Personal Data
Any information relating to an identified or identifiable natural person ('data subject').
Data Controller
The entity that determines the purposes and means of processing personal data.
Data Processor
The entity that processes personal data on behalf of the data controller.
GDPR
The General Data Protection Regulation, the EU regulation that governs data protection and privacy.
Data Subjects' Rights
Rights granted to individuals regarding their personal data under GDPR. These rights include: (1) Right of access: Individuals can request access to their personal data and obtain information on how it is being processed. (2) Right to rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data. (3) Right to erasure: Often referred to as the 'right to be forgotten,' individuals can request the deletion of personal data under certain conditions. (4) Right to data portability: Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format, and they have the right to transmit that data to another controller. (5) Right to restriction of processing: Individuals can request the limitation of the processing of their personal data under certain circumstances. (6) Right to object: Individuals have the right to object to the processing of their personal data in relation to their specific situation. (7) Rights related to automated decision-making: Individuals can challenge decisions made solely by automated processes that significantly affect them, ensuring human intervention where necessary.
Extraterritorial Reach
The application of GDPR to organizations outside of the EU that process the personal data of EU citizens.
Consent (GDPR Definition)
A clear affirmative act by data subjects agreeing to the processing of their personal data.
Right to Erasure
Also known as the 'right to be forgotten,' this right allows individuals to request the deletion of their personal data under certain conditions. It is applicable when the personal data is no longer necessary for the purposes for which it was collected, when the individual withdraws consent on which the processing is based, or when the personal data has been unlawfully processed. The data controller must assess the request and inform the individual of the outcome, ensuring that the right to erasure is respected and upheld.
Data Protection Impact Assessment (DPIA)
A process to help organizations identify and minimize data protection risks.
Recital 23, GDPR
Clarifies that mere accessibility of a website in the EU is insufficient to determine intention to offer goods or services to EU data subjects.
Legitimate Interests
A legal basis for processing personal data under GDPR that permits processing when it is necessary for the purposes of legitimate interests pursued by the data controller or a third party, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject.
- Requires a balancing test to assess whether the interests of the data controller outweigh the data subjects’ privacy rights.
Examples: processing for fraud prevention, direct marketing, or ensuring network security.
Data Breach
An incident where unauthorized access to personal data occurs.
Privacy vs Data Protection
Privacy refers to an individual's right to control personal information, while data protection focuses on safeguarding that data from unauthorized access.
Article 4(1) GDPR
Defines 'personal data' as any information relating to an identified or identifiable natural person.
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Accountability Principle
Data controllers must demonstrate compliance with GDPR principles and practices.
Article 5 GDPR
Outlines the principles of data processing (lawfulness, fairness, and transparency).
- personal data must be processed lawfully and in a fair manner
- data must be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes
- controllers must ensure the accuracy of data (keep it updated where relevant)
- Establishes the principle of data minimisation
Article 6 GDPR
Describes the lawful bases for processing personal data.
- Consent: The data subject gives clear consent for a specific processing operation
- Contractual necessity: Processing is necessary to fulfil a contract with the data subject, or to take the steps needed to enter into one
- Legal obligation: to comply with a legal obligation the data controller is subject to
- Vital interest: protection of the life of the data subject or another natural person
- Public task: performance of a task carried out in the public interest or the exercise of official authority vested in the controller
- Legitimate interest: in the pursuit of legitimate interests of the controller or third parties
Article 7 GDPR
Details the conditions for obtaining valid consent from data subjects.
- Freely given: The individual should have a genuine choice, with no pressure or coercion involved.
- Specific: Consent must be given for one or more specific purposes, meaning it cannot be vague or blanket consent.
- Informed: Adequate information about the processing of personal data must be provided (purpose of processing, the identity of the data controller, the right to withdraw consent at any time)
- Unambiguous: The consent must be expressed through a clear affirmative action, such as opting in via a checkbox, rather than implied consent through inaction or pre-ticked boxes.
Article 9 GDPR
Specifies conditions for processing sensitive data.
- Explicit consent: The data subject provides clear and affirmative consent for the processing of their sensitive personal data for a specific purpose. This consent must be informed and given voluntarily.
- Vital interests: To protect the vital interests of the data subject or another natural person (especially when the data subject is incapable of giving consent due to physical or legal reasons)
- Public interest: Processing is necessary for reasons of substantial public interest, which must be laid down by law and must ensure appropriate safeguards for the rights of affected individuals.
- Legal claims: Processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity.
Article 12 GDPR
Requires data controllers to provide information to data subjects in a concise, transparent, intelligible, and easily accessible form.
(Purpose, Legal basis, category of data processed, recipients of data, retention (storage) period, data subject rights)
Article 13 GDPR
Mandates information that must be provided to data subjects when personal data is collected from them.
Article 15 GDPR
Gives data subjects the right to access their personal data and obtain a copy of it.
Article 32 GDPR
Stipulates the requirements for personal data security and outlines data controllers' obligations in terms of protection.
- Data encryption
- Regular security testing
- Incident response plan (including containment, recovery, and reporting/notification)
Article 33 GDPR
Obligates data controllers to notify supervisory authorities of a data breach.
Article 44 GDPR
Addresses the transfer of personal data outside the EU and the conditions necessary for such transfers, and asserts that data transfers must respect the fundamental rights of individuals, safeguarding their privacy and ensuring compliance with GDPR's principles even when working with third countries.
- Adequacy Decisions: assesses whether a non-EU country provides an adequate level of data protection comparable to that guaranteed in the EU. If a country receives an 'adequacy decision,' data transfers can occur freely to that country without the need for additional safeguards.
- Appropriate Safeguards: Required where no adequacy decision exists; these are binding corporate rules, standard contractual clauses adopted by the Commission, or other legally enforceable instruments.
- Specific Derogations: Allow transfers under certain circumstances, such as when the data subject has explicitly consented to the proposed transfer after being informed of the possible risks, when the transfer is necessary for the performance of a contract, for important reasons of public interest, or when it is necessary for the establishment, exercise, or defense of legal claims.
Article 8 GDPR
Specifies conditions for processing personal data of children, where valid consent must be obtained from guardians for children under 16.
Article 10 GDPR
Requires that personal data related to criminal convictions and offenses should only be processed under specific legal conditions.
Article 11 GDPR
Allows data controllers to avoid informing data subjects if that information proves impossible to provide or involves disproportionate effort.
Article 14 GDPR
Mandates that data subjects be informed when personal data has not been obtained directly from them, especially about the source of data.
Article 15 GDPR Summary
Gives data subjects the right to access personal data stored about them by requesting confirmation from the data controller.
Article 16 GDPR
Grants data subjects the right to request rectification of their personal data that is inaccurate or incomplete.
Article 17 GDPR
Establishes the right to erasure ('right to be forgotten'), allowing individuals to request deletion of personal data under certain conditions.
Article 18 GDPR
Provides data subjects the right to request restriction of processing under specified circumstances.
Article 19 GDPR
Instructs that data controllers must notify third parties when personal data has been rectified or erased.
Article 20 GDPR
Gives data subjects the right to data portability, allowing them to receive personal data in a structured format and transmit it to another controller.
Article 21 GDPR
Empowers data subjects to object to the processing of their personal data under certain conditions.
Article 22 GDPR
Grants individuals the right not to be subject to automated decision-making without human intervention, particularly if it significantly affects them.
Article 23 GDPR
Lists the conditions under which data controllers can restrict data subjects' rights, such as legal obligations or interests.
- Legal obligations: When compliance with legal obligations imposed on the data controller prevents them from fulfilling data subject rights
- Important public interest: When necessary for the performance of a task carried out in the public interest
- Defense of legal claims: Processing is necessary for the establishment, exercise, or defense of legal claims
- Research purposes: Where processing is necessary for statistical or scientific research, provided that such restriction is proportionate and safeguards the rights of the data subjects
- Prioritization of rights: Restrictions must be documented, ensuring that the balance between the necessity of the restriction and the rights of the data subjects is preserved.
Special Category Data / Sensitive Data
A specific type of personal data that is subject to stricter conditions under GDPR, including data revealing racial or ethnic origin, political opinions, religious beliefs, health information, and sexual orientation.