The GDPR, or General Data Protection Regulation, is European Regulation (EU) 2016/679. It gives effect to the protection of personal data as a fundamental right in its own right, as enshrined in Article 8 of the Charter of Fundamental Rights of the European Union:
Charter of Fundamental Rights of the European Union
Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules is subject to supervision by an independent authority.
The GDPR was definitively adopted in April 2016 and has applied in all Member States of the European Union since 25 May 2018.
Its Article 1 describes the purpose and objectives of the GDPR:
Article 1 – Purpose and objectives
1. This Regulation establishes rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data.
2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall not be restricted or prohibited on grounds relating to the protection of individuals with regard to the processing of personal data.
It is composed of 99 articles and 173 recitals, which detail its objective: to ensure a consistent and high level of protection of natural persons by strengthening the rights of data subjects and increasing the obligations of those who process their data.
In its Article 3, the GDPR specifies that its territorial scope extends beyond the European Union, as long as the processing of personal data concerns data subjects who are in the Union:
Article 3 – Territorial scope of application
1. This Regulation applies to the processing of personal data carried out in the course of the activities of an establishment of a controller or processor on the territory of the Union, whether or not the processing takes place in the Union.
2. This Regulation shall apply to the processing of personal data relating to data subjects who are in the territory of the Union by a controller or processor who is not established in the Union, where the processing activities relate to:
(a) offering goods or services to such data subjects in the Union, whether or not payment is required from such data subjects; or
(b) monitoring the conduct of such persons, to the extent that such conduct takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller who is not established in the Union but in a place where the law of a Member State applies under public international law.
There are six fundamental principles, listed in Article 5(1) of the GDPR. They are the basis of every GDPR compliance effort, and under Article 5(2) the controller is responsible for compliance with them and must be able to demonstrate it (accountability):
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
Article 5 – Principles for the processing of personal data
1. Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, transparency);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered, in accordance with Article 89(1), as incompatible with the initial purposes (purpose limitation);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability).
The GDPR sets no threshold on the size or type of organisation concerned: a freelancer, a sole proprietorship, an SME and a multinational company, whether private or public, are all covered. As long as you are established in the Union (the GDPR also applies in the EEA countries Norway, Iceland and Liechtenstein), or you process personal data of people who are in the Union under the conditions of Article 3(2), you are subject to the obligation to comply with the GDPR. The main exclusion for individuals is Article 2(2)(c): processing by a natural person in the course of a purely personal or household activity is out of scope.
Penalties for non-compliance can be severe: up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The amount varies according to the criteria listed in Article 83(2) of the GDPR, which include, among others:
– the nature, seriousness and duration of the infringement;
– the measures taken to mitigate the harm to the data subjects; and
– the degree of cooperation with the supervisory authority.
Article 83 – General conditions for imposing administrative fines
1. Each supervisory authority shall ensure that administrative fines imposed under this Article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine, due regard shall be given in each individual case to the following:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently infringes several provisions of this Regulation, for the same or linked processing operations, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and processor under Articles 8, 11, 25 to 39, 42 and 43;
(b) the obligations of the certification body under Articles 42 and 43;
(c) the obligations of the body responsible for monitoring codes of conduct under Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the powers of the supervisory authorities to take remedial action under Article 58(2), each Member State may lay down rules determining whether and to what extent administrative fines may be imposed on public authorities and public bodies established in its territory.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union law and the law of the Member States, including effective judicial review and due process.
9. If the legal system of a Member State does not provide for administrative fines, this Article may be applied in such a way that the fine is determined by the competent supervisory authority and imposed by the competent national courts, while ensuring that these legal remedies are effective and have equivalent effect to administrative fines imposed by the supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member States concerned shall notify the Commission of the legal provisions they adopt pursuant to this paragraph by 25 May 2018 at the latest and, without delay, of any subsequent legal provisions or amendments thereto.
This is the end of this article, in which I have tried to explain simply what the GDPR is, what its scope is, what its fundamental principles are, and what the consequences of possible non-compliance are. But it is obvious that I have only scratched the surface of this regulation in this article, that it obviously goes much further, and that many things are missing from this article.
I advise you to contact a specialist for your compliance: either a GDPR consultant or, even better, a former or current DPO (Data Protection Officer).