Written by Dr Alex Borg
The European Union General Data Protection Regulation (GDPR) is a set of rules about how government, companies and other entities should process the personal data of data subjects. The GDPR lays out responsibilities for organizations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organization is not complying with GDPR requirements.
In this article, I have decided to delve only into the Regulation’s most salient articles to give the readers a clear understanding of its importance in this day and age.
- Lawful, fair and transparent processing
The entities that process personal data are asked to process the personal data in a lawful, fair and transparent manner.
- Limitation of purpose, data and storage
The entities are expected to limit the processing, collect only that data which is necessary, and not keep personal data once the processing purpose is completed.
- Data subject rights
The data subjects have been assigned the right to ask the entity what information it has about them, and what the entity does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.
When the company intends to process personal data beyond the legitimate purpose for which that data was originally collected, clear and explicit consent must be obtained from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw his or her consent at any moment.
- Personal data breaches
The entities must maintain a Personal Data Breach Register and, based on the severity of the breach, the regulator and the data subject should be informed within 72 hours of identifying the breach.
- Privacy by Design
Entities should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes; that is, privacy and protection aspects should be ensured by default.
- Data Protection Impact Assessment
To estimate the impact of any change or new action within a business process, a Data Protection Impact Assessment should be conducted before that change or action is implemented.
- Data transfers
Data Controllers have the obligation to ensure the protection and privacy of personal data when that data is being transferred outside the entity, to a third party and/or other organization within the same entity.
- Data Protection Officer
When there is significant processing of personal data in an entity, the entity should assign a Data Protection Officer who would advise the company about compliance with EU GDPR requirements.
- Awareness and training
Entities must create awareness among employees about key GDPR requirements, and conduct regular training to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and identification of personal data breaches as soon as possible.
Some important judgements have been delivered since the coming into force of the GDPR.
In the landmark judgement – the Nordic Legal Precedent – Google lost its GDPR case on the ‘right to be forgotten’. Finland’s Supreme Court ordered Google to remove the personal data of a convicted murderer, including all connected URL links, from its search engine.
Following the important Mario Costeja González case (Case C-131/12), “inadequate, irrelevant or no longer relevant” data is to be deleted.
On 5th June 2018 the European Court of Justice decided that administrators of Facebook fan pages were jointly responsible with Facebook for the processing of data related to visitors to the site.
The recent landmark judgement delivered on 9 March 2017 by the Court of Justice of the European Union in the Salvatore Manni case (C-398/15 Manni) develops the ‘right to be forgotten’ further: the right is not absolute and does not confer a blanket entitlement to be forgotten. The protection of third parties may take precedence over the individual’s right to be forgotten.
The GDPR should not be taken lightly. It is an important piece of legislation which will surely revolutionise the way Government, companies and other entities handle personal data. Infringements of this Regulation may result in fines of tens of thousands of Euros.