Introduction to privacy regulations in European Union
Keywords
- Natural person – a living, breathing human being
- Legal person – not natural person, but have their own legal rights – corporations, partnerships
- Personal data – any information relating to an identified or identifiable natural person (name, ID number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person)
- Processing – any operation or set of operations performed on personal data (or sets of personal data), whether by automated means or not, such as:
  - Collection
  - Recording
  - Organization
  - Structuring
  - Storage
  - Adaptation or alteration
  - Retrieval
  - Consultation
  - Use
  - Disclosure by transmission
  - Dissemination or otherwise making available
  - Alignment or combination
  - Restriction
  - Erasure or destruction
- Profiling – to evaluate certain personal aspects relating to natural persons
- Art. 4 GDPR – Definitions – General Data Protection Regulation (GDPR) (gdpr-info.eu)
Background
- Enacted from 25th May 2018
- It replaced data protection rules across Europe that were almost two decades old
- Designed to harmonize data privacy laws across all of its member countries
- Introduced big changes, but built on previous data protection rules
- The GDPR has 99 articles
- Member countries were given the ability to make their own small changes to suit their needs
- Fines up to 10 million euros or 2% of global turnover
General provisions
Subject matter and objectives
- Rules related to the protection of natural persons with regard to processing of personal data and free movement of personal data
- Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data
- Free movement – within the EU, should not be restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Scope
- The Regulation applies to the processing of personal data (PD) wholly or partly by automated means, and to non-automated processing where the data forms part of a filing system
- For union institutions, bodies, offices and agencies - EUR-Lex - 32001R0045 - EN (europa.eu)
- Other union legal acts – Article 98
Out of scope
- outside the scope of Union law
- member states carrying out activities mentioned here
- By a natural person for a personal or household activity
- Competent authorities acting for the purpose of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, or safeguarding against and preventing threats to public security
Principles
- Personal data shall be processed in accordance with the following:
  - Lawfulness, fairness and transparency
  - Purpose limitation – collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. If further processed, adhere to Art. 89 GDPR – Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes – General Data Protection Regulation (GDPR) (gdpr-info.eu)
  - Data minimization – adequate, relevant and limited to what is necessary
  - Accuracy – accurate and kept up to date
  - Storage limitation – kept no longer than necessary; for longer retention periods adhere to items mentioned here
  - Integrity and confidentiality – processed with appropriate security measures in place; this is an ongoing obligation to protect the data, not only a duty to respond to breaches
- Accountability – the controller shall be responsible for, and be able to demonstrate, compliance with the principles above
Rights of the data subject
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Notification obligation – rectification, erasure or restriction of processing
- Right to data portability
- Right to object
Controller and processor
Controller – responsible for implementing measures to ensure that processing occurs pursuant to GDPR
Processor – is tasked by the text of the privacy law with helping the controller with certain tasks, including information necessary to demonstrate compliance
E.g. 99X uses MiHCM for HR purposes in the organization, so 99X is the controller and MiHCM is the processor.
Joint controllers – two or more controllers that jointly determine the purposes and means of processing