Data Protection Directive
The European Directive 95/46/EC governs the processing of personal data in the EU and will now be replaced by the GDPR as of May 25, 2018. The Directive introduced minimum standards, which had to be implemented by separate legislation in each EU Member State. This gave Member States the option to extend the scope of the Directive or retain pre-existing higher standards, or decide not to take full advantage of derogations, which explains why different data protection standards apply across Europe. It can be found online: https://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was adopted as Regulation (EU) 2016/679 of the European Parliament and of the Council on April 27, 2016.
In contrast to the Data Protection Directive, the GDPR is intended to apply directly in each EU Member State without the need for implementing legislation, and to create a framework within which more detailed rules can be made. This harmonizes the legislation across Europe [see Territorial scope]. For example, the requirement to notify the DPA [see DPA] of new processing will be abolished (except in a limited number of cases) and be replaced by an obligation to document all processes. Controllers [see Data controller] and processors [see Data processor] must agree on the responsibilities between them; otherwise, they will be jointly and severally liable. The Regulation can be found online: https://eur-lex.europa.eu/legal-content/EN/TXT/
e-Privacy Directive
The e-Privacy Directive was first adopted as Directive 2002/58/EC of the European Parliament and of the Council. It currently governs the privacy rights that apply to electronic communications technology and content. The Directive can be found online: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do
Following the adoption of the GDPR, the e-Privacy Directive will be revised to comply with the GDPR and address the technological innovations created since the Directive’s last amendment in 2009. A draft proposal of the Regulation titled “Regulation on Privacy and Electronic Communications” was released on January 10, 2017. The Regulation will be applicable to any provider of electronic communications services or to any entity that processes electronic communications data. It will impact the way organizations interact electronically with EU citizens, including user tracking, data collection in user devices, and direct marketing. The draft Regulation and the related documents can be found online: https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications
European Data Protection Supervisor (EDPS)
The European Data Protection Supervisor (EDPS) was established in 2004 with the goal of ensuring that EU institutions and bodies respect people’s right to privacy when processing their personal data. Its main functions are to (1) supervise the EU administration’s processing of personal data to ensure compliance with privacy rules, handle complaints, and conduct inquiries; and (2) advise EU institutions and bodies on all aspects of personal data processing and related policies and legislation.
The Article 29 Working Party
The Article 29 Working Party (“A29WP”) is a non-regulatory data protection body. Its main function is to provide expert advice and make recommendations to the Member States and to the public regarding data protection and processing of personal data. The body itself consists of representatives of the EU’s national data protection authorities, the European Data Protection Supervisor (“EDPS”), and the European Commission. It has been transformed into the “European Data Protection Board” (“EDPB”) under the GDPR.
The European Data Protection Board will replace the Article 29 Working Party, and its functions will include ensuring consistency in the application of the GDPR, advising the EU Commission, issuing guidelines, codes of practice and recommendations, accrediting certification bodies, and issuing opinions on draft decisions of supervisory authorities.
DPA / Supervisory Authority / Lead Authority
DPAs are the national data protection authorities tasked with privacy and personal data protection. Each Member State appointed a DPA body to implement and enforce local data protection law, and to offer guidance. DPAs have significant enforcement powers, including the ability to levy substantial fines.
Data subject
A data subject is a natural person. Examples of a data subject can be an individual, a customer, a prospect, an employee, a contact person, etc.
Personal data
Any information relating to an identified or identifiable individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information, or IP address, to a combination of data that directly or indirectly identifies the person.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data.” The special categories of data include racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offenses is not included in the special categories, but similar extra safeguards apply to its processing.
Data controller
Any organization, person, or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly. Examples of individuals acting as data controllers include general practitioners, pharmacists, and politicians, where these individuals keep personal information about their patients, clients, constituents, etc. Organizations of any kind, for profit or not for profit, private or government-owned, large or small, are data controllers where they keep personal information about their employees, clients, etc.
Data processor
A data processor processes the data on behalf of the data controller. Examples include payroll companies, accountants, and market research companies.
Data Protection Officer (DPO)
An appointment of a Data Protection Officer is obligatory if: (1) processing is carried out by a public authority; or (2) the “core activities” of a data controller / data processor either require “the regular and systematic monitoring of data subjects on a large scale,” or consist of processing of special categories of data or data about criminal convictions “on a large scale.”
Accountability
Accountability is the ability to demonstrate compliance with the GDPR. The Regulation explicitly states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures have to be implemented. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Consent
Consent is any “freely given, specific, informed and unambiguous” indication of the individual’s wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes.
The affirmative action, or a positive opt-in, means that the consent cannot be inferred from silence, pre-ticked boxes, or inactivity. It should also be separate from terms and conditions, and have a simple way to withdraw it. Public authorities and employers will need to pay special attention to ensure that consent is freely given.
Existing consents do not have to be refreshed automatically in preparation for the GDPR, but they have to meet the GDPR standard for being specific, granular, clear, opt-in, properly documented, and easily withdrawn. If they do not, change your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
Lead authority
If a business is established in more than one Member State, it will have a “lead authority,” determined by the place of its “main establishment” in the EU. A supervisory authority that is not a lead authority may also have a regulatory role, for example where processing impacts data subjects in the country where that supervisory authority is the national authority.
Privacy Impact Assessment (PIA)
The GDPR imposes a new obligation on data controllers and data processors to conduct a Data Protection Impact Assessment (also known as a privacy impact assessment, or PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope, or purposes.
Processing
Processing is any operation performed on personal data (sets), such as creation, collection, storage, view, transport, use, modification, transfer, deletion, etc., whether or not by automated means.
Profiling
Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to an individual, or to analyze or predict in particular that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior.
Right of access
This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data.
Territorial scope
The territorial scope of the GDPR is the European Economic Area (EEA), that is, all 28 EU Member States plus Iceland, Liechtenstein, and Norway; it does not include Switzerland.
Third party
A third party is any natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
Transfer of personal data
The transfer of personal data to countries outside the EEA or to international organizations is subject to restrictions. As with the Data Protection Directive, data does not need to be physically transported to be transferred. Viewing data hosted in another location would amount to a transfer for GDPR purposes.