The General Data Protection Regulation (GDPR) was enacted to protect the data privacy rights of EU residents. Any collection, processing, storage, or transfer of personal data by a company is subject to GDPR. The regulation grants individuals residing in the EU specific rights to safeguard their data and to complain about any breach of the regulation. Before GDPR, a European Directive was in force to oversee the protection of natural persons, their personal data, and the free movement of such data. A directive sets goals that member states must achieve by enacting their own national laws; a regulation, on the other hand, applies directly and uniformly in every member state. A regulation is therefore a more efficient way to apply the same rules throughout the Union. With the emergence of new technologies and the growth of a global market, the data protection provisions of the EU directive no longer met today’s data protection needs. To raise the standard of data protection law in the EU, GDPR was enacted and came into force on May 25th, 2018. GDPR covers the rights of data subjects, the procedures by which compliance with the regulation is demonstrated, transfers to third countries or international organizations, supervisory authorities, and penalties.
GDPR applies to the countries of the European Union and of the European Economic Area (except the UK after Brexit). Any organization situated in the EU that processes the data of data subjects in the EU must comply with GDPR. An organization situated outside the EU must also comply if it offers goods or services to data subjects in the EU or carries out activities that monitor the behaviour of data subjects in the EU. The scope of GDPR is best understood in two contexts: the data that falls within its scope, and the data subjects that fall within its scope.
Data – GDPR applies to the personal data of data subjects that is processed either wholly or partly by automated means, or otherwise processed as part of a filing system. Personal data is any information relating to a natural person that could be used to identify that person, for example a name, an identification number, location data, or physical, social or mental data.
Data Subjects – GDPR protects the rights of a natural person whose personal data is to be processed or is being processed. It applies to EU citizens whether or not they are located in the EU. A non-EU citizen residing in the EU is also protected by GDPR. The regulation therefore applies to both EU citizens and EU residents. The personal data of a deceased person is not regulated by GDPR.
GDPR rests on seven principles on which its data protection rules are built, and these principles serve as a guide to understanding compliance with GDPR. They are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Any organization or company collecting or processing the data of an EU resident should know and adhere to these principles in order to comply with GDPR.
According to the principles of GDPR, personal data must be processed lawfully, and processing is lawful where the data subject has given consent to the processing of her personal data. Lawful processing is not, however, as simple as obtaining consent and then processing the data. The controller must also be able to prove that consent was obtained before any personal data was processed. Consent by the data subject must be freely given, specific, informed, and unambiguous. If consent is made a condition of performing a contract, and the processing is not necessary for that contract, such consent cannot be said to be freely given. The data subject may withdraw her consent to the processing of her personal data at any time, and the data controller must make withdrawing consent as easy as giving it.
RIGHTS OF DATA SUBJECTS
GDPR grants the data subject certain rights that can be enforced against any organization collecting and processing their personal data. These rights are established to empower data subjects to ensure the privacy and protection of their personal data. The data subject must be informed of these rights at the time of the first communication from the controller. The supervisory authority is also responsible for ensuring that data subjects are aware of their rights.
Right to Access – The data subject has the right to learn whether his or her personal data is being processed and, if it is, to obtain information about the categories of data collected, the purpose of collection, the recipients of the personal data, the period for which the data will be stored, the existence of automated decision-making, and a few other rights.
Right to Erasure – The data subject has the right to ask for the erasure of personal data in cases where it is no longer needed, where consent has been withdrawn, where the data is unlawfully processed, or
Right of Rectification – The data subject has the right to have any incorrect personal data collected and stored by the data controller corrected. This right also includes having incomplete information collected and stored by the data controller completed.
Right to Object – The data subject has the right to object to the processing of his or her data on grounds relating to his or her particular situation. An objection may be raised where the data is processed for direct marketing purposes (including profiling for marketing), for a task carried out in the public interest, or for the legitimate interests of the controller. The data subject also has the right to object to the processing of personal data for statistical, historical, or scientific research purposes, unless the processing is necessary for a task carried out in the public interest.
Right to Restriction of Processing – The data subject has the right to ask the data controller to restrict the processing of her personal data where the personal data is incomplete, where the personal data is unlawfully processed, where a decision on an objection based on the controller’s legitimate interest is pending, and where the personal data is no longer needed for the purpose originally stated.
Right to Data Portability – Where data has been processed on the basis of consent, or for the performance of a contract to which the data subject is a party, the data subject is entitled to receive the data that a data controller holds on him and to have it transmitted without hindrance to another data controller. Processing that is necessary for the controller to perform a task in the public interest or to exercise official authority is exempt from this right.
A data controller can demonstrate compliance with GDPR by adhering to an approved code of conduct or an approved certification mechanism. Data controllers may engage only those data processors that offer sufficient guarantees of meeting GDPR requirements and protecting data subjects’ rights; a data processor that adheres to an approved code of conduct or certification mechanism is considered to provide such guarantees. A Data Protection Impact Assessment must be carried out where the processing is likely to result in a high risk to the rights of data subjects, or in the case of automated processing. A supervisory authority must also be established to monitor the enforcement of the regulation and to carry out other tasks that ensure the protection of data subjects’ personal data. Non-compliance with GDPR can attract fines of up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Data privacy as a domain is growing daily as public awareness increases. With advances in technology, especially in data analytics, where user data is used to provide services, it is important to maintain and enforce checks on the lawful use of user data. Companies must process user data not only on a lawful basis but also with complete transparency. To show that user data is protected and privacy is maintained, companies must demonstrate compliance with the data privacy laws of their own jurisdiction and of the jurisdictions in which they offer their services. GDPR has proven to be the gold standard for data protection regulation. Organizations cannot sustain the large fines it imposes, which drives them to comply with data protection law. Supervisory authorities have the power to investigate complaints of violations and grievances raised by data subjects, and they approve the codes of conduct and certification mechanisms that can be used to demonstrate compliance with GDPR. Organizations must follow Binding Corporate Rules when processing or handling personal data. All of these measures, and especially the size of the fines, lead most organizations to comply with GDPR.
Author(s) Name: Shardul Hande (Savitribai Phule Pune University)