General Data Protection Regulation
Table of Contents
- The Regulation
- EU Market Entry
- Authorized Representative
- Post-Market Surveillance
- Risks of Non-Compliance
The GDPR’s material scope covers the processing of all personal data, which relates to an identified or identifiable person. The territorial scope covers all processing, which was done in the context of the activities of an EU established controller or processor, irrespective of whether the processing itself was done in the Union. When the controller or the processor are located outside of the EU but offers goods or services to, or monitors the behaviour of data subject in the Union, the GDPR is applicable.
In summary, a company must comply with the GDPR if it processes personal data and:
- Has presence in the EU;
- Has no presence in the EU but processes personal data of data subjects located in the EU;
With regards to size, a company should comply with the GDPR if it:
- Has more than 250 employees; or
- Has less than 250 employees, but the processing it does impacts the rights and freedoms of data subjects, is not occasional or includes sensitive data.
With regards to sector, a company should comply with the GDPR:
- Regardless of sector;
- That includes companies manufacturers or legal manufacturers from a multitude of sectors (medical devices, in-vitro diagnostics, cosmetics, machinery, toys, automotive, pressure – just to name a few).
The Regulation: GDPR 2016/679/EU
The GDPR 2016/679/EU (General Data Protection Regulation) was adopted on April 14, 2016. In order to process personal data, data controllers and processors must comply with this regulation. The GDPR harmonizes the protection of fundamental rights and freedoms of natural persons with regards to the processing of their data and to ensure the free flow of personal data between Member States.
The GDPR is designed to protect natural persons from unlawful processing of their personal data. The requirements in the Regulation have to be met with regards to any processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing itself takes place in the Union. If the controller or the processor is not established in the EU, the processing of personal data of data subjects who are in the EU for the purpose of offering goods or services or monitoring behaviour falls under the scope of the GDPR.
Personal data means any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can, directly or indirectly, be identified with the help of identifiers (e.g. name, identification number, location data, physical, genetic or mental characteristics). The GDPR encourages the use of pseudonymisation for the stronger protection of personal data. Anonymous information cannot be attributed to a specific natural person and, therefore, falls outside of the scope of the GDPR.
Examples of personal data include:
- Name and surname;
- Home address;
- An email address, which contains the name of the data subject;
- Location data;
- Data held by hospitals or doctors, such as medical history and genetic data
- Information about education or employment, such as salary data, tax information and diploma.
- IP address of a single user
Processing covers any manual or automated operation which is performed on personal data. It includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
For processing to be considered as legal, it must be done under one of the lawful bases of Article 6 (1) of the Regulation: consent (paragraph (a)); performance of a contract (paragraph (b)); compliance with a legal obligation (paragraph (c)); protection vital interests (paragraph (d)); public interest (paragraph (e)); or legitimate interests (paragraph (f)).
In case of a breach of the GDPR, the penalties can be as high as 4% of the annual global turnover of the company or EUR 20 Million, whichever is greater. The fines are dependent on the obligations which were infringed.
EU Market Entry: Compliance
In order to be able to lawfully process personal data, the controller or processor, have to do the following:
- Keep a record of processing activities, which should include:
- The name and contact details;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data,
- The categories of recipients to whom the personal data have been or will be disclosed;
- Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data; and
- Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR
2. Comply with the requirements of the Regulation, and have written proof thereof, including but not limited to the obligations to:
- Process personal data lawfully, fairly and in a transparent manner (Article 1 (a) GDPR);
- Collect personal data for specified, explicit and legitimate purposes and do not further process it in a manner that is incompatible with those purposes (Article 1 (b) GDPR);
- Process personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Article 1 (c) GDPR);
- Keep accurate and, where necessary, update the personal data processed (Article 1 (d) GDPR);
- Keep the personal data in a form which permits identification of data subjects for no longer than is necessary (Article 1 (e) GDPR); and
- Process personal data in a manner that ensures appropriate security (Article 1 (f) GDPR).
3. Process personal data only under one of the lawful bases under Article 6 of the GDPR.
4. Comply with the requirements related to: the information to be provided where personal data have or have not been collected from the data subject (Articles 13 and 14 GDPR); the right of access of the data subject (Article 15 GDPR); the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), portability (Article 20 GDPR), object (Article 21 GDPR).
5. Appoint a European Representative if it does not have presence in the EU, but offers goods or services to, or monitors the behavior of data subjects located in the Union. Make sure to appoint a Representative, located in one of the Member States where the data subjects are.
Risks of Non-Compliance