The EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and has applied since 25 May 2018. Its adoption is a crucial step in recognizing the value of personal data and the importance of data protection. At a time when technologies increasingly make use of personal data, data protection has become even more pertinent than before. The emergence of new risks related to the use of personal data, and people's concerns about misuse by companies and governments, reinforced the need to articulate requirements for personal data use and to clarify the rights and obligations of the stakeholders involved. Below is an overview of the main terms and principles established by the GDPR, supported by references to specific articles of the GDPR.
Territorial and Material Scope
The GDPR applies to data controllers (i.e., persons or organizations which determine the purposes and means of data processing) and data processors (which process personal data on behalf of a controller) established in the EU, regardless of whether the processing itself takes place in the EU. It also applies to controllers and processors established outside the EU where their processing relates to offering goods or services to data subjects in the EU, or to monitoring the behaviour of data subjects within the EU (art. 3 GDPR). As to material scope, the GDPR covers the processing of personal data wholly or partly by automated means, as well as non-automated processing of personal data which form part of, or are intended to form part of, a filing system (art. 2 GDPR). Decisions based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect them are subject to additional safeguards (art. 22 GDPR).
Personal Data and Processing
Art. 4(1) GDPR defines personal data as “any information relating to an identified or identifiable natural person (“data subject”); […] a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, […] economic, cultural or social identity of that natural person”. Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, retrieval, dissemination or destruction (art. 4(2) GDPR).
The data controller is responsible for ensuring that processing complies with the following principles, and must be able to demonstrate that compliance (accountability): lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (art. 5 GDPR). More information: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
Data Subject Rights
The GDPR sets out data subject rights whose exercise allows data subjects to manage and retain control over their personal data: the right to be informed and the right of access; rectification and erasure; restriction of processing and data portability; the right to object and to lodge a complaint with a supervisory authority; and the right to withdraw consent at any time. More information: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en
In order to comply with the GDPR, the project consortium developed a set of legal, technical and organizational measures to ensure that processing is performed in accordance with the GDPR requirements; these measures are continuously reviewed and updated when necessary.
Data Protection Authorities are the independent public authorities that supervise compliance with the GDPR in each Member State: https://edpb.europa.eu/about-edpb/board/members_en
Access to the GDPR text: https://eur-lex.europa.eu/eli/reg/2016/679/oj