When a new regulation comes up, when a new directive has to be applied, when any kind of legal changes occur, everybody speaks about the consequences, procedures, to do lists, worries, but just a few of us takes really care about the content.
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and it will enter into force on the 25th of May 2018. After four years of negotiations, it was released in April 2016 by the European Parliament and European Council. It replaces the 1995 EU Data Protection Directive (Directive 95/46/EC) and the member states Data Protection Acts. The main goal of the new regulation is to upgrade the old directive to the new technical challenges, to unify and harmonize the national data protection laws across the EU, to strengthen the obligations on those who process the personal data of EU individuals and enhance the rights of EU individuals to protect their privacy. GDPR is about natural persons and their private data but it has an effect on all the entities, companies, bodies, which are processing personal data.
In this section we will understand how GDPR defines personal data, we will know who the main actors of the GDPR are and we will know which are the connections between them.
What is personal data?
The GDPR definition is more detailed, compared to the previous directive’s and the local legislation’s explanations. GDPR takes it “as any information relating to an identified or identifiable natural person|” who is called data subject. (Art. 4 (1))
- Any data: including name, last name, digital identifiers, etc.
- Related to: the information as a stand-alone is not a personal data, should be related to a person. For example, if you take an Excel sheet with last names it can be not considered as personal data. It should bound with a first name, birthday, passport number, position in the company, etc.
- Identified natural person: is one that is clearly known, named, identified in the true sense of being recognized, singled out.
- With an identifiable natural person things get a bit more complicated in practice. Online identifiers like IP addresses, login IDs, and specific data like biometric identifiers, geographic location data, video footage, customer loyalty histories, social media posts and photos, which can reflect some features of the natural person, combined with his or her unique identifiers could help us to understand who we are talking about.
A more specific category is the sensitive data, when we see a sensitive relation with fundamental rights and freedom, like racial and ethnical origin, biometric data, data related to health issues, memberships, etc. This kind of data needs a special treatment.
Now we will introduce you the key actors of the GDPR, who has dealings with the personal data:
Controller: the entity, which determine the purposes and means of the processing of the personal data. (Art. 4 (7)) Bear in mind, the controller is the only one who has direct contact with the data subject.
Processor: the entity, which processes personal data on behalf of the controller. (Art. 4 (8))
Between the two should exist a binding contract, which establishes the nature and purpose of the
processing, the type of personal data and categories of data subjects and the obligations and rights of
the controller. (Art. 28 (3-4))
The processing means operations performed on personal data such as collection, structuring, storage, adaptation or alteration, retrieval, use, misuse, erasure or destruction. (Art. 4 (2)) Here we will face several situations that we never considered dangerous before, including emailing my colleagues phone number to another person, calling a person without having a previous agreement, which gives us the right to do that. And here we are linking to the consent.
Consent of the data subject means any freely given and unambiguous indication, which gives an agreement
to the processing of his or her personal data. (Art. 4 (11))
Here we should take care on the granularity. For each desire should be a specific consent, and the data subject should have the right to choose to which one he/she wants to give his/her consent. The data subject has to have the right to withdraw anytime any of these consents, this should be treated in a flexible and transparent way.
There would be much more to speak about, but the other terms I connected to specific subjects, will be elaborated in the upcoming articles.