In May 2018, Europe switched to the updated personal data processing rules established by the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016, the GDPR). This regulation, which has direct effect in all 28 EU countries, replaced the framework Data Protection Directive 95/46/EC of 24 October 1995. An important nuance of the GDPR is the extraterritorial principle of the new European rules for the processing of personal data, so you should pay attention to them if the services your company provides are aimed at the European or international market.
The new regulation gives EU residents tools for full control over their personal data. Since May 2018, liability for violating the rules of personal data processing has been toughened: under the GDPR, fines reach 20 million euros or 4% of the company's annual global turnover. In this article, we analyze the new rules of personal data processing in the EU and formulate recommendations for companies on how to respond to the GDPR.
Who is covered by the GDPR?
The GDPR has extraterritorial effect and applies to all companies processing the personal data of EU residents and citizens, regardless of where the company is located. Naturally, branches and representative offices of non-residents in the EU will have to meet the new requirements. Consider another (non-obvious) category of subjects in the following example.
Do such companies have to comply with all GDPR requirements? Yes, if:
- services / products adapted to local languages of EU residents;
- services / goods are paid in local EU currencies;
- services / goods are provided on national top-level domains of EU countries.
This means that organizations in the United States that handle the personal data of Europeans in the course of online sales (for example, railways, airlines, hotels, hostels and others) are subject to the GDPR and must comply with the new European regulation on the processing of personal data. It is important to note that, in addition to the processing of personal data, the GDPR uses the concept of monitoring the behavior of data subjects, and for this reason another category of subjects falls under the GDPR: organizations established outside the EU if they (as controller or processor) monitor the behavior of EU residents, to the extent that such behavior takes place in the EU.
Monitoring may include:
- monitoring of EU residents on the Internet;
- using data processing techniques to profile individuals, their behavior or their relationship to something (for example, to analyze or predict personal preferences).
What is meant by personal data in the GDPR?
Personal data is any information relating to an identified or identifiable natural person (data subject), that is, information by which the person can be identified directly or indirectly. Such information includes, but is not limited to, a name, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. The definition is broad and makes it clear that even IP addresses can be personal data. It is important to note that certain types of personal data fall into the category of special or sensitive personal data: data revealing racial or ethnic origin, political views, religious or philosophical beliefs, and trade union membership. This group also includes genetic data, biometric data used to identify individuals, data on health status, and information concerning sex life or sexual orientation.
6 principles of data processing under the GDPR
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and transparently. Any information about the purposes, methods and scope of personal data processing should be presented as accessibly and simply as possible.
- Purpose limitation. Data shall be collected and used only for the purposes stated by the company (online service).
- Data minimization. Personal data may not be collected to a greater extent than is necessary for processing purposes.
- Accuracy. Personal data that is inaccurate must be deleted or corrected (at the request of the user).
- Storage limitation. Personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing.
- Integrity and confidentiality. When processing user data, companies are required to protect personal data against unauthorized or unlawful processing, destruction and damage.
Notification of GDPR breaches
Companies are required to notify regulators (and in some cases the data subjects) of any personal data breach within 72 hours of discovering it.
A list of national personal data regulators for all EU countries is available on this website. There is also a pan-European body, Working Party 29 (the Article 29 Working Party). However, once the GDPR enters into force, the Article 29 Working Party will be replaced by a new body, the European Data Protection Board (EDPB).
Rights of data subject (individual)
The GDPR significantly extends the rights of EU citizens and residents to control their personal data. European users have the right to request confirmation that their data is being processed, the place and purpose of processing, the categories of personal data processed, the third parties to which personal data are disclosed, and the period for which the data will be processed, as well as to ask for the source of the personal data the organization received and to demand its correction. Moreover, the user has the right to demand that processing of their data be stopped. The GDPR also provides the right to erasure (the "right to be forgotten"), which lets Europeans have their personal data deleted on request in order to prevent its dissemination or transfer to third parties.