General Data Protection Regulation (GDPR)

What You Need to Know About GDPR:

To Whom Does the GDPR Apply?

The GDPR is extremely broad! 

The GDPR applies if an organization:

  • Processes personal information and is located in the EU, irrespective of where the data processing physically occurs; or 
  • Is based outside of the EU but processes personal information as part of offering of goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.

In plain English, the GDPR created rules for essentially any organization that handles personal information of an individual in the EU.

What are “Data Processors” and “Data Controllers”?

The terms data processor and data controller are important to organizations trying to understand how GDPR affects them. Under GDPR, a data controller is the entity responsible for making decisions about personal information, like how it will be collected, used, shared, retained, destroyed. If something goes wrong – i.e., a data breach or mishandling of data – they’re on the hook.

A data processor, on the other hand, is simply that: a party that processes the data on behalf of the data controller. They are contracted by the data controller to process the personal information only as instructed and only for the purposes of the controller, among other obligations. 

Companies need to determine if they are a “data processor” or a “data controller” because the law applies differently to each type of entity. Most of the GDPR’s compliance obligations attach to the data controller, however processors have some too.

When Does the GDPR Not Apply?

The GDPR offers very few exemptions from its scope, including: 

  • Personal or Household Activities: processing of personal information by an individual as part of a purely personal or household activity are out the GDPR’s scope;
    • Think: maintaining your own digital address book on your laptop. Your friend cannot utilize their GDPR right to delete to make you delete their phone number! 
  • Processing that is part of an activity that falls outside the scope of EU law;
    • Think: activities of an EU member state as it relates to their national criminal law.
  • Processing by competent authorities for certain criminal justice purposes and public security;
  • Certain processing by EU member states.

Small Business record-keeping exemption: Organizations employing less than 250 people are exempt from the requirement to maintain Records of Processing Activities (ROPAs), unless the processing they conduct represents a high risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (sensitive data) or data relating to criminal convictions and offenses. We recommend all companies perform ROPAs because it helps them comply with other obligations under GDPR and also manage special categories of employee data effectively.

Unique Use Cases and personal information: The GDPR has rules related to specific use cases, including: 

  • Journalistic purposes or  academic, artistic, or literary expression:
  • Official documents (Article 86);
  • Processing in the context of employment (Article 88):
    • EU Member States can set rules for processing employees’ personal information, especially regarding consent conditions. These rules may include purposes like recruitment, contract performance, legal obligations, workplace management, equality, health, safety, and employment rights. They also cover processing information for employment termination.
  • Archiving In the public interest, scientific or historical research purposes or statistical purposes

Key Components of GDPR

What Constitutes Personal Information?

The GDPR covers “personal data,” or personal information, which is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


What Constitutes Special Categories of Personal Information under the GDPR?

Certain types of personal information are granted additional protection under the GDPR. These special categories are roughly equivalent to the US concept of sensitive personal information. Organizations are prohibited (unless below exceptions apply) from processing the following categories of personal information:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs; 
  • Trade union membership;
  • Genetic data or biometric data for the purpose of uniquely identifying a natural person;
  • Health data;
  • Sex life or sexual orientation

The processing of special categories of information is allowed in the following circumstances:

  • With the explicit consent of the data subject;
  • Where it is required by employment or social security and protection law;
  • The protection of vital interests;
  •  Limited activities of certain non-profits;
  • Where the data was made publicly available by the data subject;
  • Legal claims;
  • Substantial public interest or public health;
  • Certain healthcare scenarios; or
  • Archiving, research, and statistics in the public interest. 
Any Other Categories of Data I Should Think About?

The GDPR has specific rules for the processing of data related to criminal convictions and offenses.  

Fully anonymized data is not personal information under the GDPR and is therefore outside of its scope. 

Pseudonymized data, however, remains in scope. Pseudonymised data is data that has been processed such that the personal information can no longer be attributed to a specific data subject without the use of additional information, provided that (a) such additional information is kept separately, and (b) it is subject to technical and organizational measures to ensure that the personal information are not attributed to an identified or identifiable individual

For example: if the source data for the data that was anonymized still exists in a manner that can be used to identify an individual from the anonymized data, then the data is only pseudonymized and is subject to the GDPR. 

Is Consent Needed to Process Sensitive Personal Information?

In a word: Mostly! An organization must obtain express consent for processing sensitive personal information unless it meets the criteria for another exception to the prohibition on processing it (think, processing personal data is justified for legal, vital, public interest, medical, or research purposes, among others).

Is Consent Needed for any other Processing?

Unlike in the US, the GDPR requires a legal basis to process personal information. Consent is one legal basis. Therefore, unless another basis to process exists, consent is needed. The six legal basis are: 

  • Consent
  • Contractual obligations
  • Legal obligations
  • Vital interests (think the need to save a person’s life or prevent severe harm) 
  • Public interest
  • Legitimate interests (processing activities that a data subject would typically anticipate from an organization they provide their personal data to, such as fraud prevention) 

Additionally, under the ePrivacy Directive (another EU law that complements the GDPR), organizations most often need to obtain consent to place cookies on a device. The opt-in rules vary by country and B2B or B2C.

What Needs to be Included in the Privacy Notice?

A privacy notice must:

  • Be concise, transparent, intelligible, and in an easily accessible form
  • Be written in clear and plain language, particularly where the information is being provided to a child
  • Contain: 
    • The organization’s name and contact information, including its EU representative and Data Protection Officer where applicable;
    • The purposes for processing personal information;
    • The legal basis used for processing;
    • The legitimate interests (where applicable);
    • Recipients or categories of recipients of personal information;
    • Details about any transfers of personal information to countries outside the EEA and the safeguards that are in place;
    • Retention period or the criteria used to determine this period;
    • Data subject rights;
    • The right to withdraw consent at any time;
    • The right to file a complaint with a supervisory authority;
    • Whether providing personal information is required by law or contract, and the potential consequences of not providing the data (unless the data is obtained via another organization, then replace this with the categories of personal information obtained); and
    • The existence of automated decision-making, including profiling, and the logic, significance, and potential consequences of the decision-making
What Constitutes a Sale of Personal Information?

Unlike in the US, the GDPR does not specifically regulate the sale of personal information. Data subjects have a broad right to object to processing of their personal information, including sale. In this way, a sale is treated like any other processing of data and must be both fair and lawful, which means organizations need to have a purpose and legal basis for selling personal information.

How is the GDPR enforced?

The GDPR is enforced by national data protection authorities (DPAs), also referred to as supervisory authorities, within each EU member state. DPAs have the power to investigate,order compliance and issue fines up to €20 million or 4% of a company’s global annual turnover. 

Multiple DPAs may be involved in an enforcement case, in this situation the  European Data Protection Board (EDPB) works with them to ensure consistent application of the regulation across the EU.

Data Privacy is Just Good Business