The GDPR 2016 has eleven chapters, concerning general provisions, principles, rights of the data subject, duties of data controllers or processors, transfers of personal data to third-party countries, supervisory authorities, cooperation among member states, remedies, liability or penalties for breach of rights, provisions related to specific processing situations, and miscellaneous final provisions. The GDPR also contains 173 recitals intended to clarify the scope and rationale of the regulatory provisions, as well as its legislative intent. Recital 4, for instance, begins by saying that the processing of personal data should be "designed to serve mankind".
== General provisions ==

The regulation applies if the data controller, or processor, or the data subject (person) is based in the EU. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by private persons provided that the purpose has no connection to a professional or commercial activity (Recital 18). According to the European Commission, "Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual." The precise definitions of terms such as "personal data", "processing", "data subject", "controller", and "processor" are stated in Article 4.

A single set of rules applies to all EU member states. Each member state establishes an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, etc. If consent to processing was already provided under the Data Protection Directive, a data controller does not have to re-obtain consent if the processing is documented and obtained in compliance with the GDPR's requirements (Recital 171).
== Rights of the data subject ==

=== Transparency and modalities ===

Article 12 requires the data controller to provide information to the "data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."
=== Information and access ===

The right of access (Article 15) is a data subject right. In practice, however, providing such identifiers can be challenging, such as in the case of Apple's Siri, where voice and transcript data is stored with a personal identifier that the manufacturer restricts access to, or in online behavioural targeting, which relies heavily on device fingerprints that can be challenging to capture, send, and verify. Both data being 'provided' by the data subject and data being 'observed', such as about behaviour, are included. In addition, the data must be provided by the controller in a structured and commonly used standard electronic format. The right to data portability is provided by Article 20.
=== Rectification and erasure ===

A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR that was adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including noncompliance with Article 6(1) (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data (see also Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).
=== Right to object and automated decisions ===

Article 21 of the GDPR allows an individual to object to the processing of personal information for marketing or non-service related purposes. This means the data controller must allow an individual the right to stop or prevent the controller from processing their personal data. There are some instances where this objection does not apply. For example, if:
• legal or official authority is being carried out;
• "legitimate interest" applies, where the organisation needs to process data in order to provide the data subject with a service they signed up for;
• a task is being carried out in the public interest.

The GDPR is also clear that the data controller must inform individuals of their right to object from the first communication the controller has with them. This should be clear and separate from any other information the controller is providing and give them their options for how best to object to the processing of their data. There are instances where the controller can refuse a request, namely where the objection request is "manifestly unfounded" or "excessive", so each case of objection must be looked at individually.

are also, following the GDPR, considering legislation to regulate automated decision making under privacy laws, even though there are policy questions as to whether this is the best way to regulate AI.
=== Right to compensation ===

Article 82 of the GDPR stipulates that any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. In the judgment Österreichische Post (C-300/21) the Court of Justice of the European Union gave an interpretation of the right to compensation. Article 82(1) GDPR requires for the award of damages:
(i) an infringement of the GDPR,
(ii) (actual) damage suffered, and
(iii) a causal link between the infringement and the damage suffered.

It is not necessary that the damage suffered reaches a certain degree of seriousness. There is no European defined concept of damage. Compensation is determined nationally in accordance with national law. The principles of equivalence and effectiveness must be taken into account: the "principle of equivalence" dictates that the procedure for EU cases must be equivalent to the procedure for a domestic case, and the "principle of effectiveness" requires that the procedure cannot render the law functionally ineffective. Data processors are only liable for damage caused by processing in breach of obligations specifically imposed on processors by the GDPR, or for damage caused by processing which is outside, or contrary to, the lawful instructions of the data controller.
== Controller and processor ==

[Photo caption: Sign in Luxembourg with notification of data collection]

Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EEA. Firms have the obligation to protect data of employees and consumers to the degree where only the necessary data is extracted with minimum interference with data privacy from employees, consumers, or third parties. Firms should have internal controls and regulations for various departments such as audit, internal controls, and operations. Data subjects have the right to request a portable copy of the data collected by a controller in a common format, as well as the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Data controllers must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. To be able to demonstrate compliance with the GDPR, the data controller must implement measures that meet the principles of data protection by design and by default.

Article 25 requires data protection measures to be designed into the development of business processes for products and services. Such measures include pseudonymising personal data, by the controller, as soon as possible (Recital 78). It is the responsibility and the liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller (Recital 74). When data is collected, data subjects must be clearly informed about the extent of data collection, the legal basis for the processing of personal data, how long data is retained, if data is being transferred to a third party and/or outside the EU, and any automated decision-making that is made on a solely algorithmic basis. Data subjects must be informed of their privacy rights under the GDPR, including their right to revoke consent to data processing at any time, their right to view their personal data and access an overview of how it is being processed, their right to obtain a portable copy of the stored data, their right to erasure of their data under certain circumstances, their right to contest any automated decision-making that was made on a solely algorithmic basis, and their right to file complaints with a Data Protection Authority. As such, the data subject must also be provided with contact details for the data controller and their designated data protection officer, where applicable. Data protection impact assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required, and prior approval of the data protection authorities is required for high risks.

Article 25 requires data protection to be designed into the development of business processes for products and services. Privacy settings must therefore be set at a high level by default, and technical and procedural measures shall be taken by the controller to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers shall also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose. This is known as data minimisation. A report by the European Union Agency for Network and Information Security elaborates on what needs to be done to achieve privacy and data protection by default. It specifies that encryption and decryption operations must be carried out locally, not by a remote service, because both keys and data must remain in the power of the data owner if any privacy is to be achieved. The report specifies that outsourced data storage on remote clouds is practical and relatively safe if only the data owner, not the cloud service, holds the decryption keys.
=== Pseudonymisation ===

According to the GDPR, pseudonymisation is a required process for stored data that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information (as an alternative to the other option of complete data anonymisation). An example is encryption, which renders the original data unintelligible in a process that cannot be reversed without access to the correct decryption key. The GDPR requires the additional information (such as the decryption key) to be kept separately from the pseudonymised data. Another example of pseudonymisation is tokenisation, which is a non-mathematical approach to protecting data at rest that replaces sensitive data with non-sensitive substitutes, referred to as tokens. While the tokens have no extrinsic or exploitable meaning or value, they allow for specific data to be fully or partially visible for processing and analytics while sensitive information is kept hidden. Tokenisation does not alter the type or length of data, which means it can be processed by legacy systems such as databases that may be sensitive to data length and type. This also requires much fewer computational resources to process and less storage space in databases than traditionally encrypted data.

Pseudonymisation is a privacy-enhancing technology and is recommended to reduce the risks to the concerned data subjects and also to help controllers and processors to meet their data protection obligations (Recital 28). Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymisation or full anonymisation where appropriate). Data controllers must design information systems with privacy in mind, for instance by using the highest-possible privacy settings by default, so that the datasets are not publicly available by default and cannot be used to identify a subject. No personal data may be processed unless this processing is done under one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent the data subject has the right to revoke it at any time.
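As an added illustration of the tokenisation approach described above (this is example code written for this page, not text of the regulation or any certified product): a hypothetical in-memory token vault that keeps the value-to-token mapping (the "additional information") separately from the pseudonymised records, preserves each value's length and character classes so legacy validators still accept the tokens, and leaves non-sensitive fields visible for analytics. The TokenVault class, the pseudonymise function and the sample records are all constructed for this example.

```python
import secrets
import string

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"name": "Alice Example", "iban": "DE89370400440532013000", "plan": "premium"},
    {"name": "Bob Example", "iban": "FR1420041010050500013M02606", "plan": "basic"},
]
SENSITIVE_FIELDS = ("name", "iban")  # replaced by tokens; "plan" stays visible for analytics


class TokenVault:
    """Hypothetical lookup table mapping sensitive values to random tokens of the
    same length and character classes. It is the GDPR 'additional information'
    and must be stored and access-controlled separately from the pseudonymised data."""

    def __init__(self):
        self._forward = {}  # original value -> token
        self._reverse = {}  # token -> original value

    @staticmethod
    def _random_char(c):
        # Keep the character class so legacy length/type validators still accept the token.
        if c.isdigit():
            return secrets.choice(string.digits)
        if c.isupper():
            return secrets.choice(string.ascii_uppercase)
        if c.islower():
            return secrets.choice(string.ascii_lowercase)
        return c  # separators such as spaces or '-' are left unchanged

    def tokenize(self, value):
        if value in self._forward:  # same input -> same token, so joins and counts still work
            return self._forward[value]
        while True:
            token = "".join(self._random_char(c) for c in value)
            if token not in self._reverse:  # avoid a collision with an existing token
                break
        self._forward[value], self._reverse[token] = token, value
        return token

    def detokenize(self, token):
        return self._reverse[token]


def pseudonymise(records, vault, reverse=False):
    """Replace sensitive fields by tokens; with reverse=True (vault access needed) restore them."""
    f = vault.detokenize if reverse else vault.tokenize
    return [{k: f(v) if k in SENSITIVE_FIELDS else v for k, v in r.items()} for r in records]
```

Anyone holding only the pseudonymised records cannot recover the originals; re-identification needs the vault, which is why it must live in a separate, separately controlled store.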
Article 33 states the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report. Individuals have to be notified if a high risk of an adverse impact is determined. More details on the function and the role of data protection officer were given on 13 December 2016 (revised 5 April 2017) in a guideline document. Organisations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations.
== GDPR Certification ==

Articles 42 and 43 of the GDPR set the legal basis for formal GDPR certifications. They set the basis for two categories of certifications:
• National certification schemes, whose application is limited to a single EU/EEA country;
• European Data Protection Seals, which are recognized by all EU and EEA jurisdictions.

According to Art. 42 GDPR, the purpose of this certification is to demonstrate "compliance with the GDPR of processing operations by controllers and processors". There are over 70 references to certification in the GDPR, encompassing various obligations such as:

The adoption of the European Data Protection Seals is under the responsibility of the European Data Protection Board (EDPB) and is recognized across all EU and EEA Member States. In October 2022, the Europrivacy certification criteria were officially recognized by the European Data Protection Board (EDPB) to serve as a European Data Protection Seal. Europrivacy was developed by the European research programme and is managed by the European Centre for Certification and Privacy (ECCP) in Luxembourg.
== Remedies, liability and penalties ==

Besides the definitions as a criminal offence according to national law, following Article 83 GDPR the following sanctions can be imposed:
• a warning in writing in cases of first and non-intentional noncompliance
• regular periodic data protection audits
• a fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraph 4):
  • the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
  • the obligations of the certification body pursuant to Articles 42 and 43
  • the obligations of the monitoring body pursuant to Article 41(4)
• a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraphs 5 and 6):
  • the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
  • the data subjects' rights pursuant to Articles 12 to 22
  • the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  • any obligations pursuant to member state law adopted under Chapter IX
  • noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)

== Exemptions ==