EU Data Protection Directive
The EU Data Protection Directive (95/46/EC) set out general data protection principles and obligations that European Union (EU) member states were required to transpose into national law and implement. It was the first EU-wide legislation protecting individuals’ privacy and governing the use of their personal data. It was eventually replaced by the GDPR in May 2018.
General Data Protection Regulation (GDPR)
The GDPR is the European Union regulation that went into effect May 25, 2018, and currently governs the data protection framework in Europe. The law has a broad scope that covers organizations that process the personal data of EU residents, wherever those organizations are located in the world. The GDPR is meant to harmonize the EU data protection landscape and protect the rights and freedoms of EU individuals.
The e-Privacy Directive (2002/58/EC) of the European Parliament and of the Council currently governs the privacy rights that apply to electronic communications technology and content. It was amended in 2009, is legally binding on all EU member states, and requires local implementation.
- Among many requirements, the legislation mandates websites obtain consent before placing cookies for marketing purposes.
European Data Protection Supervisor (EDPS)
The EDPS, established in 2004, is the data protection regulator for the European Union as an entity and aims to protect the rights and freedoms of data subjects. It has two main functions. The first is to supervise the compliance of personal data processing, handle any complaints, and conduct inquiries. The second is to advise EU institutions, such as the Parliament, Commission, and Council of the European Union, on all personal data processing aspects related to policies and legislation. The EDPS also acts as a secretariat to the European Data Protection Board (EDPB).
European Data Protection Board (EDPB)
Replacing the Article 29 Working Party, the EDPB’s role is to ensure the consistent application of the GDPR and to support cooperation between regulators by publishing advice, guidance, recommendations, and best practices. It is composed of the heads of the supervisory authorities of the member states and the EDPS. The supervisory authorities elect a chairperson, with certain powers, from their membership.
DPA, Supervisory Authority, Lead Authority
Data Protection Authorities (DPAs) are independent public entities appointed to enforce privacy or data protection laws and regulations in the EU. DPAs provide advice on data protection issues and handle complaints from individuals. Each member state has its own DPA with enforcement powers, such as imposing fines of up to 4% of a company’s global annual revenue.
A data subject is defined as an identified or identifiable natural person about whom personal data is processed.
- An example is an individual, a customer, prospect, employee, etc.
A data controller is defined as an organization, individual, public authority, or any other body which alone or jointly with others determines the means and purposes of processing personal data. They’re the ones who have a relationship with the data subject.
- Obligations include allowing individuals to exercise their right to access their information, keeping records of consent, and ensuring compliance for international data transfers. Controllers are also subject to fines and to claims from data subjects.
A data processor is an organization or individual that processes information on behalf of a data controller. They have no decision-making authority and can’t do anything with data unless instructed by the controller.
- An example is a payroll company, accountant, or research company.
Data Protection Officer (DPO)
A DPO is a staff member or contractor hired to ensure and demonstrate compliance with data protection laws. The GDPR makes the appointment of a DPO obligatory if processing is carried out by a public authority, is carried out on a large scale, or includes special categories of data. DPOs must be experts in data protection laws and practices, and their duties include communicating with supervisory authorities, conducting DPIAs, and advising the organization on the GDPR and how to comply with it.
Personal data is one of the main terms in the EU and is broadly defined in the GDPR as any information relating to an identified or identifiable natural person. Information can be anything such as a name, photo, address, IP address, job title, bank details, or a combination of data that directly or indirectly identifies an individual.
Not sure what counts as personal data? Use this 4-step process to determine what classifies as personal data.
- Any Information – anything from a name to an address.
- Relating to – especially combined, for example, a job title might not relate to a single person but combined with a name it could.
- Identified or Identifiable – refers to indirect identification
- Natural Person – the data subject, distinguished from a corporation
Sensitive Personal Data
GDPR also refers to sensitive personal data as special categories because its processing has a more profound impact on an individual’s privacy rights. Therefore, it has a higher standard of protection.
Essentially sensitive personal data is:
- Personal Data Revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- For the Purposes of Uniquely Identifying a Natural Person: with genetic or biometric data
- Data Concerning: Health or sexual orientation.
Consent is any “freely given, specific, informed and unambiguous” indication of the individual’s wishes by which the data subject, either by a statement or by clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes.
Consent should be:
- Freely given – the request for consent must be clearly distinguishable from other matters, intelligible, and in clear and plain language.
- Specific – data subjects must be informed of all intended purposes for processing personal data at the time of consent.
- Informed – for consent to be legitimate data subjects must be informed, at least, of the controller’s identity, the purpose of processing, and information about how processing may affect data subjects.
- Unambiguous – an indication of one’s wishes, absolutely clear, and requires a clear positive, affirmative action.
Data Subjects' Rights
Access & Rectification
The access and rectification right entitles data subjects to request certain information held by the controller. Access must be free of charge, except that a small administrative fee may be charged for making copies.
Right to Be Informed
The right to be informed allows EU citizens to be informed about the collection and use of their personal data at the time of collection. Organizations that collect personal data must provide individuals with the following information in a concise, transparent, intelligible, and easily accessible format:
- Purpose of processing personal data
- Retention periods for the data
- Who the data will be shared with
Right to Data Portability
Data portability gives individuals the right to obtain and transfer their data to a different controller or service in a “commonly structured and machine-readable form”. Individuals only have this right when:
- Your lawful basis for processing information is consent or the performance of a contract
- You are carrying out the processing by automated means
Right to Erasure
The right to erasure is also known as the “Right to be Forgotten”: data subjects may request that their personal data be erased and no longer processed.
Right to Restriction of Processing
The right to restriction of processing describes the marking of stored personal data with the aim of limiting its processing in the future. It differs from erasure in that it allows the personal data to continue to be stored without being further processed.
Right to Rectification
The right to rectification provides individuals with the right to request a modification to their data, including correction of errors and updating incomplete information.
Right to Object
The right to object gives a data subject the right to object to the processing of their personal data; however, it is not an absolute right. Individuals may have the right to object if the processing is based on:
- A task carried out in the public interest
- The exercise of official authority
- Legitimate interest
The rules on automated processing give data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them.
Privacy notices can be delivered in several forms:
- Layered Notices – a set of multiple layers of increasingly detailed notices.
- “Just-in-Time” Notices – delivered right at or before the point where a user accepts a service or product, helping to facilitate a meaningful choice.
- Standardized Icons – the challenge is to create human- and machine-readable icons that accurately reflect the meaning of the notice text.
General GDPR Terminology
Data processing is any operation performed on personal data. It covers many actions across the data lifecycle, including collection, restriction, organization, alteration, disclosure, destruction, storage, and more.
When relying on the legitimate interest of the controller or a third party, it is up to the controller to demonstrate that the data subject’s fundamental rights have not been compromised. When using legitimate interest as one of the legal bases for processing personal data, you should:
- Ensure the purpose is legitimate
- Ensure processing is necessary to the legitimate interest
- Inform data subjects at the time of collection
- Balance interests with the data subjects’ interests
- Uphold fundamental rights and freedoms
Cross Border Data Transfers
The cross-border transfer of personal data to countries outside the European Economic Area (EEA) or to international organizations is subject to restrictions. Data does not need to be physically transported to count as transferred: viewing data from another location is treated as a transfer for GDPR purposes.
There are three options for data transfers:
- Adequacy Decisions – a decision that a country, territory, or sector provides an adequate level of data protection.
- Appropriate Safeguards – legal tools designed to ensure the recipients of EU personal data are bound to continue to protect that data to a European-like standard.
- Derogations – an exemption from the prohibition on transferring personal data outside the EEA.
A data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or processed. The GDPR instituted new rules for notification of supervisory authorities and data subjects following the discovery of a data breach, depending on the risk the breach presents to the rights and freedoms of data subjects.
- Data Breach Notification – If the breach is discovered by a processor, it must inform the controller without undue delay. When the breach is discovered by a data controller, the controller must notify the supervisory authority and the affected data subjects without undue delay and within 72 hours.
- The notification must include information such as who is impacted, how many individuals are affected, what types of data are involved, contact information, the likely consequences, and the follow-up measures.
- A controller might not have to notify data subjects if:
  - Safeguards were already in place before the breach
  - Post-breach actions have reduced the risk
  - Individual notice would require disproportionate effort
Data Protection By Design
Data protection by design is when an organization builds data security and privacy compliance prior to processing and incorporates it in the planning phase. Only data that is considered “absolutely necessary for the completion of duties” may be stored and processed.
Data Protection by Default
Data protection by default is when an organization limits the collection, processing, storage, and accessibility of data. Essentially, it is the implementation of appropriate technical and organizational measures to ensure that, by default, only the personal data that is absolutely necessary for each specified purpose of processing is processed. It applies to the amount of data being collected, the extent of the processing, the period of storage, and accessibility.
- An example of an appropriate organizational measure to minimize the processing of personal data is to pseudonymize personal data as soon as possible. Pseudonymization is the processing of personal data in a way that it can no longer be attributed to a specific data subject without the use of additional information.
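The pseudonymization just described, as an added illustration (not code from the page or any regulator): direct identifiers are replaced with a keyed token, and the key and the token-to-identity lookup are the "additional information" that must be held separately from the working data. The sample records and the key are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (fictional customers) for the demonstration.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com", "purchase": "39.90"},
    {"name": "Bob Example", "email": "BOB@example.com", "purchase": "12.50"},
    {"name": "Alice Example", "email": "Alice@Example.com", "purchase": "5.00"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised identifier. A plain hash would let
    anyone holding a list of e-mail addresses recompute the tokens; the secret
    key is what makes re-identification depend on 'additional information'."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (pseudonymised records, lookup). The lookup maps token -> the
    original identifiers and must be stored apart from the working records."""
    out, lookup = [], {}
    for rec in records:
        token = make_token(rec["email"], key)
        lookup.setdefault(token, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        out.append({"subject": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def total_per_subject(pseudo_records: List[Dict[str, str]]) -> Dict[str, float]:
    """Analytics still works on tokens without touching any identity data."""
    totals: Dict[str, float] = {}
    for rec in pseudo_records:
        totals[rec["subject"]] = round(totals.get(rec["subject"], 0.0) + float(rec["purchase"]), 2)
    return totals


def reidentify(token: str, lookup: Dict[str, Dict[str, str]]):
    """Only a party holding the separately stored lookup can do this."""
    return lookup.get(token)


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # in practice: kept in a separate key store
    pseudo, table = pseudonymize(SAMPLE_RECORDS, demo_key)
    print(pseudo, total_per_subject(pseudo), sep="\n")
```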
Data Protection Impact Assessment (DPIA)
A DPIA is a process where companies can systematically assess and identify the privacy and data protection impacts of any products they offer and the services they provide. It can also help demonstrate compliance to supervisory authorities.
- A DPIA is required when processing is likely to present a high risk to the rights and freedoms of data subjects. Examples include automated processing, large-scale processing of special categories of data, and systematic monitoring of a publicly accessible area on a large scale.
- A DPIA should include a description of the processing, an assessment of its necessity and proportionality, the risks of the processing, and the measures to address those risks.