The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements relating to the processing of personally identifiable information of data subjects (the term GDPR uses for the individuals concerned) within the EU, and applies to all enterprises, regardless of location, that do business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and must use the highest-possible privacy settings by default, so that the data is not publicly available without explicit, informed consent and cannot be used to identify a subject without additional information that is stored separately. No personal data may be processed unless this is done under a lawful basis specified by the regulation, or unless the data controller or processor has received an unambiguous and individualised affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
Data processors must clearly disclose any data collection, declare the lawful basis and purpose for the processing, state how long the data is retained, and state whether it is being shared with any third parties or outside the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with GDPR. Businesses must report any data breach within 72 hours if it has an adverse effect on user privacy.
It was adopted on April 14, 2016; because GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable. With Britain scheduled to leave the EU in 2019, the UK granted royal assent to the Data Protection Act 2018 on May 23, 2018, which contains equivalent regulations and protections.
Coverage
The regulation applies if the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a "purely personal or household activity and thus with no connection to a professional or commercial activity." (Recital 18)
According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
The regulation is not intended to apply to the processing of personal data for national security activities or for law enforcement within the EU; however, industry groups concerned about the potential for legal conflicts have questioned whether Article 48 of GDPR could be invoked to prevent a data controller subject to a third country's laws from complying with a legal order from that country's law enforcement, judicial, or national security authorities to disclose to such authorities the personal data of an EU person, regardless of whether the data resides inside or outside the EU. Article 48 states that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognised or enforceable in any manner unless based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state. The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector that provides rules on personal data exchanges at the national, European, and international levels.
A single set of rules applies to all EU member states. Each member state establishes an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, and so on. The SAs in each member state cooperate with the other SAs, providing mutual assistance and organising joint operations. Where a business has multiple establishments in the EU, it has a single SA as its "lead authority", based on the location of its "main establishment" where the main processing activities take place. The lead authority acts as a "one-stop shop" to supervise all the processing activities of that business throughout the EU (Articles 46-55 of GDPR). The European Data Protection Board (EDPB) coordinates the SAs. The EDPB replaces the Article 29 Data Protection Working Party. There are exceptions for data processed in an employment context or in national security that may still be subject to individual country regulations (Articles 2(2)(a) and 88 of GDPR).
Legal basis for processing
Unless a data subject has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one lawful basis for doing so. These include:
- For the legitimate interests of the data controller or a third party, unless this interest is overridden by the data subject's rights under the Charter of Fundamental Rights (especially in the case of children).
- To perform a task in the public interest or in the exercise of official authority.
- To comply with a data controller's legal obligations.
- To fulfil contractual obligations with the data subject.
- To perform a task at the request of a data subject who is in the process of entering into a contract with the data controller.
- To protect the vital interests of the data subject or of another person.
If informed consent is used as the lawful basis for processing, consent must be explicit for the data collected and for each purpose the data is used for (Article 7; defined in Article 4). Consent must be a specific, freely given, plainly worded, and unambiguous affirmation given by the data subject; an online form that has a consent option selected by default violates GDPR, because the consent is not affirmatively given by the user on an "opt-in" basis. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of the data (Recital 32).
Data controllers must not deny service to users who decline consent to processing that is not strictly necessary in order to use the service (Article 7(4)). Consent can be withdrawn at any time. Consent for children, defined in the regulation as being under 16 years old (although with the option for member states to individually lower this to as low as 13 years, Article 8(1)), must be given by the child's parent or custodian, and must be verifiable (Article 8).
If consent to processing was already obtained under the Data Protection Directive, a data controller does not have to re-obtain consent, provided the processing is documented and the consent was obtained in compliance with GDPR's requirements (Recital 171).
Responsibility and accountability
In order to be able to demonstrate compliance with GDPR, the data controller must implement measures that meet the principles of data protection by design and by default. Data protection by design and by default (Article 25) requires data protection measures to be designed into the development of business processes for products and services. Such measures include pseudonymising personal data, by the controller, as soon as possible (Recital 78). It is the responsibility and liability of the data controller to implement effective measures and to be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller (Recital 74).
When data is collected, data subjects must be clearly informed about the extent of data collection, the lawful basis for processing personal data, how long the data is retained, whether the data is being transferred to a third party and/or outside the EU, and the existence of any automated decision-making that is made on a solely algorithmic basis. Data subjects must also be provided with contact details for the data controller and its designated data protection officer, where applicable. Data subjects must also be informed of their privacy rights under GDPR, including their right to revoke consent to data processing at any time, their right to view their personal data and access an overview of how it is being processed, their right to obtain a portable copy of the stored data, their right to erasure of their data under certain circumstances, their right to contest any automated decision-making that was made on a solely algorithmic basis, and their right to file a complaint with a data protection authority.
Data protection impact assessments (Article 35) must be conducted when specific risks to the rights and freedoms of data subjects arise. Risk assessment and mitigation are required, and prior approval from the data protection authority is required for high-risk processing.
Data protection by design and by default
Data protection by design and by default (Article 25) requires data protection to be designed into the development of business processes for products and services. Privacy settings must therefore be set at a high level by default, and technical and procedural measures must be taken by the controller to make sure that the processing, throughout its whole lifecycle, complies with the regulation. Controllers must also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose.
A report by the European Union Agency for Network and Information Security outlines what needs to be done to achieve privacy and data protection by default. It specifies that encryption and decryption operations must be carried out locally, not by a remote service, because both keys and data must remain in the power of the data owner if any privacy is to be achieved. The report specifies that outsourced data storage on remote clouds is practical and relatively safe if only the data owner, not the cloud service, holds the decryption keys.
Pseudonymisation
GDPR refers to pseudonymisation as a required process for stored data (as an alternative to the other option of complete data anonymisation) that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example is encryption, which renders the original data unintelligible, and the process cannot be reversed without access to the correct decryption key. GDPR requires the additional information (such as the decryption key) to be kept separately from the pseudonymised data.
Another example of pseudonymisation is tokenisation, which is a non-mathematical approach to protecting data at rest that replaces sensitive data with non-sensitive substitutes, referred to as tokens. The tokens have no extrinsic or exploitable meaning or value. Tokenisation does not alter the type or length of the data, which means it can be processed by legacy systems such as databases that may be sensitive to data length and type.
Tokenisation also requires far fewer computing resources for processing and less storage space in databases than traditionally encrypted data. This is achieved by keeping specific data fully or partially visible for processing and analytics while sensitive information is kept hidden.
Pseudonymisation is recommended to reduce the risks to the data subjects concerned and to help controllers and processors meet their data protection obligations (Recital 28).
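The two techniques described in this section, tokenisation of sensitive fields and a keyed pseudonym that replaces the subject identifier, can be put together in a small pseudonymisation routine. The following is an added example written for this page; it is not code from the article, from the regulation, or from any named product. The names `TokenVault`, `pseudonymise_record`, `reidentify`, `SENSITIVE_FIELDS` and the sample customer record are constructed for illustration. The design point it shows is the one the text makes: the token vault and the HMAC key are the "additional information", so a record that has been through `pseudonymise_record` cannot be attributed to a person by anyone who holds only the record, while analytics fields (country, amount) stay usable and tokens keep the length and character type of the original value so that legacy columns still accept them.

```python
import hashlib
import hmac
import secrets
import string

SENSITIVE_FIELDS = ("name", "email", "card_number")  # replaced by vault tokens
SUBJECT_ID_FIELD = "customer_id"                      # replaced by a keyed pseudonym


class TokenVault:
    """Token <-> original value mapping. This is the 'additional information'
    the regulation requires to be kept separately from the pseudonymised data
    (assumption: a different database with its own access controls)."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenise(self, value: str) -> str:
        if value in self._token_by_value:
            return self._token_by_value[value]  # stable: same value -> same token
        token = _random_token_like(value)
        while token == value or token in self._value_by_token:
            token = _random_token_like(value)  # avoid collisions and identity
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._value_by_token[token]


def _random_token_like(value: str) -> str:
    """Random substitute that keeps length and character class per position, so
    fixed-width or digit-only legacy columns still accept it. The token is drawn
    at random, not derived from the value, so it carries no exploitable meaning."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(secrets.choice(pool))
        else:
            out.append(ch)  # separators such as '@', '.', ' ' are kept as-is
    return "".join(out)


def pseudonymous_id(subject_id: str, key: bytes) -> str:
    """Stable pseudonym derived with HMAC-SHA256. Without `key` (held separately,
    e.g. in a key management system) the pseudonym can neither be reversed nor
    recomputed from the subject identifier."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Return a copy fit for analytics: the subject id becomes a keyed pseudonym,
    sensitive fields become tokens, non-sensitive fields are left visible."""
    out = dict(record)
    out[SUBJECT_ID_FIELD] = pseudonymous_id(record[SUBJECT_ID_FIELD], key)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenise(record[field])
    return out


def reidentify(record: dict, vault: TokenVault) -> dict:
    """Authorised reversal of the tokenised fields; it needs the vault, i.e. the
    separately stored additional information. The HMAC pseudonym is not reversed
    here: a controller holding the key would match it by recomputing pseudonymous_id()."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenise(record[field])
    return out


# Constructed sample record for the demonstration (not real data).
SAMPLE = {
    "customer_id": "C-000417",
    "name": "Alice Example",
    "email": "alice@example.org",
    "card_number": "4111111111111111",
    "country": "NL",
    "amount_eur": 42.0,
}

if __name__ == "__main__":
    vault = TokenVault()            # would live in a separate system
    key = secrets.token_bytes(32)   # would live in a KMS/HSM, never beside the data
    pseudonymised = pseudonymise_record(SAMPLE, vault, key)
    print(pseudonymised)
    print(reidentify(pseudonymised, vault))
```

Note that a format-preserving token still reveals the shape of the original (a 16-digit token tells a reader there was a 16-digit value), which is why the text pairs tokenisation with keeping the vault out of reach rather than treating the token itself as secret.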
Access rights
The right of access (Article 15) is a data subject right. It gives citizens the right to access their personal data and information about how this personal data is being processed. The data controller must provide, upon request, an overview of the categories of data being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). Furthermore, the data controller must inform the data subject of the details of the processing, such as the purposes of the processing (Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and how it obtained the data (Article 15(1)(g)).
A data subject must be able to transfer personal data from one electronic processing system to another, without being prevented from doing so by the data controller. Data that has been sufficiently anonymised is excluded, but data that has only been de-identified yet remains possible to link to the individual concerned, such as by supplying the relevant identifier, is not. In practice, however, providing such identifiers can be challenging, as in the case of Apple's Siri, where voice data and transcripts are stored with personal identifiers to which the manufacturer restricts access, or in online behavioural targeting, which relies heavily on device fingerprints that can be challenging to capture, transmit, and verify.
Both data "provided" by the data subject and "observed" data, such as data about behaviour, are included. In addition, the data must be provided by the controller in a structured and commonly used electronic format. The right to data portability is provided by Article 20 of GDPR. Legal experts see in the final version of this measure a "new right" created that "reaches beyond the scope of data portability between two controllers as stipulated in [Article 20]".
Right to erasure
The right to be forgotten was replaced by a more limited right to erasure in the version of GDPR adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request the erasure of personal data relating to them on any of a number of grounds, including non-compliance with Article 6(1) (lawfulness), which covers case (f), where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (see also Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).
Recording processing activities
Records of processing activities must be maintained that include the purposes of the processing, the categories involved, and the envisaged time limits. The records must be made available to the supervisory authority on request (Article 30).
Data protection officer
Where the processing is carried out by a public authority, except for courts or independent judicial authorities acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of data subjects, or of large-scale processing of the special categories of data under Article 9 and of personal data relating to criminal convictions and offences referred to in Article 10, a Data Protection Officer (DPO), a person with expert knowledge of data protection law and practices, must be designated to assist the controller or processor in monitoring internal compliance with the regulation.
DPOs are similar to compliance officers and are also expected to be proficient at managing IT processes, data security (including dealing with cyberattacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. Further details on the function and the role of data protection officers were given on 13 December 2016 (revised 5 April 2017) in a guidance document.
Organisations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations (Article 27). This is a distinct role from that of the DPO, although there is overlap in responsibilities, which suggests that this role could also be held by the designated DPO.
Data breaches
Under GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if an adverse impact is determined (Article 34). In addition, the data processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33).
However, notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (Article 34).
Sanctions
The following sanctions can be imposed:
- a written warning in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine of up to EUR 10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, for any infringement of the following provisions (Article 83, paragraphs 5 and 6):
  - the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43
  - the obligations of the certification body pursuant to Articles 42 and 43
  - the obligations of the monitoring body pursuant to Article 41(4)
- a fine of up to EUR 20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, for any infringement of the following provisions (Article 83, paragraph 4):
  - the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9
  - the rights of the data subject pursuant to Articles 12 to 22
  - the transfer of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  - any obligations pursuant to member state law adopted under Chapter IX
  - non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)
B2B marketing
GDPR makes a clear distinction between business-to-consumer (B2C) and business-to-business (B2B) marketing. GDPR provides six lawful bases for processing personal data, all of them equally valid. Two are relevant to direct B2B marketing: consent and legitimate interests. Recital 47 of GDPR states that "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
Using legitimate interests as the basis for B2B marketing involves ensuring that key conditions are met:
- "Processing must relate to the legitimate interests of your business or a specified third party, provided that the interests or fundamental rights of the data subject do not override the legitimate interests of the business."
- "Processing must be necessary to achieve the legitimate interests of the organisation."
In addition, Article 6(1)(f) of GDPR states that processing is lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".
Companies may therefore continue to use marketing data for B2B engagement as long as appropriate measures are taken to ensure that the data is aligned with specific goals or campaigns. One phrase now in use is "Right Marketing to the Right People". As part of this, companies need to keep their marketing database and CRM up to date in order to carry out a valid legitimate interests balancing check.
The EU Commission has stated that "Unified data privacy laws will create tremendous opportunities and encourage innovation for businesses, not only in Europe but also for organisations that are willing to do business with European countries or that already operate their business in European countries." The Commission's aim is for companies to maintain communications and build supportive, mutually beneficial relationships to ensure best data practice through legitimate checks.
Restrictions
The following cases are not covered by the regulation:
- Lawful interception, national security, the military, the police, and justice
- Statistical and scientific analysis
- Deceased persons, who are subject to national legislation
- Employer-employee relationships, for which there is special legislation
- The processing of personal data by a natural person in the course of a purely personal or household activity
Conversely, an entity, or more precisely an "enterprise", must be engaged in "economic activity" to be covered by GDPR. Economic activity is defined broadly under EU competition law.
Reception
The proposal for the new regulation gave rise to much discussion and controversy. Thousands of amendments were proposed.
The area of GDPR consent has a number of implications for businesses that record calls as a matter of practice. A typical disclaimer is not considered sufficient to gain assumed consent to record a call. Additionally, once the recording has begun, if the caller withdraws their consent, the agent receiving the call must be able to stop the recording already in progress and ensure that the recording is not stored.
IT professionals expect that compliance with GDPR will require additional investment overall: more than 80 percent of those surveyed expected GDPR-related spending to be at least USD $100,000. The concern is echoed in a report commissioned by Baker & McKenzie, which found that "around 70 percent of respondents believe that organisations will need to invest additional budget/effort to comply with the consent, data mapping and cross-border data transfer requirements under GDPR." The total cost for EU companies is estimated at around EUR 200 billion, while for US companies the estimate is $41.7 billion. It has been argued that smaller businesses and start-up companies may not have the financial resources to adequately comply with GDPR, unlike the larger international technology firms (such as Facebook and Google) that the regulation is meant to target first and foremost. A lack of knowledge and understanding of the regulation has also been a concern in the lead-up to its application. A counter-argument is that companies were made aware of these changes two years before they came into force and therefore should have had enough time to prepare.
The regulation, including whether a company should have a data protection officer, has been criticised for potential administrative burdens and unclear compliance requirements. Although data minimisation is a requirement, with pseudonymisation being one of the possible means, the regulation provides no guidance on how to do it or on what constitutes an effective data de-identification scheme, leaving a grey area on what would be considered inadequate pseudonymisation subject to Section 5 enforcement actions. There is also concern regarding the application of GDPR to blockchain systems, as the transparent and immutable record of blockchain transactions conflicts with the nature of GDPR. Many media outlets have commented on the introduction of a "right to explanation" of algorithmic decisions, but legal scholars have since argued that the existence of such a right is highly unclear without judicial tests and is limited at best.
Impact
The approach of GDPR's effective date led many companies and websites around the world to change their privacy policies and features to meet its requirements, and to send e-mail and in-place notices of the changes, despite having had at least two years to prepare. This has been criticised for ultimately leading to a form of fatigue among end users faced with an excessive volume of messages. Experts also noted that some of the reminder e-mails incorrectly asserted that new consent for data processing had to be obtained once GDPR came into force, even though any previously obtained consent remains valid as long as it was properly documented and meets GDPR's requirements (Recital 171). Phishing scams also appeared using counterfeit versions of GDPR e-mails, and it was also argued that some GDPR notice e-mails may themselves have been sent in violation of anti-spam laws. The mass adoption of GDPR's privacy standards by international corporations has been cited as an example of the "Brussels effect", a phenomenon in which European laws and regulations are used as a global baseline owing to their gravitas.
The flood of GDPR-related notices also inspired memes, including privacy notices delivered in unconventional ways (such as via a Ouija board and a Star Wars opening crawl), suggestions that Santa Claus's "naughty or nice" list violates GDPR, and a recording of excerpts from the regulation by a former BBC Radio 4 broadcaster in the style of the late-night Shipping Forecast. A blog, GDPR Hall of Shame, was also created to showcase unusual GDPR notice deliveries and compliance attempts that contained egregious violations of the regulation's requirements. Its author remarked that the regulation "has a lot of nitty gritty, in-the-weeds details, but not a lot of information about how to comply", but also acknowledged that businesses had two years to comply, making some of their responses unjustified.
On its effective date, some international websites began to block EU users entirely (including Instapaper, Unroll.me, and Tronc-owned newspapers such as the Chicago Tribune and the Los Angeles Times) or to redirect them to stripped-down versions of their services (in the case of National Public Radio and USA Today) with limited functionality and/or no advertising, in order to eliminate their liabilities. Some companies, such as Klout, and several online video games ceased operations entirely to coincide with its implementation, citing GDPR as a burden on their continued operations, particularly because of the former's business model. The volume of online behavioural advertising placements in Europe fell 25-40% on May 25, 2018.
Facebook and its subsidiaries WhatsApp and Instagram, as well as Google LLC (targeting Android), were immediately sued by Max Schrems's non-profit NOYB just hours after midnight on May 25, 2018, for their use of "forced consent". Schrems asserts that both companies violate Article 7(4) by not presenting opt-ins for individual data processing consent, and by requiring users to consent to all data processing activities (including those not strictly necessary) or be prohibited from using the service.
Timeline
- January 25, 2012: The proposal for GDPR is released.
- October 21, 2013: The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) holds its orientation vote.
- December 15, 2015: Negotiations between the European Parliament, the Council and the Commission (the formal trilogue meeting) result in a joint proposal.
- December 17, 2015: The European Parliament's LIBE Committee votes on the outcome of the negotiations between the three parties.
- April 8, 2016: Adoption by the Council of the European Union. The only member state voting against is Austria, which argues that the level of data protection in some respects falls short compared to the 1995 directive.
- April 14, 2016: Adoption by the European Parliament.
- May 24, 2016: The regulation enters into force, 20 days after its publication in the Official Journal of the EU.
- May 25, 2018: Its provisions become directly applicable in all member states, two years after the regulation entered into force.
- July/August 2018: GDPR will apply in the EEA countries (Iceland, Liechtenstein and Norway) once the EEA Joint Committee and the three countries have agreed to follow the regulation.
Digital Single Market of the European Union
The EU Digital Single Market strategy relates to "digital economy" activities related to businesses and people in the EU. As part of the strategy, the GDPR and the NIS Directive apply from May 25, 2018. The proposed ePrivacy Regulation was also planned to be applicable from May 25, 2018, but will be delayed for several months. The eIDAS Regulation is also part of the strategy.
See also
- Convention on Cybercrime, of the Council of Europe
- ePrivacy Regulation (EU)
- Information Commissioner's Office, UK
External links
- EU Data Protection page
- Procedure 2012/0011/COD, EUR-Lex
- Multilingual HTML and PDF versions of the regulation, EUR-Lex
- General Data Protection Regulation, final version of April 27, 2016 (PDF)
- 2012/0011(COD) - Personal data protection: processing and free movement of data (General Data Protection Regulation), European Parliament
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Source of the article: Wikipedia