GDPR Compliance Obligations
The EU General Data Protection Regulation (GDPR) applies to:
- Businesses that process personal data in the context of an EU establishment's activities, regardless of whether the processing takes place in the EU.
- Non-EU businesses with no EU establishment that process personal data in connection with:
- offering goods or services to EU-based individuals (free or paid); or
- monitoring individuals' behavior that takes place in the EU.
- Businesses not established in the EU that are subject to EU member state law by virtue of public international law.
EU member states may also establish local legislation that both aligns their own historic data protection laws with the GDPR and addresses local exceptions or variations permitted by the GDPR.
GDPR Compliance Obligations Include:
- A requirement that entities have a legal basis to process personal data (Article 6). The GDPR recognizes multiple legal bases for processing personal data, including:
- Consent from the data subject;
- Consent must satisfy specific requirements: it must be freely given, specific, informed, and unambiguous, and the controller must be able to demonstrate that the data subject consented (Articles 4(11) and 7). Implied consent, pre-ticked boxes, and opt-out consent are not valid under the GDPR (Article 4(11); Recital 32).
- That processing is necessary to perform a contract to which the data subject is a party;
- That processing is necessary to comply with the controller’s legal obligation;
- That processing is necessary to protect the vital interests of the data subject or of another natural person;
- That processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- That processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Certain types of personal data processing under the GDPR require explicit consent, including when relying on consent to:
- Process special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life, or sexual orientation) (Article 9(1));
- Transfer personal data outside the EEA where no adequacy decision or appropriate safeguards apply (Article 49(1)(a)); and
- Make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on the data subject (Article 22(2)(c)).
- When relying on consent to offer information society services directly to a child, the consent of the holder of parental responsibility is required for children under 16 years old; EU member states may lower this age to a minimum of 13 (Article 8).
- The GDPR prohibits processing special categories of personal data unless an exception applies (Article 9). When relying on consent as that exception, the controller must obtain explicit consent (Article 9(2)(a)). Personal data relating to criminal convictions and offenses may be processed only under the control of official authority or where authorized by EU or member state law that provides appropriate safeguards (Article 10).
- Controllers and processors not established in the EU but subject to the GDPR under Article 3(2) must designate an EU representative in writing, subject to limited exceptions (Article 27). This requirement does not apply to: “processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.”
- A Data Protection Officer is required in certain circumstances (Article 37). The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
- The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
- A Data Protection Impact Assessment is required where the entity processes data in certain types of high-risk scenarios, such as:
- New technologies;
- Profiling;
- Automated processing;
- Large scale processing of special categories of personal data;
- Systematic monitoring of a publicly accessible area on a large scale.
- Where the assessment indicates that the processing would result in a high risk that the controller cannot mitigate, the controller must consult the supervisory authority before starting the processing (Articles 35 and 36).
- Controllers and processors must maintain a record of processing activities, subject to limited exceptions (Article 30). The documentation requirement does not apply to controllers and processors that employ fewer than 250 persons unless at least one of the following conditions applies (Article 30(5), GDPR):
- The processing is likely to result in a risk for the data subject's rights and freedoms;
- The processing is not occasional; or
- The processing includes special categories of personal data or criminal conviction and offense data (Articles 9(1) and 10, GDPR).
- Controllers must comply with the data processing principles (Article 5(1)) and be able to demonstrate compliance with them (Article 5(2)).
- The principles include that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
- Demonstrating compliance: The GDPR approves the use of codes of conduct (Article 40, GDPR) and certifications (Article 42, GDPR) to demonstrate compliance with certain GDPR requirements. Signing up to a code of conduct or certification scheme is voluntary. Participating in certification programs or adhering to established codes may help demonstrate compliance with: Responsibilities of the controller (Article 24, GDPR); Data protection by design and by default (Article 25, GDPR); Processor requirements (Article 28, GDPR); Security of processing (Article 32, GDPR); Data protection impact assessment (Article 35, GDPR); Transfers subject to appropriate safeguards (Article 46(2), GDPR).
- Direct marketing is permitted if the controller satisfies the GDPR's requirements for lawfully processing personal data and handling data subject objections to direct marketing (Articles 6 and 21).
- Transparency requirement (see Transparency Guidelines):
- The GDPR's transparency obligation to data subjects is an overarching obligation that affects three general areas:
- Providing specific information to data subjects to ensure fair processing (Articles 13 and 14, GDPR);
- Communicating with data subjects about their data processing rights (Articles 15 to 22, and 34, GDPR);
- How controllers facilitate the exercise of data subject rights (Article 12(2), GDPR).
- The GDPR requires controllers to demonstrate that they process personal data transparently. The transparency requirement applies throughout the data processing lifecycle, including:
- Before or at the start of data processing when the controller collects the personal data from the data subject or a third party;
- Throughout the period of data processing including when communicating with data subjects about their rights;
- At specific points during data processing, for example, when data breaches occur or when processing materially changes. (Article 5(2), GDPR; Transparency Guidelines, at 6.)
- Personal data must be collected for specified, explicit, and legitimate purposes and not processed in a manner that is incompatible with those purposes, subject to limited exceptions. This means that, generally, the controller cannot process personal data for any purposes other than those notified to the data subject on collection of the personal data (Article 5(1)(b), GDPR). Further processing beyond that which the data subject originally anticipated is only permitted if the new processing is compatible with the initial processing purpose. Where the new processing is compatible with the initial processing no new legal basis, separate from that which allowed the original personal data collection, is required (Recital 50, GDPR).
- Entities subject to the GDPR must honor data subject rights requests (Articles 12 to 22):
- Right to access personal data, obtain certain information about the processing, and receive a copy of certain personal data, on request (Articles 12 and 15)
- The right to be told the actual identity of the recipients to whom personal data has been disclosed, except in limited circumstances where only the categories of recipients can be provided (Article 15(1)-(2));
- The right to request erasure of personal data in specific circumstances (Article 17);
- The right to obtain rectification without undue delay or to supplement incomplete personal data (Article 16);
- The right to object to data processing in certain circumstances (Article 21);
- The right to restrict data processing in certain circumstances, such as when a data subject contests the data's accuracy or while a processing objection is pending (Article 18);
- The right to data portability, which includes the right to:
- Receive a copy of certain personal data from the controller in a commonly used and machine-readable format and store it for further personal use on a private device;
- Transmit certain personal data to another controller;
- Have certain personal data transmitted directly from one controller to another where technically possible. (Article 20(1), (2).)
- The right not to be subject to a decision based solely on automated processing, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions (Article 22)
- The GDPR requires appropriate technical and organizational security measures to ensure a level of security appropriate to the risk (Articles 25 and 32).
- Controllers must implement data protection by design and by default (Article 25): building appropriate safeguards into systems from the outset and, by default, processing only the personal data necessary for each specific purpose.
- Data breach notification responsibility: Controllers experiencing a data breach must notify:
- The competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33).
- The affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).
- The GDPR requires processors to notify the controller without undue delay when they become aware of a personal data breach (Article 33(2)).
- Data Processor Contracts: A contract or other legal act that includes specified terms must govern processor relationships (Article 28(3)). This applies where a controller engages a vendor or other processor to provide services in which the vendor will have access to the personal data the controller controls.
- Examples of some common required terms in data processor contracts include provisions that:
- Describe the subject matter, purpose, and duration of processing.
- Clearly define the rights and obligations of both parties.
- Commit each person processing data to a duty of confidentiality.
- Pass obligations on to subcontractors.
- Require the processor's cooperation with audits and compliance assessments.
- Cross-border data transfers: The GDPR permits transfers of personal data outside the EEA only where:
- the European Commission has decided that the recipient country, territory, sector, or international organization provides an adequate level of protection (Article 45, GDPR); or
- the controller or processor provides appropriate safeguards and data subjects have enforceable rights and effective legal remedies (Article 46, GDPR), for example through standard contractual clauses, binding corporate rules, or an approved code of conduct or certification mechanism; or
- one of the limited derogations for specific situations applies, such as the data subject's explicit consent (Article 49, GDPR).
- For transfers to the US, the EU-US Data Privacy Framework (DPF) operates under an adequacy decision (Article 45). DPF participants can receive personal data from the EU without completing a transfer impact assessment (TIA) or putting additional safeguards in place, because the adequacy decision replaces the adequacy analysis a TIA would otherwise require. Participation in the DPF is restricted to US legal entities subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation. Eligible organizations must self-certify compliance with a detailed set of privacy principles that are similar to the previous EU-US Privacy Shield principles.
- The GDPR's requirements do not apply to personal data that an organization anonymizes so that the data subject is no longer identifiable. In contrast, the GDPR treats pseudonymized data as information about an identifiable natural person, because the controller or others may re-identify the data using additional information. Although the GDPR recognizes that pseudonymization can reduce risks to data subjects, pseudonymized data is not exempt from the GDPR's requirements. (Recitals 26 and 28.)
- General information on GDPR enforcement and penalties:
- Failing to comply with the GDPR carries substantial penalties. The most serious infringements may result in fines of up to EUR 20 million or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5), GDPR); other infringements carry fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher (Article 83(4), GDPR).
- Data subjects may file complaints with their supervisory authority (Article 77, GDPR).
- Data subjects may also bring judicial proceedings against a supervisory authority or against a controller or processor (Articles 78 and 79, GDPR) and claim compensation for material or non-material damage (Article 82, GDPR).