On 8 April 2016 the EU adopted the General Data Protection Regulation (in short, GDPR), which will come into effect on 25 May 2018, repealing the Data Protection Directive 95/43/EC. Its aims are (1) to protect natural persons in relation to the processing of their personal data (rec 1); (2) to allow natural persons greater control over their data (rec 7); (3) to harmonise the law and remove uncertainty in relation to data protection (rec 9 and 10); (4) to provide for greater protection and strengthen the rights of data subjects, impose obligations on data processors and increase the monitoring abilities and sanctions of Member States (rec 11); and (5) to allow for fair and lawful processing of personal data (rec 39). All in all, the GDPR will strengthen the internal market, strengthen the enforcement of rules and set global data protection standards.
The Benefits to Individuals
Under the GDPR, the data subjects (i.e. the individuals benefiting from the Regulation) will be able to:
- Firstly, access their data more easily, in the sense that they will know from the moment they give their consent the uses to which the data will be put.
- Secondly, have the right to delete the data that a data controller keeps. Termed the “right to be forgotten”, article 17 of the GDPR aims to allow an individual to have his or her data deleted if he/she does not want such data to be processed (provided that there are no legitimate grounds for the data controller to retain it).
- Thirdly, under article 25 of the Regulation, benefit from data protection by design and by default. Data protection by design means that the controller must implement appropriate technical and organisational measures in order to integrate the safeguards necessary to meet the requirements of the GDPR and protect the rights of data subjects. Data protection by default means that the controller must implement appropriate measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed, and at the same time to ensure that, by default, personal data cannot be made accessible without the individual’s intervention.
- Fourthly, know if and when a security breach has occurred whenever his or her data have been hacked. The GDPR creates an obligation on the data controller not only to notify the supervisory authority of the breach (within 72 hours) but also to communicate a personal data breach to the data subject, describing the nature of the breach as well as recommendations for the natural person concerned to mitigate any potential adverse effects.
Who and what data is covered?
The GDPR covers personal data which are processed. Processing need not be automated; manual processing also falls within the Regulation’s ambit. It does not, however, cover files or sets of files that are not structured according to specific criteria (rec 15).
Under the definitions of the Regulation, personal data means information relating to an identified or identifiable natural person. Such persons are those who can be identified, directly or indirectly, by reference to a name, an identification number, location data, an online identifier, etc. For example, a photograph or an IP address can count as personal data.
It is of great importance that the GDPR does not apply to legal entities (rec 14) or to natural persons who have passed away (rec 27).
The entities affected need not be resident in the EU. It is for this reason that the changes have wide-reaching effects, stemming from the desire of the EU to place obligations on anyone (even from a third country) offering goods or services to, or monitoring the behaviour of, data subjects within the EU (rec 22, 23 and 24).
Who is a data controller and who is a data processor?
Article 4 of the GDPR defines a data controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A data processor on the other hand is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.