4. European Union Privacy Law Basics
7. What are some of the key changes that GDPR brings about?
- Basis of data processing - Compliance obligations - Breach notification - Data protection officer - Enforcement - Use of processors - Profiling - Data subject rights - One-stop-shop
13. What is Use of processors?
Data controllers must have written agreements with data processors that - ensure processors act only in accordance with the controller's instructions, - implement appropriate security measures to protect the data, assist the controller with its compliance obligations, - return or destroy personal data at the end of the relationship, - and comply with the provisions of GDPR applicable to processors.
2. Who can be impacted by the GDPR?
If your business collects, stores, or uses personal information about European residents, then the GDPR can have a profound impact on your business processes.
8. What is Basis of data processing?
In order to process personal data, organizations must have a lawful basis to process the data, such as to fulfill the performance of an agreement with the data subject or by obtaining the consent of a data subject. To the extent that consent is the only lawful basis, that consent must be freely given, specific, informed, and unambiguous. In other words, organizations must give data subjects a genuine choice whether to allow their data to be processed and must agree via a clear statement or affirmative action. Requiring data subjects to grant broad consent to processing of their personal data when they register to use a service may not constitute freely given consent beyond processing that is necessary for providing the service. Additionally, organizations must be able to prove that they have obtained valid consent.
9. What is Compliance obligations?
Previous EU law directly regulated primarily data controllers; however, the GDPR places numerous direct compliance obligations on data processors. This includes requirements that processors only process data in accordance with the controller's instructions, not share data with other vendors without the consent of the controller, and implement appropriate security measures (which we discuss further in the next unit). Additionally, the law imposes several more compliance obligations on both data controllers and data processors to implement appropriate policies, assess the privacy impact of changes to business practices, and keep detailed records on data activities.
14. What is Profiling?
The GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject—or, "profiling." This includes: - Monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behavior, preferences, or attitudes. - Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases.
17. What is One-stop-shop?
The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues.
5. When The GDPR went into effect?
The GDPR went into effect on May 25, 2018, and significantly expanded the privacy rights granted to individuals. It also placed many new obligations on organizations that handle personal information.
3. What does the EU's Data Protection Directive, adopted in 1995 require?
The directive required companies and governments to be: - Transparent about the personal data they process, - Have a legitimate purpose for their use of that data, - and exercise care in handling data.
4. Why EU legislators adopted the GDPR?
The directive was adequate for technology as it existed in 1995, but rapid changes in technology in the ensuing years necessitated an update. EU legislators adopted the GDPR to keep privacy law relevant in a world where far more data is collected than ever before. They also wanted to ensure a uniform law existed across the EU and avoid major differences between countries.
12. What is Enforcement?
Under previous EU law, data protection authorities in Europe had limited ability to punish companies that violated privacy law. Under the GDPR, authorities can fine companies up to the greater of €20 million or 4% of a company's annual global revenue, based on the seriousness of the breach and damages incurred.
10. What is Breach notification?
- Data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. - If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible. - Data processors must also notify data controllers of data breaches as soon as possible.
6. What is GDPR?
- It establishes rules for how companies, governments, and other entities can process the personal data of data subjects who are in the EU. - Many of these rules already existed under previous EU law, but some rules are now stricter, some are less burdensome, and some are brand new. - The rules reach beyond the physical borders of the EU and apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behavior of those people (including through the use of cookies).
11. Who is data protection officer?
Any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law.
16. What is Data subject rights?
The GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that data controllers: - Provide them with access to all personal data the controller maintains about them, and - They can request that the data be corrected, deleted, frozen, or made portable (for example, downloaded). - Additionally, they can object to certain processing and revoke previously given consent.
15. Important note:
The GDPR retains existing restrictions on cross-border transfers of personal data to countries whose privacy laws are considered "inadequate," unless the organizations transferring and receiving the data take additional steps to ensure it is protected. In addition to endorsing existing measures like binding corporate rules and standard contractual clauses, the GDPR states that adherence to association codes of conduct or data protection certification programs approved by regulators can also be acceptable transfer mechanisms.
1. What is the passage of a comprehensive privacy law that European Union (EU) created, called?
The General Data Protection Regulation (GDPR).