Last Updated: May 25, 2018
- What is the GDPR?
The General Data Protection Regulation (GDPR) is a law adopted by the European Union in 2016. It is designed to ensure the security of personal data and to grant individuals various rights over their data. The GDPR became enforceable on May 25, 2018.
- Key terms under the GDPR
- Who is affected by GDPR?
The GDPR protects the personal data of European Union data subjects regardless of whether the organizations controlling or processing that data are located in the European Union. It applies to organizations established in the European Union, and to organizations outside the European Union that offer goods or services to European Union data subjects or monitor their behaviour.
- What are the rights of individuals under the GDPR?
Individuals in the European Union are afforded certain rights under the GDPR. These rights include:
- The Right to be Informed. Under the GDPR, data subjects in the European Union have the right to be provided, in a concise and clear way, information about a controller’s processing activities, their personal data and how it might be used. This right is afforded so that individuals may make more informed decisions about the scope and consequences of the data they provide.
- The Right to Access. Data subjects must be afforded the right to access their personal data, both to confirm that it is being processed and to understand why it is being processed.
- The Right to Rectification. Data subjects may request that their information be corrected if it is inaccurate, or completed if it is incomplete.
- The Right to Erasure. Also known as the "right to be forgotten," this right is not absolute, but it does allow individuals to request that their information be deleted when there is no longer a compelling reason to process it.
- The Right to Restrict Processing. In certain circumstances, data subjects may restrict the processing of their personal data.
- The Right to Data Portability. Data subjects may obtain a copy of the personal data they have provided to a controller in a commonly used, machine-readable format, and may ask the controller to transmit it to another service provider.
- The Right to Object. Data subjects are permitted to object to processing activities such as processing activities related to direct marketing purposes.
- What are the legal bases under the GDPR for processing an EU data subject’s personal data?
Article 6(1)(a) to (f) of the GDPR sets out the lawful bases on which a controller may process a data subject's personal data. These are:
- Consent – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Contract – processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before entering into a contract;
- Legal Obligation – processing is required to comply with a legal obligation to which a controller is subject;
- Vital Interests – processing is necessary to protect a vital interest of the data subject or another person (such as to protect someone's life);
- Public Task – processing data is necessary to perform a task carried out in the public interest or in the exercise of official authority;
- Legitimate Interests – processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Special category data (such as data revealing racial or ethnic origin, political opinions or religious beliefs, and biometric data processed to uniquely identify a person) is not covered by Article 6 alone. To process it lawfully, a controller must also satisfy one of the separate conditions set out in Article 9 of the GDPR.
- Meta and the GDPR