EU Privacy Law
right to erasure
Also known as the "right to be forgotten", this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing
data subject
A "natural person" who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or factors specific to their physical, genetic, or other identity
controller
An entity that determines the purposes and means of the processing of personal data
processor
An entity that processes personal data based on the instructions of a controller
personal data
Any information relating to an identified or identifiable data subject.
processing
Anything that is done to or with personal data
anonymous data
Data that cannot ever be connected to an identified or identifiable person
general data protection regulation
GDPR
one stop shop
GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues
basis of data processing
In order to process personal data, organizations must have a lawful basis to process the data, such as to fulfill the performance of an agreement with the data subject or by obtaining the consent of a data subject.
sensitive personal data
Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data
pseudonymous data
Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information
accountability
a data controller is responsible for implementing measures to ensure that the personal data they control is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of "privacy by design" and "privacy by default". Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and conducting privacy impact assessments
usage limitations
administrative or technological controls can be used to limit the organization's use of data to the purposes for which it collected the data
security
administrative, physical, and technological security measures are necessary to prevent unauthorized access, use, modification, disclosure, or deletion of personal data
standard contractual clauses
also known as "model clauses", these are legal contracts between parties who are transferring personal data from Europe to countries outside the EEA. The European Commission drafted and approved the standard contractual clauses, which contain detailed obligations related to the protection of personal data.
binding corporate rules
also known as BCRs, these are company-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area (EEA) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities
data protection impact assessments
analyses of new processing activities to identify and address privacy risks
data protection officer
any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law
encryption
contrary to some reports, the GDPR does not require organizations to encrypt personal data. However, depending on the circumstances, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data. In particular, the law suggests that encryption may be appropriate for sensitive personal data and specific types of data managed by highly regulated companies
use of processors
data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller's instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of GDPR applicable to processors
breach notification
data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects
assessments
data protection impact assessments must be conducted for each high-risk data processing activity
right to object
data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes
data rectification
data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete
restriction of processing
data subjects can request that a controller stop access to and modification of their personal data. For example, the controller can mark or use technological means to ensure that such data will not be further processed by any party
data access
data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared
training
employee and vendor training must be delivered to raise awareness of privacy policies, processes, and requirements, as well as of how to report concerns and suspicious data activity
the EU-US Privacy Shield and Swiss-US Privacy Shield
frameworks designed by the US Department of Commerce, along with the European Commission and the Swiss government, to provide companies with a mechanism for complying with European data protection requirements when they're transferring personal data from Europe to the United States. Companies certify compliance with the US Department of Commerce and are subject to oversight and enforcement by the US Federal Trade Commission.
anonymization
if data is truly anonymized, then the data does not constitute personal data under the GDPR. However, the bar to be considered anonymous is high: it must be impossible for any individual to be identified from the data by any further processing or by combining it with other information
data portability
in certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (for example, a .csv file) so that they can transmit their own personal data to another company
data subject rights
mechanisms and procedures are needed to manage data subject consent preferences and respond to complaints and requests for access, rectification, restriction, portability and deletion
privacy notices
must be provided wherever personal data is collected, including through the use of website cookies and tags
data minimization
organizations can collect only personal data that's adequate, relevant, and limited to what's necessary for the intended purpose
purpose limitation
organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that's incompatible with those purposes.
fairness and transparency
organizations must always process personal data lawfully, fairly, and in a transparent manner
vendor management
organizations must have contracts with affiliates, vendors, and other third parties that collect or receive personal data, including standard contractual clauses or other mechanisms to legalize data transfers outside the EU
security
organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization and anonymization is recommended, and in some cases required, to help protect personal data
accuracy
personal data must be accurate and, where necessary, kept up to date
data deletion
personal data must be kept only for as long as it's needed to fulfill the original purpose of collection
compliance obligations
previous EU laws directly regulated primarily data controllers; however, the GDPR places numerous direct compliance obligations on data processors, including requirements that processors only process personal data in accordance with the controller's instructions, not share data with other vendors without consent of the controller, and implement appropriate security measures
incident response
processes must be created to detect and respond to security breaches, including remediating the breach and notifying all necessary parties
pseudonymization
the GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals. In certain scenarios, organizations can utilize pseudonymization as a measure to enable the use of data beyond the original purpose. For instance, pseudonymization may constitute a sufficient safeguard against risks from profiling. However, pseudonymized data is still considered personal data under the GDPR
profiling
the GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject, or "profiling". This includes monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behavior, preferences, or attitudes. Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases
data subject rights
the GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that data controllers provide them with access to all personal data the controller maintains about them, and they can request that the data be corrected, deleted, frozen, or made portable. Additionally, they can object to certain processing and revoke previously given consent.
privacy by default
this is the idea that organizations must always use the most "privacy friendly" default settings when collecting, processing, or storing data. For example, when giving individuals a choice over how much of their data is processed, the default setting should always be the choice with the least amount of processing. When selecting a retention period, the default must be the shortest possible retention period.
privacy by design
this is the idea that when organizations plan a new processing activity or develop or implement a new product, service, or feature, they must design such activities and products with the GDPR principles in mind, to ensure they put appropriate safeguards in place to protect privacy
enforcement
under previous EU law, data protection authorities in Europe had limited ability to punish companies that violated privacy law. Under the GDPR, authorities can fine companies up to the greater of 20 million pounds or 4% of a company's annual global revenue, based on the seriousness of the breach and damages incurred