On 25 May 2018 the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016) (“GDPR”) became applicable in all 28 Member States of the European Union, including Cyprus, replacing the previous data protection rules for the processing of personal data.
The effect of the GDPR is not limited to the EU’s borders. It extends to any entity, wherever incorporated and wherever it carries on its activities, that processes the personal data of individuals who are in the EU. The main goal of the GDPR is to guarantee the protection of those individuals regardless of where their data is processed or stored.
What does personal data under GDPR guidance include?
Personal data includes any information relating to an individual. According to the GDPR, “personal data” means any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Online identifiers such as IP addresses therefore fall within the definition.
The GDPR also designates special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. Processing of these categories is generally prohibited unless one of the exceptions explicitly set out in the GDPR (Article 9) applies, for example where processing is necessary to protect the vital interests of the data subject or of another person and the data subject is physically or legally incapable of giving consent.
Applicability of the GDPR
The GDPR applies to government bodies and to public and private companies that collect, process or transmit personal data relating to their clients, employees, associates and others. It applies in particular in the following situations.
- If your organization is established anywhere in the EU
The GDPR applies to you, and you must abide by its requirements. Some organizations maintain a “shell” entity within the EU without truly offering services there. These circumstances vary and should be discussed with a privacy professional to determine whether the GDPR applies to your organization.
- If your organization is a controller or processor under the GDPR (or both)
A “controller” is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A “processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Because it can be difficult for an organization to determine which of these roles (or whether both) describes it, a privacy or information security professional can help draw a clear distinction. Organizations must know their role(s) in order to comply with the GDPR obligations specific to each.
- If your organization offers goods or services to people in the EU
It is useful to distinguish between “offering” and merely “selling”. “Offering” means specifically targeting customers in the EU; indications of targeting include using a language or currency of an EU Member State, enabling orders in that language, or mentioning customers or users in the EU. “Selling” means you do not target EU residents, but if an EU resident wants to purchase your product or service you will still sell to them. The GDPR applies whether or not a payment is required. If you are offering to people in the EU, you must adhere to the GDPR. If you are merely selling to them, the GDPR may not apply, and the volume of business you do there is one relevant factor: if EU residents account for a very small share of your revenue you are more likely to fall outside the GDPR’s scope, whereas if a significant part of your revenue comes from EU residents you are more likely to fall within it.
You may not consider yourself to be offering or selling services to people in the EU at all. Some organizations simply ingest large volumes of data for analytical, technical, research or other purposes. If that data contains information about individuals in the EU, the GDPR may apply to you. The GDPR will also most likely apply if you process personal data on behalf of an EU company.
- If your company monitors activity or behaviour within the EU
For example, if your company provides an app that includes any level of monitoring (for instance, building profiles to study and forecast users’ consumer choices), and you have users residing in or even visiting the EU, you are in scope of the GDPR. Even if the app is only available outside the EU, if you track users while they are in the EU you will most likely need to comply with the GDPR.
Organizations and companies must also:
- Assess their current data systems, policies and procedures;
- Identify the risks involved in those current policies and procedures;
- Ensure that personal data are collected for a specified, explicit purpose;
- Ensure that personal data are processed only for the purpose for which they were collected;
- Notify the supervisory authority (in Cyprus, the Commissioner for Personal Data Protection) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals;
- Store personal data only for the minimum period required, and only on a valid lawful basis such as the consent of the data subject;
- Adopt internal policies and implement measures such as minimizing the processing of personal data, pseudonymising personal data and enabling the data subject to monitor the processing of their data.
Extension of rights of data subjects
The GDPR creates a uniform legal basis by imposing the same duties and liabilities in all EU Member States. It significantly extends the rights of data subjects over their own personal data. Individuals in the EU have the right to obtain confirmation of whether their personal data are being processed and, if so, information on the purposes of the processing, the recipients or third parties to whom the data will be disclosed, the period of processing and the source from which the data were obtained; to require that inaccurate data be corrected; and to require that the processing be stopped, among other rights.
The GDPR enhances the existing rights of data subjects and also introduces new ones, such as:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure (“right to be forgotten”), under which personal data must in some circumstances be erased without undue delay at the request of the data subject, in order to prevent their disclosure and distribution (for instance, when the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or when the data were unlawfully processed);
- The right to data portability, a novelty introduced by the GDPR. This right allows individuals to obtain and reuse their personal data across different services (to move, copy or transfer personal data from one company to another in a secure and safe way);
- A strict requirement that consent, where relied upon, be valid. Consent is valid only if it is freely given, specific, informed and unambiguous, and is expressed by a statement or a clear affirmative action (which may be written or oral) concerning the processing of the data subject’s personal data;
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
The GDPR introduces strict penalties. Administrative fines must in each case be “effective, proportionate and dissuasive” and are applied in addition to, or instead of, the other corrective measures envisaged by the GDPR.
Infringements of the basic principles for processing (including the conditions for consent), of data subjects’ rights, or of the rules on transfers of personal data to a recipient in a third country or an international organization can lead to fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater.
Infringements of the obligations of the controller and the processor (including the obligations relating to the designation and tasks of a data protection officer) or of the conditions applicable to a child’s consent can lead to fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is greater.
Our team of lawyers can advise on all matters related to data protection legislation, privacy and confidentiality. We provide legal opinions in relation to data protection matters and draft contracts for your business in light of the GDPR provisions, as well as monitor and advise on regulatory developments.