What is the GDPR?
The General Data Protection Regulation is a major step in digital privacy and is the result of an extensive process developed in European values. The 99 legal articles in the Regulation aim at strengthening laws on data protection, thereby giving EU citizens control over their personal data, while stressing the ideas of freedom, security and equality within the European Union. The Regulation will apply from 25th of May 2018.
A proposed legislation was made by the European Commission in 2012, and was finely tuned in 2013 by the Edward Snowden case, which increased the need of such action. After four years of debate, the most promoted law in the history of the EU was published on the 4th May 2016 in the EU Official Journal.
The GDPR shadows the need to reform the current Data Protection Directive. This was adopted within the European Union in 1995, during the early years of the internet. The GDPR considers the recent technological developments, as well as the implementations on personal data and online security.
User’s rights regarding your data
User, as a data subject, now own his/her data. Some of your personal data consists of socially oriented categories that contain things such as race, ethnicity, gender, bio-data, sexual orientation, and political and religious opinions, which cannot be held without user’s consent. User have certain rights that are set to safeguard user’s freedom and help user control his/her personal data. It is the controller’s responsibility to ensure that user’s rights are respected according to the Regulation. User’s personal data can only be stored for the time frame necessary to the purposes of the collection. From now on, the user is king!
These rights ensure that user have freedom to control his/her personal data and make sure it is not processed if user have not given consent, unless there are necessary reasons in the legislation or for public interest. It is the controller and processor’s responsibility to follow the Regulation. User’s personal rights could be bypassed by the Member State for scientific, historical or statistical purposes or for archiving. Also, user’s personal data cannot be deleted if it relates to criminal convictions or if there are strong legal grounds for keeping it. When these rights are not applied there must be proper safeguards, which respect the Regulation, and the principle of minimization. This principle demands that only the data necessary for the specific purpose should be processed
User have the right to:
Right to be informed (Art. 13, 14)
User have the right to be informed about how, why and where his/her data is used. It is the controller’s responsibility to inform you by request.
Right to be forgotten (Art. 17)
Within the new Regulation, user now have the right to “be forgotten”. If user want his/her data to be deleted from any server or data storage, even if user have previously given consent, user can have it deleted.
Right of rectification and restriction (Art.16, 18)
User can have his/her data corrected at all times if any information about user appears to be inaccurate or incomplete. It is the right of rectification. User can also request a limitation to the access and handling of his/her data, which is the right of restriction.
Right to object (Art. 21, 22)
User have the right to object, if user have been automatically profiled. User also have the right to object if it affects user significantly. Furthermore, user can object to direct marketing.
Right to portability (Art. 20)
If user is unhappy with the way his/her data has been treated, it is possible for user to move his/her data to another controller.
Infringed rights and the right to complain
As user is the data owner, the regulation aims at protecting user when companies or third parties infringe his/her rights.
In the case of a security breach, which poses a high risk for user’s rights, the controller must contact and inform user. Furthermore, user should receive contact information from the data controller, if user require more details about the breach and the procedure which follows. This information must be conveyed to user in an easy and understandable language.
User have the right to complain to any of the parties involved in the process. If user’s complaint is not dealt with within three months, user have the right to take his/her case to court in his/her country. User also have the right to compensation, and free legal advice.
Controllers and processors can be fined by the supervisory authority – a company can be fined €20 million or 4% of their annual turnover of the preceding year (whichever higher).
Who controls data?
The processor is any individual, company or organization that handles personal data. The processor responds to the data controller.
The controller is any company or organization in charge of ensuring and documenting that the users’ data is processed in accordance to the Regulation.
Before the GDPR, only the controller was reliable for the handling of personal data and there were no consequences for processors in case of infringement. Now, the controller and processor are both responsible for the application of the Regulation and will both be held accountable in case of infringement. This radically changes the relationship between the two of them and will significantly contribute to the creation of a new business culture in the Union.
Data Protection Officer (DPO)
A data protection officer (DPO) is in charge of monitoring the processing of personal data when the organization is a public authority or is processing personal data on a large scale. He/she is appointed and supported by the controller and/or the processor, but is completely independent from the EU – he/she must, however, cooperate with the supervisory authority.
The controllers and the processors respond to the supervisory authority, a public authority which must be established in each member State. The supervisory authority is responsible for monitoring the application of the Regulation, in order to protect the fundamental rights and freedom of users in relation to processing.
It is the supervisory authority’s task to promote public awareness and understanding of the user’s risks, rules, safeguard and rights. It is completely independent from the member State and only responds to the European Commission. Member States must provide the means for the supervisory authority to complete its tasks, but they cannot control their activities. The supervisory authority also deals with cases of infringement and may address fines or suspend data transfers if the Regulation is not complied with.
The European Data Protection Board is composed of the head of the supervisory authority from each Member State and of the European Data Protection Supervisor (or their respective representatives).
The Commission (which is composed of representatives from each country) has a representative on the Board, but cannot vote. The Chair of the Board shall communicate the activities of the Board to the Commission. The Board has its own power and may not take instructions from any other entity.