The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 to impose privacy obligations on organisations to protect personal information within Europe and also outside of Europe where data relates to people in the EU.
Article 5: The basic principles of the GDPR are:
The GDPR applies to:
Some key terms to note within the GDPR (defined in Article 4 of the GDPR):
Article 9: There are special categories of personal data where processing is prohibited without the specific consent of the data subject or where processing is otherwise lawfully allowed. These categories include data regarding:
Article 8: Processing of children's data is lawful if the child is over 16 years of age. If the child is under 16 years of age, parental consent must be obtained.
Profiling (Recital 71):
Anonymisation and pseudonymisation (Recital 26):
Health Data (Recital 35):
Genetic Data (Recital 34):
Biometric Data (Article 4):
The GDPR applies to Member States of the EU.
Data Protection Authorities (DPAs) in each Member State are to cooperate.
The country where the 'main establishment' is located will be the lead DPA.
Subject to exceptions, transfer of data outside of the EU would constitute a breach of the Articles in Chapter V of the GDPR.
Transfer of data must be legal. If personal data is to be transferred outside of the EU, then transfer is permitted to the following countries:
If the country to which the data is to be transferred is not on the above list, then the organisation wishing to transfer personal data outside of the EU must complete the Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries.
Previously, the Privacy Shield proposed a framework to allow data transfer outside of the EU (for example, to the United States).
In the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties (Case C-311/18), known as the 'Schrems II' case, the Court of Justice of the European Union held that the Privacy Shield was invalid, making transfers of personal data from the EU to the US unlawful.
On 7 October 2022, President Biden signed an Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities' directing the steps the US will take to implement the US commitments under the European Union-U.S. Data Privacy Framework (announced March 2022). In the meantime, organisations will need to comply with Chapter V of the GDPR for transfers of data outside of the EU.
Article 15: a data subject can make a Data Subject Access Request (DSAR).
The data subject can request disclosure of all personal data in an organisation’s possession
Code of practice – if the data subject agrees to receive the information in electronic form, that complies; otherwise it must be provided in permanent form
Must be responded to within 30 days
DSARs can be costly and time consuming
Can refuse if manifestly unfounded, excessive or repetitive
Exemptions, e.g. legal professional privilege
Article 32: Appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
The following may comprise appropriate technical and organisational measures: