Introduction

It has been one year since General Data Protection Regulations ("GDPR")1 came into force. Much of the confusion, panic and stress in the various organizations are quietening down. We now have some understanding of what GDPR is and why all organizations were scrambling to comply. We are understanding now how it trickles to Indian corporates. This is the first in a series of articles we propose to write on this topic.

The General Data Protection Regulations (EU) 2016/679 more commonly referred to as GDPR Regulations have been brought into effect by the European Union ("EU") on 21 May 2018. These Regulations are intended to empower the ordinary man to have more power and control over his data i.e. how it is to be shared, stored, how long it may be stored, in what form it should be stored etc. Being an EU legislation, it protects people within EU and European Economic Areas (EEA).

This is in stark contrast to the United States of America which has sector specific data protection laws such as Federal Trade Commission Act (unfair and deceptive trade practices), HIPAA in the Healthcare sector and so on. Further, state laws address the more specific issues such as privacy, data security issues, data breaches, security issues among others.

We are writing a series of articles (watch out for more info) on these GDPR Regulations and how it affects businesses.

This first part is meant only to give readers a basic idea of GDPR and what it entails.

Who Does GDPR apply to?

GDPR only protects the personal data of a natural person. Therefore, corporate entities would not be protected under these regulations. It further only applies to those natural persons who are within the territorial jurisdiction of the EU. GDPR does not provide that such persons have to be citizens of the EU countries.

The Regulations also do not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

Who does GDPR affect?

GDPR affects those organizations in EU that are processing the data of the natural persons within EU. It also applies to those organizations which are situated outside EU, but either offer their goods or services to the persons in EU, or monitor the behavior of the data subjects in EU.

Any company that is processing or holding the personal data of a data subject situated in EU shall be affected by GDPR.

What is intended to be protected?

GDPR protects personal data which includes the name, number, location, information that relates to other factors such as physical, psychological, genetic, mental, economic, cultural or society identity of a natural person.

Prohibited Categories of Personal Data2

GDPR strictly prohibits processing of any personal data which reveals any special category of a person. The various special categories are inter-aliaracial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data for the purpose of uniquely identifying a natural person, data concerning a natural person's sex life or sexual orientation.

However, GDPR also provides for exemptions which exempt the controllers and processors from the special category prohibition:

  1. Explicit Consent: If any person gives an explicit consent for the processing of their personal data, for either one or more specific purpose. However, even this exemption has an exception i.e. if the Union or Member State law prohibits such an exemption.
  2. Employment: This exemption is necessary for employers to carry out their obligations and to exercise any specific rights pertaining to the personnel in the field of employment and social security and social protection law.
  3. Vital Interest: This is when data processing is necessary to protect the vital interest of the person or another natural person, and such person is unable to give their consent, either physically or legally.
  4. Membership Organizations: When processing is carried out by an organization in the course of its legitimate activities. Such an organization should have taken appropriate safeguards. The organization may be a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. The data may be processed on the condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of such person.
  5. Publicly Disclosed Data: When the data has been made public by the person himself.
  6. Legal Proceedings: When processing the data is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.
  7. Substantial Public Interest: When processing is necessary for substantial public interest.
  8. Medicine: When processing is necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of heath or social care or treatment or the management of health or social care systems and services.
  9. Public Health: When processing is necessary for public interest in the areas of public health such as protection against serious cross border threats to heath or ensuring high standards of quality and safety of health care and medicinal products.
  10. Research: When processing is necessary for either public interest or for scientific purposes or for historical purposes or for statistical purposes.

The Processor and the Controller3

The personal data of a person is processed by the processor, who is further controlled by the Controller. Processing of the data would include collecting, organizing, recording, structuring, storing, adapting, altering retrieving, using, destructing the data. A Controller can be anyone from a natural or legal person to a public authority, agency or any other body which determines the purpose and means of processing the personal data. In some scenarios, the processor and the controller may be the same.

Conclusion

Personal data of a person, many times gets breached or stolen. The GDPR Regulations, have now made sure that any organization under whose surveillance such a breach takes place is held liable for such breach. This in turn leads to all organizations around the world, be it Google, Yahoo, Facebook or Instagram to update their privacy policies and make them severer and more difficult to violate. GDPR has further provided for the maximum penalties which would be levied if such GDPR is breached by an organization. The maximum fine levied on such an organization is a fine up to 4% of their annual global turnover or ? 20 million, whichever is higher.4

- Archana Balasubramanian / Rhea Sethi

Published Date: June 24, 2019

Footnotes

1. https://gdpr-info.eu/, last visited on 21 June 2019.

2. https://www.gdpreu.org/the-regulation/key-concepts/special-categories-personal-data/, last visited on 21 June 2019.

3. https://gdpr-info.eu/art-4-gdpr/, last visited on 21 June 2019.

4. https://gdpr-info.eu/art-83-gdpr/, last visited on 21 June 2019.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.