The increase in the exchange of data between economic and social, public and private sectors across the Union has created the need for a stronger and more coherent data protection framework. The EU General Data Protection Regulation will need to be complied with both within and outside the EU territory and is therefore especially relevant for all businesses that are active on an international level.

The General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive 95/46/EC and will be directly applicable in all Member States from 25 May 2018, without the need for implementing national legislation. In 1995 the EU Data Protection Directive was incorporated into the EEA Agreement in a slightly adapted version, resulting in the Directive applying to all EEA countries. Once adopted in the EU, the GDPR will also need to be incorporated into the EEA Agreement in order to apply in the EEA countries as well. While maintaining the same core principles as the Directive, the Regulation introduces significant changes to the IT operations of businesses and to the way these businesses, within and outside the EU, process the personal data of their EU resident customers. A single set of rules will apply to all EU Member States, and each Member State will establish an independent Supervisory Authority to sanction administrative offences, investigate complaints, etc. Switzerland is also currently revising its Data Protection Act, which will take over several features of the GDPR.

The Regulation focuses on the right of individuals to have control over their own personal data, and most significantly on the right to data portability, that is, the right to transfer one's personal data from one organisation to another.

It aims to provide legal certainty, coherence and transparency, and to give natural persons in all Member States the same level of legally enforceable rights. It defines the obligations and responsibilities of data controllers and processors so as to ensure consistent monitoring of the processing of personal data. Sanctions will be uniform in all Member States, and there will be effective cooperation between the supervisory authorities of the different Member States.

To Whom Does this Regulation Apply?

This Regulation applies if the data controller (the organisation that collects data from EU residents), the processor (the organisation that processes data on behalf of the data controller), or the data subject (the person) is based in the EU. Consequently, the Regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g. in Switzerland). Non-EU data controllers and processors will therefore need to consider the effects of the Regulation on their operations.

What is 'Personal Data'?

Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. This can include a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, etc.

Processing

This refers to any operation which is performed on personal data, whether by automated means or not, for instance, collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, erasure or destruction.

Personal data is to be processed lawfully, fairly and in a transparent manner, and shall be collected for specified, explicit and legitimate purposes. It shall be limited to what is necessary in relation to the purposes for which it is processed.

Processing shall be lawful only if at least one of the following conditions applies:

  1. the data subject has given his/her consent to the processing of his/her data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially in the case of a child.

Consent

Where processing is based on consent, the controller must be in a position to demonstrate that the data subject has consented to the processing of his or her personal data. If such consent is given in a written declaration that also concerns other matters, the request for consent to processing must be presented in a manner that is clearly distinguishable from the other matters. Consent cannot be given for a blanket purpose.

The data subject shall have the right to withdraw his or her consent at any time, but such withdrawal shall not affect the lawfulness of processing carried out before the withdrawal.

September 2017

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.