Key Concepts and Implications
On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect across Europe, requiring global businesses handling information from EU citizens to demonstrate compliance. This regulation introduced several significant updates, including an expanded definition of personal data. Recognizing what constitutes personal data is crucial in delineating an organization’s data scope.
Personal Data under GDPR encompasses information related to a natural person that directly or indirectly identifies them, such as a name, ID number, location data, or unique identifier. Once this understanding is established, it’s essential to grasp the data processing concepts and the responsible roles.
GDPR Terminology:
Controller:
- The entity (individual or organization) that determines the purpose and means of personal data processing.
Processor:
- The entity that processes personal data on the controller’s behalf.
Processing:
- Any operation on personal data, automated or not, including collection, recording, organization, storage, retrieval, transmission, and erasure.
Controllers selecting processors to handle data must agree to a contract ensuring the same data protection level as mandated by the regulation. This safeguards controllers from bearing total penalties if processors breach the law.
The Right to Data Erasure:
The right to erasure, also known as the ‘right to be forgotten,’ extends the existing requirement in the Data Protection Directive. This right allows consumers to request their data’s effective disposal. The GDPR broadens this right to cover data present on the internet. Individuals can request removal of their data from the public domain under specific circumstances.
The Right to Erasure Applies When:
- The individual withdraws consent.
- The individual objects to processing and there is no overriding legitimate interest.
- Personal data is unlawfully processed.
- Personal data is processed in connection with the offer of security services to a minor.
Unlike the Data Protection Directive, GDPR doesn’t limit erasure to cases of substantial distress or damage; however, these factors strengthen the case. In some instances where erasure doesn’t apply, organizations can refuse requests.
Organizations Can Refuse Erasure When Personal Data is Processed for:
- Legal claims defence.
- Public health reasons in the public interest.
- Archiving purposes (e.g., research or statistics).
- Exercising the right to freedom of expression and information.
- Legal obligations or public interest tasks.
Embracing GDPR’s nuanced language empowers businesses to navigate complex data protection requirements while ensuring compliance and bolstering consumer trust.