Personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”

Who does the GDPR apply to?

A threshold question for U.S. companies that process personal data is, “does the GDPR apply to me?” The answer is that the GDPR applies to processing of personal data of data subjects who are in the EU by a controller or processor not in the EU, where the processing activities relate to either (1) the offering of goods and services (regardless of whether payment is required) to data subjects in the EU; or (2) the monitoring of their behavior as far as their behavior takes place in the EU. In order to determine whether the regulation applies to a controller or processor outside the EU, “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union [emphasis added].” While, for example, “mere accessibility” of a website in the EU “is insufficient to ascertain such intention, factors such as the use of language or currency generally used in one or more Member States with the possibility of ordering goods or services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the business envisages offering services to data subjects in the Union.”

What kind of data does the GDPR apply to?

The GDPR applies to processing of personal data by automated means, but also applies to manual processing if the personal data are contained or intended to be contained in a filing system.

Of note is that “personal data” is defined very broadly. Specifically, under the GDPR, “personal data” is defined as “any information relating to an identified or identifiable natural person…” To that end, the GDPR states that:

“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

To determine whether a person is identifiable, one must look to all means reasonably likely to be used either by the controller or someone else to identify the natural person directly or indirectly.

What does the GDPR do?

The GDPR sets forth, among other things, both a set of rights that belong to data subjects, and a set of obligations that apply in regard to the processing of their personal data. For instance, the rights of data subjects include (subject to the provisions, including any exemptions, in the GDPR):

  • The right to be informed about the use of their personal data

  • The right to request a copy of their personal data

  • The right to object to processing

  • The right to have their personal data erased

  • The right not to be subject to certain forms of automated decision making

In addition, the GDPR sets forth, among other things:

  • The six situations where data may be lawfully processed

  • Conditions applicable to consent

  • Information that must be provided to data subjects

  • Requirements relating to the manner in which certain information must be provided

  • Requirements relating to implementation of procedures and safeguards concerning personal data

  • Requirements relating to transfer of personal data

Penalties

The GDPR provides that any person who is damaged by a controller’s or processor’s infringement of the regulation will have the right to receive compensation from the controller or processor. In addition, the GDPR authorizes administrative fines based on breaches of specific provisions (including a maximum administrative fine of up to 20,000,000 EUR or up to 4% of worldwide turnover of the preceding year, whichever is greater, in the case of breach of certain provisions). Finally, the GDPR mandates that EU Member States promulgate rules on other penalties applicable to infringements, in particular for infringements not subject to the administrative fines set forth in the GDPR.

Conclusion

The GDPR is a sweeping and comprehensive regulation affecting the way personal data is processed. While from a policy standpoint the GDPR represents a step forward in protecting the right of privacy, it is both complex and far-reaching in scope. This article serves merely as an introduction to some of the more general features of the GDPR, and is not intended as a substitute for in-depth analysis of how and to what extent the GDPR may affect a particular business. However, with the help of a qualified attorney, the GDPR is something that can readily be navigated.

NOTE: This article is presented for informational purposes and represents the author's personal opinion only. It does not constitute legal advice and no attorney-client relationship exists between the reader and the author. If you would like legal advice concerning this issue, you should speak with a qualified attorney who can evaluate the particulars of your matter.