In-Depth Legal Summary of the GDPR

I. General Provisions

Actors

Data Controller (organisation collecting data from EU residents) or Data Processor (organisation that processes data on behalf of a data controller).

GDPR applies when:

  • Controller / Processor is based in EU

  • Controller / Processor collects / processes data from a data subject located in the EU

Personal Data

Any information relating to an identified or identifiable natural person (Art. 4).

Personal data is information that relates to an identified or identifiable individual. If an individual cannot be directly identified from that information, one still needs to consider whether the individual is identifiable indirectly. An organization should take into account the information they are processing together with all the means reasonably likely to be used by either them or any other person/organization to identify that individual.

II. Principles

Art. 5: Principles relating to processing of personal data

Personal data shall be collected for specified, explicit and legitimate purpose and may only be processed in a manner compatible with those purposes (purpose limitation). Data must be limited to the amount necessary for the purpose (data minimization). Data must be kept correct and up to date (accuracy). Not stored any longer than is necessary for the purpose of processing (storage limitation). Processed in a way that ensures appropriate security (integrity and confidentiality). The controller is responsible to demonstrate compliance (accountability).

Art. 6: Lawfulness of processing

Data processing is allowed if it is done for lawful purposes. The lawful purposes are:

  • Data subject has given consent to the processing of data (incl. each individual purpose the data is used for - Art. 7, definition Art. 4);

  • To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;

  • To comply with a data controller's legal obligations;

  • To protect the vital interests of a data subject or another individual;

  • To perform a task in the public interest or in official authority;

  • For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).

Consent must be:

  • Explicit

  • Freely-given

  • Plainly worded

  • Unambiguous

A checkbox where the box is ticked per default and needs to be unchecked to opt-out violated GDPR, since there is no unambiguous affirmation of the data subject. Each purpose for processing needs to be separated: different checkboxes for each individual processing-purpose. It must be possible to withdraw consent at any time, and this may not be more difficult than opting in. If a data subject declines processing of PI he may not be refused service, except if that processing is strictly necessary to be able to use the service.

Consent for children <16 y.o. must be given by a parent or custodian. Controller must make reasonable efforts to verify that this person is parent / guardian.

Art. 9: Processing of special categories of personal data

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation may only be processed if data subject has given explicit consent (+ other exceptions: vital interests of data subject, public data etc.)

Art. 10: processing of personal data relating to criminal convictions and offense

Art. 11: Processing which does not require identification

If a controller can’t identify a data subject (not enough data points), controller is not obliged to process new data points to be able to comply with GDPR.

III. Rights of the Data Subject

Art. 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

All notice / communication to data subjects must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Controller must provide information on action taken on a DSR (art. 15-22) within one month after receipt of request. Extension of 2 months is possible (depending on complexity + number of requests). If request is manifestly unfounded (repetitive), controller may charge a fee or decline.

Art. 13: Information to be provided where personal data are collected from the data subject

  • Identity and contact details controller

  • Contact details of DPO (EU organization) or representative (non-EU org)

  • Purposes for processing

  • Legal basis for processing

  • Recipients or categories of recipients (if any)

  • If applicable: the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission (...)

  • How long the data will be stored (if not known: criteria determining how long it will be stored)

  • Existence of data subject rights, right to withdraw consent at any time, the right to complain to SA, existence of automated decision making

Can be provided in Data Protection Guidelines (to be hyperlinked on consent pop up).

Art. 14: Information to be provided where personal data have not been obtained from the data subject

  • Identity and contact details of controller, controllers representative / DPO

  • Purposes for processing

  • Categories of data

  • Recipients or categories of recipients

  • Similar to Art. 13

Art. 15: Right of access by the data subject

Data subjects may request an overview of categories of personal data that are being processed -15(1)(b). Controller must provide categories of PI + purpose of processing (15 (1)(a)), with whom data is shared (15)(1)(c)) and sources (15)(1)(g) Data subjects may request a copy of the data undergoing processing - 15 (3) The data needs to be made available in a format which can be transferred from one electronic processing system to another. In a structured and commonly used standard electronic format. Exception: anonymised data. De-identified data (if it can’t possibly be linked back to an individual)

Both data provided by the data subject and observed data (behaviour) are included.

Art. 16: Right to rectification

Data subjects may request rectification of inaccurate personal data, organizations must respond without undue delay.

Art. 17: The right of erasure

A data subject may request erasure of personal data on the following grounds:

- data no longer necessary in relation to collection-purpose

- consent withdrawal

-objection to processing pursuant to art. 21(1)

- unlawful processing

- erasure to be compliant with legal obligation

- data collected in relation to offer of information sociatey services (art. 8 (1))

Controller must comply within 30 days. One of the grounds of erasure would be unlawfulness of the processing (violation of art. 6(1)).

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González: The interests or fundamental rights and freedoms of the data subject override the legitimate interests of the processor (lawful ground under Art. 6(1)(f), if these interests require protection of personal data.

Art. 18: Right to restriction of processing

Data subjects have a right to restrict processing in some cases (when data accuracy is contested, unlawful, no longer needed etc.).

Art. 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing

After a request for rectification, erasure or restricted processing, the controller needs to communicate this request to each recipient of the data (unless impossible or disproportionate effort).

Art. 20: The right to data portability

DS has the right to receive his/her PA in a structured, commonly used and machine-readable format, should be able to transmit this without hindrance. Should be possible to request submission of data directly from one controller to another (if technically feasible)

Art. 21:The right to object

DS can object against processing that was necessary for public interest (6 (1) (e)) or for legitimate interests pursued by controller (6 (1)(f)). Controller must comply unless he has compelling legitimate grounds that overrides the interests, rights and freedoms of the DS.

DS has a right to object against processing of data for marketing purposes.

Art. 22: Automated individual decision-making, including profiling

Subject has the right to opt-out of automated processing (including profiling) (exceptions)

Art. 23: Restrictions

Conflict with union on member state law which safeguards national security, defence, public security, investigation of criminal offenses etc.

Art. 24: Responsibility of the controller

Controller must implement appropriate technical and organisational measures to ensure compliance.

Art. 25: Data protection by design and by default

Data controller must implement measures which meet the principles of data protection by default and by design. Data protection needs to be designed into products, services and business processes (“Privacy by design”). Data controller must take technical and procedural methods to make sure that processing complies with GDPR.

Examples of privacy by design:

Pseudonymisation (where possible) (recital 78): It should not be possible for data to be attributed to a specific data subject without the use of additional information. Example 1: encryption (which can be reversed with decryption key). Encrypted data needs to be kept separately from the pseudonymised data. Example 2: tokenization.

Report by EU Agency for Cybersecurity

Recital 74: The controller is liable for unlawful processing by a processor, if he fails to implement effective measures.

Art. 26: Joint controllers

Art. 27: Representatives of controllers or processors not established in the Union

Organizations outside of EU - which regularly offer of goods or services to data subjects in the EU; and/or monitor the behaviour of data subjects in the EU, as far as their behaviour takes place within the EU - must appoint an EU-based point of contact for GDPR obligations. Can be a natural person or a corporation. Functions as a point of contact for privacy supervisors and data subjects.

Art. 28: Processor

Controller may only work with processors who can comply with GDPR (sufficient guarantees to implement appropriate technical and organizational measures). This relationship should be governed by a contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The contract should include additional GDPR-mandated clauses.

Art. 29: Processing under the authority of the controller or processor

Processor may only process the data as per instructions of the controller.

Art. 30: Records of processing activities Must include purposes for processing, categories, envisaged time limits

Art. 33: Breach notification

Data controller must notify the (national) Supervisory Authority (SA) in case of a data breach, unless if it’s unlikely to result in a risk to rights & freedoms of data subjects. Notification needs to happen within 72 hours after becoming aware. Data subjects need to be informed of a breach if a high risk of an adverse impact is determined.

Data processors need to notify the controller without undue delay.

Art. 37: Data Protection Officer (for EU-organizations)

EU organizations: A DPO must be appointed. This role may be out-sourced. The DPO must be registered with the SA, his/her contact details must be published in the privacy policy. DPO must be able to handle IT processes and data security, he/she must maintain a living inventory of all data collected and stored on behalf of the organization.

VII. Remedies, liability and penalties

Besides potentially being classified as a criminal offense according to national law (Art. 83 GDPR), the following sanctions can be imposed:

Art. 83 (4): Up to 10 Million or 2% of annual worldwide turnover (whichever is higher) in case of infringement of:

the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43

the obligations of the certification body pursuant to Articles 42 and 43

the obligations of the monitoring body pursuant to Article 41(4)

Art. 83 (5&6): Up to 20 Million or 4% of annual worldwide turnover (whichever is higher) in case of infringement of:

the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9

the data subjects' rights pursuant to Articles 12 to 222

the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49

any obligations pursuant to member state law adopted under Chapter IX

noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)

GDPR Restrictions

National security, military police, justice, lawful interception

Scientific and statistical analysis

Processing of personal data by a natural person in the course of a purely personal or household activity

An entity or more precisely an "enterprise" has to be engaged in "economic activity" to be covered by the GDPR (Art. 4 18). Economic activity is defined broadly under European Union competition law

The information provided in this resource base and on the Datawallet website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided “AS IS;” no representations are made that the content is error-free.

Contents
I. General Provisions
Actors
Personal Data
II. Principles
Art. 5: Principles relating to processing of personal data
Art. 6: Lawfulness of processing
Art. 7: Conditions for consent
Art. 8: Conditions applicable to child's consent in relation to information security services
Art. 9: Processing of special categories of personal data
Art. 10: processing of personal data relating to criminal convictions and offense
Art. 11: Processing which does not require identification
III. Rights of the Data Subject
Art. 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Art. 13: Information to be provided where personal data are collected from the data subject
Art. 14: Information to be provided where personal data have not been obtained from the data subject
Art. 15: Right of access by the data subject
Art. 16: Right to rectification
Art. 17: The right of erasure
Art. 18: Right to restriction of processing
Art. 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Art. 20: The right to data portability
Art. 21:The right to object
Art. 22: Automated individual decision-making, including profiling
Art. 23: Restrictions
Art. 24: Responsibility of the controller
Art. 25: Data protection by design and by default
Art. 27: Representatives of controllers or processors not established in the Union
Art. 28: Processor
Art. 29: Processing under the authority of the controller or processor
Art. 33: Breach notification
Art. 37: Data Protection Officer (for EU-organizations)
VII. Remedies, liability and penalties
GDPR Restrictions