General Data Protection Regulation (GDPR)

This month (more precise in 17 days) the General Data Protection Regulation (GDPR) becomes effective.

The new Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 repeals the Directive 95/46/EC. This is actually to be seen as an evolution of the former Data Protection Directive. The new GDPR extents the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Now it’s just about time to give you a few GDPR-key-facts in our TechBlog to outline important aspects of the new regulation. Please consider the following as an excerpt for somebody who hasn’t done a GDPR deep dive yet. Also this article would be interesting for consumers to get an overview of their rights starting on May 25th 2018.

Please note that I’m not a lawyer and partly this text is reflecting my own opinion. If you need to implement the GDPR I really urge you to consult a lawyer in order to do so!

Liabilities

In principle Controllers are liable.

Processors (e.g. cloud providers, software vendors) must provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner, that processing will meet the requirements of the GDPR in order to ensure the protection of the rights of the data subject.

Territorial scope – Article 3

This Regulation applies to the:

  1. processing of a controller or a processor in the European Union (EU), regardless of whether the processing takes place in the EU or not.
  2. processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU with relation to:
    • the offering of goods or services in the EU; or
    • the monitoring of their behaviour within the EU.
  3. processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

General conditions for imposing administrative fines – Article 83

Penalties

Penalties are responsibilities of the EU member states.

Administrative Fines

Up to 10.000.000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).

Up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

Lawfulness of processing – Article 6

What is a lawful basis of processing data?

  • The data subject has given consent.
  • Processing is necessary:
    • for the performance of a contract;
    • for compliance with a legal obligation;
    • in order to protect the vital interests of the data subject;
    • for the performance of a task carried out in the public interest;
    • for the purposes of the legitimate interests pursued by the controller.

Consent – Article 7, 8

Who gives explicit consent and how is it obtained?

  • Consent must be given explicit for:
    • data collected and the purposes data is used for (article 7; defined in article 4);
    • children and must be given by the child’s parent or custodian, and needs to be verifiable (article 8);
  • data controllers must be able to prove “consent” (opt-in);
  • consent may be withdrawn – Right to object (article 21).
    • It shall be as easy to withdraw as to give consent.

Right of access – Article 15

  • Right to get access to their personal data and information about how these personal data are being processed;
  • The data controller has to provide:
    • an overview of the categories of data that are being processed;
    • a copy of the actual data;
  • The data controller has to inform the data subject on details about the processing such as:
    • the purposes of the data processing;
    • with whom the data is shared;
    • how is the data acquired.

Right to erasure – Article 17

  • Also called “right to be forgotten”;
  • Right to obtain the erasure of personal data without undue delay if:
    • data are no longer necessary for the purposes for which they were collected;
    • the data subject withdraws consent;
    • there is no other legal ground for the processing;
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation.

Right to data portability – Article 20

  • Ability to transfer personal data from one electronic processing system to another;
  • based on consent of the data subject;
  • carried out automatically;
  • via a commonly used machine-readable format.

Data protection by design and by default – Article 25

  • Implement data protection principles:
    • data minimization;
    • pseudonymisation;
    • integrate necessary safeguards into processing.
  • Ensure that, only personal data which are necessary for each specific purpose of the processing are processed.
  • That obligation applies to:
    • the amount of personal data collected;
    • the extent of their processing;
    • the period of their storage and their accessibility.

Records of processing activities – Article 30

  • Records of processing activities must be maintained including:
    • purposes of the processing;
    • categories involved;
    • envisaged time limits;
    • where applicable, transfers of data to a third country or an international organisation.
  • These records must be made available to the supervisory authority on request.

Security of processing – Article 32

  • Taking into account the:
    • state of the art;
    • costs of implementation;
    • nature, scope, context and purposes of processing.
  • Ensuring security via the:
    • pseudonymisation and encryption of personal data;
    • ability to ensure the ongoing confidentiality, integrity, availability;
    • ability to restore the availability and access to personal data.

Notification of a personal data breach to the supervisory authority – Article 33

  • Controller shall notify the supervisory authority within 72 hours;
  • Processor shall notify the controller without undue delay;
    • describing the nature including where possible, the categories and approximate number of data subjects and data records concerned;
    • communicating the name and contact where more information can be obtained;
    • describing the likely consequences of the personal data breach;
    • describing the measures taken or proposed to be taken by the controller to address the personal data breach.

Communication of a personal data breach to the data subject – Article 34

  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate without undue delay;
  • the data breach shall be described in clear and plain language and contain at least the information and measures referred to in article 33;
  • not be required if:
    • the controller has implemented and applied appropriate technical and organisational protection measures;
    • the data is no longer likely to materialise;
    • it would involve disproportionate effort. In such a case public communication is more adequate.

Data protection officer – Article 37, 38, 39

  • Controller and processor shall designate a data protection officer if:
    • processing is carried out by public authority;
    • data subjects are systematic monitoring on a large scale;
    • special categories are processed as described in article 9:
      • ethic origin;
      • political opinion;
      • religious/philosophical beliefs;
      • biometric/genetic data;
      • sexual orientation.

This seems to be a lot to consider when implementing GDPR. The good news: Intershop already took care of these challenges, providing our ICM with implemented GDPR functionalities. Read more about GDPR compliance with Intershop in our next TechBlog post.

General Data Protection Regulation (GDPR)
Tagged on: