EU Privacy Law

right to erasure

"right to be forgotten", this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing

data subject

A "natural person" who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity

controller

An entity that determines the purposes and means of processing of personal personal data

processor

An entity that processes personal data based on the instructions of a controller

personal data

Any information relating to an identified or identifiable data subject.

processing

Anything that is done to or with personal data

anonymous data

Data that cannot ever be connected to an identified or identifiable person

general data protection regulation

GDPR

one stop shop

GDRP provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues

basis of data processing

In order to process personal data, organizations must have a lawful basis to process the data, such as to fulfill the performance of an agreement with the data subject or by obtaining the consent of a data subject.

sensitive personal data

Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data

pseudonymous data

Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information

accountability

a data controller is responsible for implementing measures to ensure that the personal data they control is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of "privacy by design" and "privacy by default". Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and conducting privacy impact assessments

usage limitations

administrative or technological controls can be used to limit the organization's use of data to the purposes for which it collected the data

security

administrative, physical, and technological security measures are necessary to prevent unauthorized access, use, modification, disclosure, or deletion of personal data

standard contractual clauses

also known as "model clauses", these are legal contracts between parties who are transferring personal data from Europe to countries outside the EEA. The European Commission drafted and approved the standard contractual clauses, which contain detailed obligations related to the protection of personal data.

binding corporate rules

also known as BCRs, these are company-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area (EEA) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities

data protection impact assessments

analyses of new processing activities to identify and address privacy risks

data protection officer

any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law

encyrption

contrary to some reports, the GDPR does not require organizations to encrypt personal data. However, depending on the circumstances, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data. In particular, the law suggests that encryption may be appropriate for sensitive personal data and specific types of data managed by highly regulated companeis

use of processors

data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller's instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of GDPR applicable to processors

breach notification

data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects

assessments

data protection impact assessments must be conducted for each high risk data processing activity

right to object

data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes

data rectification

data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete

restriction of processing

data subjects can request that a controller stop access to and modification of their personal data. For example, the controller can mark or use technological means to ensure that such data will not be further processed by any party

data access

data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared

training

employees and vendor training must be delivered to raise awareness regarding privacy policies, processes, and requirements, as well as to report concerns and suspicious data activity

the EU-US privacy shield and swiss-us privacy shield

frameworks designed by the US department of commerce, along with the European Commission and Swiss government, to provide companies with a mechanism for complying with European data protection requirements when they're transferring personal data from Europe to the United States. Companies certify compliance with the US Department of Commerce and are subject to oversight and enforcement by the US Federal Trade Commission.

anonymization

if data is truly anonymized, then the data does not constitute personal data under the GDPR. However, the bar to be considered anonymous is high: it must be impossible for any individual to be identified from the data by any further processing or by combining it with other information

data portability

in certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (.csv file) so that they can transmit their own personal data to another company

data subject rights

mechanisms and procedures are needed to manage data subject consent preferences and respond to complaints and requests for access, rectification, restriction, portability and deletion

privacy notices

must be provided wherever personal data is collected, including through the use of website cookies and tags

accuracy

organizations can collect only personal data that's adequate, relevant, and limited to what's necessary for the intended purpose

data minimization

organizations can collect only personal data that's adequate, relevant, and limited to what's necessary for the intended purpose

purpose limitation

organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that's incompatible with those purposes.

fairness and transparency

organizations must always process personal data lawfully, fairly, and in a transparent matter

vendor management

organizations must have contracts with affiliates, vendors, and other third parties that collect or receive personal data, including standard contractual clauses or other mechanisms to legalize data transfers outside the EU

security

organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encyrption, pseudonymization and anonymization is recommended, and in some cases required, to help protect personal data

accuracy

personal data must be accurate and, where necessary, kept up to date

data deletion

personal data must be kept only for as long as it's needed to fulfill the original purpose of collection

compliance obligations

previous EU laws directly regulated primarily data controllers; however, the GDPR places numerous direct compliance obligations on data processors, including requirements that processors only process personal data in accordance with the controller's instructions, not share data with other vendors without consent of the controller, and implement appropriate security measures

incident response

processes must be created to detect and respond to security breaches, including remediating the breach and notifying all necessary parties

pseudonymization

the GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals. In certain scenarios, organizations can utilize pseudonymization as a measure to enable the use of data beyond the original purpose. For instance, pseudonymization may constitute a sufficient safeguard against risks from profiling. However, pseudonymized data is still considered personal data under the GDPR

profiling

the GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject-or, "profiling". This includes monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behavior, preferences, or attitudes. Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases

data subject rights

the GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that data controllers provide them with access to all personal data the controller maintains about them, and they can request that the data be corrected, deleted, frozen, or made portable. Additionally, they can object to certain processing and revoke previously given consent.

privacy by default

this is the idea that organizations must always use the most "privacy friendly" default settings when collecting, processing, or storing data. For example, when giving individuals a choice over how much of their data is processed, the default setting should always be the choice with the least amount of processing. When selecting a retention period, the default must be the shortest possible retention period.

privacy by design

this is the idea that when organizations plan a new processing activity or develop or implement a new product, service, or feature, they must design such activities and products with the GDPR principles in mind, to ensure they put appropriate safeguards in place to protect privacy

enforcement

under previous EU law, data protection authorities in Europe had limited ability to punish companies that violated privacy law. Under the GDPR, authorities can fine companies up to the greater of 20 million pounds or 4% of a company's annual global revenue, based on the seriousness of the breach and damages incurred