The new European General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It contains fundamental changes in the way personal data can be handled. The new data regulation will become one of the world’s strictest data privacy laws. There is a wealth of information, interpretations and statements regarding this topic throughout the internet. Here we have summarized the most important points for you.
1. Definition of Personal Data
GDPR redefines the concept of personal data. According to GDPR the following data is classified as personal:
Direct personal data
- Full Name
- ID or Social Security number
- Biometric data (e. g. fingerprints)
- Email address
- Address
- Telephone number
- Birthday
- Logins and Online Identifiers
Indirect personal data
- Economic data (e. g. account numbers, credit card number etc.)
- IP address
- Cultural and social data
- Physical, genetic and mental data if they can be traced back to an individual.
- Poorly pseudo-anonymized data
- Geolocation data
It should be noted that apparently non-personal data can in some cases clearly identify a person by combining it with other data sources. For example, the combination of gender and zip code can lead to a person being uniquely identified. Therefore, these must also be interpreted as personal data.
2. Definition of Roles
GDRP defines the following three roles in regard of data protection.
Data-Subject:
GDPR returns control over personal data back into the hands of the so-called “Data-Subjects”. In the case of GDPR, this is a natural person or individual, more precisely a European citizen.
Data-Controller:
A data controller is a natural or legal person, such as an agency, public authority or any other body that alone or jointly with others decides on the purpose of collecting and processing personal data. In the case of a website, this is the website operator.
Data-Processor:
The Data Processor is a natural or legal person who processes personal data on behalf of the Data Controller. For example, this would be: A service provider, an agency, a marketing tool, a business partner, etc.
A new feature of GDPR is that both the data processor and the data controller are taken into account and can be legally prosecuted. It is also important to note that although GDPR regulates the collection and processing of personal information from EU citizens, this also affects data controllers and data processors outside of the EU if you collect data on EU citizens.
3. Main Obligations of Data Controllers and Data Processors
- Protection of personal data by design and by default.
- The collection, storage and processing of personal information must be communicated in a clear and understandable manner.
- Obligation to store and process personal data only with the explicit consent of the data subject.
- Obligation to protect personal data against manipulation, theft and unauthorized access.
- Obligation to appoint a Data Protection Officer (for business activities in the EU).
- Obligation to report data leaks to the authorities and to inform the persons concerned.
- Obligation, to provide the data subject with information about their stored data upon request (up to a maximum of 30 days).
- Obligation to ensure that data can be completely deleted, anonymized or destroyed upon request.
- Obligation to keep the database up to date (this leads to an automatic expiry date, so to speak).
- Obligation to carry out a DPIA (Data Protection Impact Assessment) for very sensitive data.
- Obligation to define processes to follow in the event of a data breach.
- Obligation to inform the data subject about data transfers to other countries, especially outside of the EU.
- Obligation to use the data only for the purpose for which the data subject has given consent.
- Obligation to know the source of all personal data.
4. Pertinent Rights of the Data Subjects
- Right to transparent information and communication about the use of personal data
- Right to know when personal data is collected and processed
- Right to inspect the stored data
- Right to have the data corrected
- Right to have the data deleted (the right to be forgotten)
- Right to prohibit the processing / use of data
- Right to receive the data in a portable format
- Right to object (for example, at a later date)
- The right that data will not be processed automatically without consent if this has legal consequences (for example, when taking out insurance or applying for a credit card).
- Restrictions on rights: Whenever there are “higher laws”, they restrict the rights of the data subject. (For example, retention periods for invoices and contracts, national security, police investigations, etc.)
5. E-Privacy Directive (aka Cookie-Law)
If the above-mentioned obligations and rights are applied in absolute accordance with GDPR, any collection and processing of personal data is prohibited without consent. This would also prohibit cookies, among other things. However, the current European Directive on e-Privacy 2002 (e-Privacy Directive, Cookie-Law) recognizes that the use of cookies to operate and measure website performance and to improve online services is extremely important. It is therefore permitted to obtain an implied consent for the processing of this data. This has been taken into account for many years by the “cookie banners” on numerous websites. GDPR does not replace the existing e-privacy directive, so this remains valid. However, it is currently being revised and a new version is expected to be released in 2018. In terms of content, the use of the above-mentioned cookies is likely to continue to be permitted by implicit consent. However, this does not apply to marketing cookies that can be used for retargeting.
As you can see, GDPR brings with it many new developments, obligations and rights. Because of the threat of serious fines, it is highly recommended to check your website and online channels for GDPR compliance. We can support you to reach GDPR compliance. Request your individual quote for a GDPR-Compliance-Audit now.
If you have any questions about the new privacy policy, please send me an e-mail.