The Regulation applies to controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not. It also applies to controllers and processors not established in the EU that offer goods and services to data subjects in the EU and/or monitor their behavior.
Key GDPR Articles
For the purposes of the Regulation, this article provides a list of terms and their corresponding definitions.
This article defines the essence of the GDPR in terms of the principles relating to the processing of personal data. They are as follows:
- lawfulness (including the need for a legal ground to process personal data), fairness and transparency;
- purpose limitation;
- data minimisation;
- storage limitation;
- integrity and confidentiality.
This article defines what is considered lawful processing of personal data. In summary, for processing to be considered lawful, at least one of the following must apply:
- The data subject has given consent;
- The processing is necessary for the performance of a contract;
- The controller has a legal obligation to comply with another law;
- The processing is required to protect the vital interests of the data subject;
- The processing is required for performing a task in the public interest or in the exercise of official authority;
- The processing is required for the purposes of the legitimate interests pursued by the controller.
Be advised that there are exceptions in particular cases, and additional legal advice is needed.
This article defines how consent should be acquired. It is generally advised that relying on consent should be a last resort. This is because consent must be freely given, and the request for it shall be presented in a clear, intelligible and easily accessible form, using clear and plain language.
This article defines what is considered a special category of personal data. It is important to know that collecting special categories of personal data is prohibited except in some specific scenarios.
The Regulation considers the following categories special:
- data revealing racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- processing of genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
Note that there are many exceptions under which special categories can be processed.
This set of articles defines the rights of the data subject. It is important to note the transparency principle when personal data is collected: when information is provided to the data subject, it must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. There is a thorough set of information that should be provided when personal data is collected (Art. 13). The rights defined in the Regulation are as follows:
- Transparency and information (Art. 12, Art. 13, Art. 14);
- Right of access (Art. 15);
- Right to rectification (Art. 16);
- Right to erasure – “Right to be forgotten” (Art. 17);
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20);
- Right to object (Art. 21);
- Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22).
This article defines the responsibility of the controller for ensuring data protection and the ability to demonstrate it. To achieve that, controllers shall implement appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. There is a general misunderstanding of what “appropriate” means in this context. In many cases this particular requirement is neglected by organizations, which may result in financial losses in the form of penalties for non-compliance.
“Appropriate” must be understood as following the best practices in information security. This is challenging to deliver, given how complex a matter information security is. It is advised to consult a professional in the field and to constantly follow the latest security reports from respected authorities (CERTs, leading vendors in information security) as well as industry-adopted best practices and standards.
This article defines the guidelines related to data protection by design and by default. These two principles are core mechanisms for increasing the security of personal data processing, and pursuing their goals enforces a “security first” culture.
This article defines the relationship between data controllers and data processors. Data controllers may engage only processors that provide adequate security guarantees. Contracts must set out the subject matter, duration of processing, and the obligations and rights of the controller. In addition, the processor must agree to some specific contractual obligations, requiring them to:
- process personal data only on the instructions of the controller, including the transfer of data to third countries;
- ensure that staff are bound by confidentiality;
- ensure the security of the data;
- only use sub-processors with the consent of the controller;
- assist with the handling of individual rights;
- assist with complying with security and breach requirements;
- return or delete all personal data at the end of the contract; and
- allow audits and other monitoring to prove compliance.
Any sub-processing must be subject to the same obligations that are included in the head contract and it is the processor’s responsibility to ensure that such a contract is entered into.
This article defines what needs to be included in the register of processing activities. The requirements differ slightly for the data controller and the data processor. In practice it forces an organization to prepare a thorough map of its personal data; besides contact details, the register includes:
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- transfers of personal data to a third country or an international organization;
- time limits for erasure of the different categories of data;
- a description of the technical and organizational security measures.
Those rules do not apply to an enterprise or organization employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
This article gives additional guidelines on the implementation of security measures. As the article mandates, they should be appropriate to the risk to the rights and freedoms of natural persons, which again underlines the importance of a risk-based approach to data protection. Furthermore, the following risks shall be taken into account:
- accidental or unlawful destruction of personal data;
- unauthorized disclosure of personal data;
- unauthorized access to personal data transmitted, stored or otherwise processed.
These articles define the data breach notification process. They enforce a 72-hour rule for notifying the supervisory authority after the controller becomes aware of the data breach. Art. 33 also defines the strict order and the information that should be reported. Art. 34 defines what should be communicated in relation to a data breach, and in which circumstances.
This article thoroughly describes when and how a data protection impact assessment should be conducted. This is one of the most complicated processes and requires special attention and priority on the journey towards compliance.
This set of articles defines the process of DPO designation (Art. 37), the position of the DPO in the organization (Art. 38) and the tasks of the DPO (Art. 39).
According to Art. 40 (1): “The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.” This instrument will allow associations and other bodies representing categories of controllers or processors to prepare codes of conduct appropriate for their specific sector of business. How it will unfold is yet to be seen.
According to Art. 42 (1): “The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.” It is important to note that such certification, when available, does not reduce the responsibility of the controller or the processor for compliance. When such certification procedures become available, certifications should not be issued for more than three years.
This set of articles defines the rules for transferring personal data outside the European Economic Area (EEA). The matter is complex, so consulting a subject matter expert is highly advisable. In a nutshell, there is a general prohibition on transfers of personal data to jurisdictions outside the EEA unless strict conditions are met (model clauses, adequacy determinations and binding corporate rules – BCRs). As this is a sensitive matter for global organizations, it is recommended to:
- Perform a complete analysis of the data flows;
- Review cloud service agreements;
- Ensure that appropriate measures such as model clauses or BCRs are in place;
- Ensure that appropriate safeguards are in place when the organization receiving the controller’s personal data uses sub-contractors;
- Monitor the adequacy status of importing countries or territories.
This set of articles defines how supervisory authorities (SAs) operate. From a business perspective it is good to note the SAs’ tasks, defined in Art. 57 (1), and their respective powers, defined in Art. 58. The principles of cooperation and consistency are defined throughout Art. 60-66.
Art. 83 defines the general conditions for imposing administrative fines. It is good to note Art. 83 (2), as it defines what shall be considered before imposing an administrative fine. It requires further reading, but the summary of the fines is as follows:
Up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations under the following Articles:
- 8 (Conditions applicable to child’s consent in relation to information society services),
- 11 (Processing which does not require identification),
- 25 (Data protection by design and by default),
- 39 (Tasks of the data protection officer),
- 42 (Certification),
- 43 (Certification bodies).
Up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations under the following Articles:
- 5 (Principles),
- 6 (Lawfulness of processing),
- 7 (Conditions for consent),
- 9 (Processing of special categories of personal data),
- 12-22 (Data subjects’ rights),
- 44-49 (Transfers of personal data to third countries or international organisations),
- as well as non-compliance with an order by the supervisory authority as referred to in Article 58 (2).