By Robert Bond[1]
The EU General Data Protection Regulation (GDPR)[2] came into force on 25 May 2018, and continues to have a significant impact upon Legal and Compliance. While the vast majority of companies to which GDPR applies have taken the necessary steps to comply with its requirements, newcomers will want to have a thorough understanding of its scope to determine their exposure.
Applicability
Certainly GDPR applies to controllers and processors that have subsidiaries or affiliates in the EU. A controller is a business that makes decisions in relation to personal data, whereas a processor is a third party that carries out processing on the instructions of the controller.
GDPR also has an extraterritorial nature. It applies to any controller or processor that is not located in the EU but has processing activities related to either the offering of goods or services to data subjects in the EU, irrespective of whether a payment is required or not—or where the processing activities relate to the monitoring of the behaviour of EU citizens so far as that behaviour takes place within the EU.
Many businesses are subject to GDPR whether or not they have entities in the EU. If GDPR applies to controllers or processors outside the EU, and if they process large volumes of sensitive data, or if such processing could result in a risk to the rights and freedoms of individuals, then they need to designate, in writing, a representative who is established in one of the member states where the data subjects are located. When processing of EU citizens’ personal data takes place in several member states, the representative needs to be appointed in the member state where most of the EU citizens whose data is being processed are located.
The role of the representative is to sit between the controller or processor and the relevant supervisory authority and/or data subjects. The representative will need to respond to investigations or communications from the relevant supervisory authority and/or from data subjects, and will need to have in place a suitable contract defining roles and responsibilities. The designation of a representative does not affect the primary responsibility and liability of the controller or processor under GDPR.
Data Protection Principles
GDPR lays out data protection principles, which are that personal data must be:
- Processed fairly, lawfully, and in a transparent manner;
- Collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which the personal data is processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary;
- Processed in accordance with data subjects’ rights;
- Processed in a way that ensures appropriate security of the personal data;
- Not transferred to a third country or to an international organisation if the provisions of GDPR are not complied with.