The General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016 and came into force on May 25, 2018. It regulates the processing of the personal data of individuals in the EU.
The GDPR applies to all businesses and organisations that operate in the EU and handle the personal data of clients, including law firms, consulting firms, and real estate companies offering golden visa and citizenship schemes. The rules specify how personal data is collected, stored, processed and deleted, with regard to the data protection and privacy of clients.
The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
The GDPR applies to any business that processes personal data, whether by automated or manual means. Even if your business only processes data on behalf of other companies (that is, as a processor), you still need to abide by the rules.
- One Union, one law: a single set of rules makes it simpler and cheaper for companies to do business in the EU.
- One-stop-shop: in most cases, companies only have to deal with one Data Protection Authority (DPA).
- European rules on European soil: companies based outside the EU must apply the same rules as European companies when offering their goods or services to individuals in the EU.
- Risk-based approach: the GDPR avoids a burdensome, one-size-fits-all obligation and instead tailors obligations to the respective risks.
- Rules fit for innovation: the GDPR is technology neutral.
When the GDPR applies
The GDPR applies if: your company processes personal data and is based in the EU, regardless of where the actual data processing takes place; or your company is established
According to the GDPR, actions such as collecting, using and deleting personal data all fall within the definition of processing personal data.
- Do you monitor your premises via CCTV?
- Do you consult a database containing personal data for business purposes?
- Do you send promotional emails?
- Do you delete (digital) employee files or shred documents?
- Do you post a photo of a person on your website or social media channels?
If you answered 'yes' to any of these, then your company is certainly processing personal data.
Record keeping: companies with fewer than 250 employees are not required to keep records of their processing activities unless the processing is not occasional, is likely to pose a risk to individuals' rights and freedoms, or involves sensitive (special category) data.
Companies must provide individuals with information on who is processing their data, what data is processed, and why.
Personal data
Personal data refers to any information that relates to an identified or identifiable, living individual. This can include:
- a name and surname;
- a home address;
- an email address that identifies a person, such as one formed from a first and last name;
- an identification card number;
- location data (for example, the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Examples of data that is not personal data
- a company registration number;
- a generic mailbox address, such as a company's general enquiries address;
- anonymised data (data that can no longer be linked to an individual; pseudonymised data, by contrast, remains personal data).
Under the GDPR, cookies and other online identifiers are treated as personal data wherever they can be used to single out or identify an individual, and this applies in all EU member states. The requirement to obtain consent before placing non-essential cookies comes from the ePrivacy Directive, which works alongside the GDPR. Cookies are pieces of tracking data that websites place in users' browsers for analytics or advertising.
Sensitive data
If the personal data you collect includes information on an individual's health, race or ethnic origin, sexual orientation, religion, political beliefs or trade union membership, or genetic or biometric data, it is considered sensitive (the GDPR calls these 'special categories' of personal data). Your company can only process this data under specific conditions and you may need to implement additional safeguards, such as encryption or pseudonymisation.
Consent
The GDPR applies strict rules for processing data based on consent. Consent must be freely given, specific, informed and unambiguous, expressed by a clear affirmative act (pre-ticked boxes or inactivity do not count), and it must be as easy to withdraw as it was to give. The company relying on consent must be able to demonstrate that it was obtained.
Children
If you process a child's personal data on the basis of consent, the consent of a parent or guardian is required for children below the national age threshold. Because that threshold varies between 13 and 16 across member states, it is advised that you consult national law.
What is data processing?
Processing covers a wide range of operations performed on personal data, by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Examples:
- staff management and payroll administration;
- access to/consultation of a contacts database containing personal data;
- sending promotional emails;
- shredding documents containing personal data;
- posting/putting a photo of a person on a website;
- storing IP addresses or MAC addresses;
- video recording (CCTV).
Data processor vs controller
Data protection rules distinguish between the data controller and the data processor, with different obligations applying to each. The data controller determines the purposes and means of processing the personal data, whereas the data processor only processes the personal data on behalf of, and on the documented instructions of, the data controller. Processors nonetheless have direct obligations of their own, such as securing the data and notifying the controller of any personal data breach.
Transferring personal data outside the EU?
The GDPR applies to the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein and Norway. When personal data is transferred outside the EEA, the protections offered by the GDPR should travel with the data. This means that to export data abroad, companies must ensure that certain safeguards are in place. The GDPR offers a diversified toolkit of mechanisms to transfer data to third countries.
According to the GDPR, such transfers are allowed when:
- the destination country's protections have been deemed adequate by the EU (an 'adequacy decision'); or
- your company puts appropriate safeguards in place, for instance by including specific clauses (standard contractual clauses) in the contract concluded with the non-European importer of the personal data; or
- your company relies on specific grounds for the transfer (called 'derogations'), such as the explicit consent of the individual, which are meant for occasional transfers rather than routine ones.
For more information on the rules applying to international data transfers, consult the European Commission's Communication on Exchanging and Protecting Personal Data in a Globalised World.
Brexit
All Union primary and secondary law will cease to apply to the United Kingdom from 30 March 2019, 00:00h (CET) ('the withdrawal date'). The United Kingdom will then become a 'third country'. In view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, all stakeholders processing personal data are reminded of the legal repercussions that need to be considered when the United Kingdom becomes a third country. Subject to any transitional arrangement that may be contained in a possible withdrawal agreement, as of the withdrawal date the EU rules for the transfer of personal data to third countries apply to transfers to the United Kingdom.
Fines and penalties
Failure to comply with the GDPR may result in significant fines: up to EUR 10 million or 2% of your company's total worldwide annual turnover for some breaches, and up to EUR 20 million or 4% of turnover for the most serious ones (in each case, whichever is higher). The DPA may impose additional corrective measures, such as ordering the cessation of the processing of personal data. You should also consider the reputational damage that non-compliance could cause.
Data breaches
A personal data breach occurs when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data being processed. If this happens, the organisation controlling the personal data must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. A processor that discovers a breach must notify the controller without undue delay. The individuals concerned must also be informed without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
Read more: https://ec.europa.eu/info/law/law-topic/data-protection_en