Data Controller (organisation collecting data from EU residents) or Data Processor (organisation that processes data on behalf of a data controller).
GDPR applies when:
- Controller / Processor is based in the EU
- Controller / Processor collects / processes data from a data subject located in the EU
Any information relating to an identified or identifiable natural person (Art. 4).
Personal data is information that relates to an identified or identifiable individual. If an individual cannot be directly identified from that information, one still needs to consider whether the individual is identifiable indirectly. An organization should take into account the information they are processing together with all the means reasonably likely to be used by either them or any other person/organization to identify that individual.
Personal data shall be collected for specified, explicit and legitimate purpose and may only be processed in a manner compatible with those purposes (purpose limitation). Data must be limited to the amount necessary for the purpose (data minimization). Data must be kept correct and up to date (accuracy). Not stored any longer than is necessary for the purpose of processing (storage limitation). Processed in a way that ensures appropriate security (integrity and confidentiality). The controller is responsible to demonstrate compliance (accountability).
Data processing is allowed if it is done for lawful purposes. The lawful purposes are:
- Data subject has given consent to the processing of data (incl. each individual purpose the data is used for - Art. 7, definition Art. 4);
- To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
- To comply with a data controller's legal obligations;
- To protect the vital interests of a data subject or another individual;
- To perform a task in the public interest or in official authority;
- For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
Consent must be:
A checkbox that is ticked by default and must be unchecked to opt out violates GDPR, since it is not an unambiguous affirmation by the data subject. Each purpose for processing needs to be separated: different checkboxes for each individual processing purpose. It must be possible to withdraw consent at any time, and this may not be more difficult than opting in. If a data subject declines processing of PI, he may not be refused service, except if that processing is strictly necessary to be able to use the service.
Consent for children <16 y.o. must be given by a parent or custodian. Controller must make reasonable efforts to verify that this person is parent / guardian.
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation may only be processed if the data subject has given explicit consent (other exceptions apply: vital interests of the data subject, data made public, etc.).
If a controller can’t identify a data subject (not enough data points), controller is not obliged to process new data points to be able to comply with GDPR.
All notice / communication to data subjects must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Controller must provide information on action taken on a DSR (art. 15-22) within one month after receipt of request. Extension of 2 months is possible (depending on complexity + number of requests). If request is manifestly unfounded (repetitive), controller may charge a fee or decline.
Identity and contact details controller
Contact details of DPO (EU organization) or representative (non-EU org)
Purposes for processing
Legal basis for processing
Recipients or categories of recipients (if any)
If applicable: the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission (...)
How long the data will be stored (if not known: criteria determining how long it will be stored)
Existence of data subject rights, right to withdraw consent at any time, the right to complain to SA, existence of automated decision making
Can be provided in Data Protection Guidelines (to be hyperlinked on the consent pop-up).
Identity and contact details of the controller, the controller's representative / DPO
Purposes for processing
Categories of data
Recipients or categories of recipients
Similar to Art. 13
Data subjects may request an overview of the categories of personal data being processed (Art. 15(1)(b)). The controller must provide the categories of PI and the purposes of processing (Art. 15(1)(a)), with whom the data is shared (Art. 15(1)(c)) and the sources (Art. 15(1)(g)). Data subjects may request a copy of the data undergoing processing (Art. 15(3)). The data needs to be made available in a structured, commonly used standard electronic format that can be transferred from one electronic processing system to another. Exception: anonymised data, i.e. de-identified data that cannot possibly be linked back to an individual.
Both data provided by the data subject and observed data (behaviour) are included.
Data subjects may request rectification of inaccurate personal data, organizations must respond without undue delay.
A data subject may request erasure of personal data on the following grounds:
- data no longer necessary in relation to the collection purpose
- consent withdrawal
- objection to processing pursuant to art. 21(1)
- unlawful processing
- erasure to be compliant with a legal obligation
- data collected in relation to the offer of information society services (art. 8(1))
Controller must comply within 30 days. One of the grounds of erasure would be unlawfulness of the processing (violation of art. 6(1)).
Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González: The interests or fundamental rights and freedoms of the data subject override the legitimate interests of the processor (lawful ground under Art. 6(1)(f)) if these interests require protection of personal data.
Data subjects have a right to restrict processing in some cases (when data accuracy is contested, unlawful, no longer needed etc.).
After a request for rectification, erasure or restricted processing, the controller needs to communicate this request to each recipient of the data (unless impossible or disproportionate effort).
DS has the right to receive his/her personal data in a structured, commonly used and machine-readable format and should be able to transmit it without hindrance. It should be possible to request transmission of the data directly from one controller to another (if technically feasible).
DS can object against processing that was necessary for the public interest (6(1)(e)) or for legitimate interests pursued by the controller (6(1)(f)). The controller must comply unless he has compelling legitimate grounds that override the interests, rights and freedoms of the DS.
DS has a right to object against processing of data for marketing purposes.
Subject has the right to opt-out of automated processing (including profiling) (exceptions)
Conflict with union or member state law which safeguards national security, defence, public security, investigation of criminal offenses etc.
Controller must implement appropriate technical and organisational measures to ensure compliance.
Data controller must implement measures which meet the principles of data protection by default and by design. Data protection needs to be designed into products, services and business processes (“Privacy by design”). Data controller must take technical and procedural methods to make sure that processing complies with GDPR.
Examples of privacy by design:
Pseudonymisation (where possible) (recital 78): It should not be possible for data to be attributed to a specific data subject without the use of additional information. Example 1: encryption (which can be reversed with decryption key). Encrypted data needs to be kept separately from the pseudonymised data. Example 2: tokenization.
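The tokenization approach just described, as an added illustration that is not part of the original page: the working dataset carries only tokens, while the token-to-identifier mapping (the "additional information" that recital 78 and Art. 4(5) say must be held separately) lives in a separate vault. Tokens are keyed HMAC-SHA256 values rather than plain hashes, so equal identifiers still map to equal tokens (records stay joinable) but a token cannot be reversed by hashing guessed identifiers without the key. The field names, sample records and the `TokenVault` class are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Fields treated as direct identifiers in this example (an assumption; in practice
# the classification comes from the controller's data inventory).
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records, not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Ghent", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.org", "city": "Lyon", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.org", "city": "Ghent", "purchases": 2},
]


class TokenVault:
    """Holds the HMAC key and the token -> identifier mapping.

    This is the "additional information" in the sense of Art. 4(5): it must be stored
    and access-controlled separately from the pseudonymised dataset, so that the
    dataset on its own cannot be attributed to a specific data subject.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._mapping: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Keyed hash: deterministic (the same e-mail always yields the same token, so
        # records remain joinable) but not reproducible by anyone without the key.
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._mapping[token] = value
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._mapping.get(token)


def pseudonymise(records: Iterable[dict], vault: TokenVault,
                 fields: Iterable[str] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Return copies of the records with every direct identifier replaced by a token."""
    fields = tuple(fields)
    out = []
    for rec in records:
        pseudo = dict(rec)  # shallow copy so the original records are left untouched
        for f in fields:
            if isinstance(pseudo.get(f), str):
                pseudo[f] = vault.tokenize(pseudo[f])
        out.append(pseudo)
    return out


def reidentify(record: dict, vault: TokenVault,
               fields: Iterable[str] = DIRECT_IDENTIFIERS) -> dict:
    """Reverse the tokenization; only possible for whoever holds the vault."""
    original = dict(record)
    for f in fields:
        value = vault.lookup(original.get(f, ""))
        if value is not None:
            original[f] = value
    return original


def weak_token(value: str) -> str:
    """The tempting but inadequate alternative: an unkeyed hash of the identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def guess_recovers(token: str, candidates: Iterable[str]) -> bool:
    """Could someone holding only the dataset recover the identifier by hashing a list
    of guesses? True for unkeyed tokens, False for the keyed tokens of TokenVault."""
    return any(weak_token(c) == token for c in candidates)


if __name__ == "__main__":
    vault = TokenVault()
    pseudo = pseudonymise(SAMPLE_RECORDS, vault)
    print("working dataset:", pseudo[0])
    print("re-identified with vault:", reidentify(pseudo[0], vault))
```

The check worth keeping from this is `guess_recovers`: a bare SHA-256 of an e-mail address is not pseudonymisation in the GDPR sense, because anyone with a list of plausible addresses can recompute it; the keyed token only becomes reversible for the party that holds the vault.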
Report by EU Agency for Cybersecurity
Recital 74: The controller is liable for unlawful processing by a processor, if he fails to implement effective measures.
Organizations outside of the EU - which regularly offer goods or services to data subjects in the EU, and/or monitor the behaviour of data subjects in the EU, as far as their behaviour takes place within the EU - must appoint an EU-based point of contact for GDPR obligations. This can be a natural person or a corporation. It functions as a point of contact for privacy supervisors and data subjects.
Controller may only work with processors who can comply with GDPR (sufficient guarantees to implement appropriate technical and organizational measures). This relationship should be governed by a contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The contract should include additional GDPR-mandated clauses.
Processor may only process the data as per instructions of the controller.
The data controller must notify the (national) Supervisory Authority (SA) in case of a data breach, unless it is unlikely to result in a risk to the rights and freedoms of data subjects. Notification needs to happen within 72 hours after becoming aware. Data subjects need to be informed of a breach if a high risk of an adverse impact is determined.
Data processors need to notify the controller without undue delay.
Besides potentially being classified as a criminal offense according to national law (Art. 83 GDPR), the following sanctions can be imposed:
Art. 83(4): Up to EUR 10 million or 2% of annual worldwide turnover (whichever is higher) in case of infringement of:
- the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
- the obligations of the certification body pursuant to Articles 42 and 43
- the obligations of the monitoring body pursuant to Article 41(4)
Art. 83(5&6): Up to EUR 20 million or 4% of annual worldwide turnover (whichever is higher) in case of infringement of:
- the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
- the data subjects' rights pursuant to Articles 12 to 22
- the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
- any obligations pursuant to member state law adopted under Chapter IX
- noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)
National security, military police, justice, lawful interception
Scientific and statistical analysis
Processing of personal data by a natural person in the course of a purely personal or household activity
An entity, or more precisely an "enterprise", has to be engaged in "economic activity" to be covered by the GDPR (Art. 4(18)). Economic activity is defined broadly under European Union competition law.