Regulation (EU) 2016/679 of the European Parliament replaces the EU 1995 General Data Protection Regulation (GDPR). Unlike the 1995 GDPR, which was intended to be transposed into national laws, it applies uniformly across the European Union/European Economic Area. The Regulation codifies the protection of personal data pertaining to all people within the EU.
In 2012, the European Commission proposed a comprehensive reform of data protection in the European Union (EU). The goals of this reform are to “give citizens back control over their personal data, and to simplify the regulatory environment for business,” and in particular, to create a Digital Single Market with the same data protection rules across the EU.
Personal data means any data pertaining to an “identified or identifiable natural person.” This may include online identifiers such as IP addresses and cookie identifiers, which can be combined with other information to identify individuals.
Under the Regulation, the “controller” is the party that determines the purposes and means of processing personal data; this is usually the party that collects the data. A “processor” (or “third party”) is an entity engaged to process data on behalf of the controller. Controllers and processors share many of the same obligations under the Regulation, but controllers are additionally responsible for monitoring their processors’ compliance.
Personal data must be processed lawfully, fairly, and in a transparent manner. It can only be collected and processed for “specified, explicit and legitimate purposes,” and must not be further processed in ways inconsistent with the initial purposes. Data should be adequate, relevant, and necessary for the specified purposes. It should be accurate and, where necessary, kept up to date; inaccurate data must be rectified or erased without delay. Personal data should be kept only as long as necessary for the specified purposes, and must be protected from unlawful or unauthorized processing, loss, destruction, or damage. The controller is accountable for demonstrating compliance.
Consent must be established by a “clear affirmative act” that indicates “freely given, specific, informed and unambiguous” consent to the processing of one’s personal data. Information pertaining to consent should be clearly distinguishable from other matters included in a written declaration, and must be intelligible, easily accessible, in clear and plain language. Data subjects have the right to withdraw consent at any time, and withdrawing consent must be as simple as giving consent. Data subjects should not be compelled to disclose personal information unnecessary for service delivery in order to receive a service.
Personal data may only be lawfully processed if one of the following applies:
• The data subject has given consent to the processing of his/her personal data for specific purposes
• Processing personal data is necessary to perform a contract to which the data subject is party, or to take steps at the data subject’s request prior to entering a contract (e.g., processing personal data required for employment or insurance coverage)
• Processing is necessary for compliance with the controller’s legal obligations (under EU law, not other countries’ laws) (e.g., providing information to law enforcement authorities)
• Processing is necessary to protect the vital interests of the data subject or another natural person (e.g., reporting an imminent risk of suicide or homicide)
• Processing is necessary in the performance of a task in the public interest or in the exercise of official authority vested in the controller (e.g., tracking vaccine administration for public health purposes)
• Processing is necessary for legitimate interests of the controller or a third party that are not overridden by the data subject’s rights and freedoms
Even more stringent restrictions apply to sensitive “special categories” of data; that is, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, in addition to genetic data, biometric data for the purpose of identification, data concerning a person’s health, sex life or sexual orientation. Processing is only permitted with the data subject’s explicit consent for specific purposes, or for certain exceptional purposes, in legal, medical, and public health contexts, for example. Personal data related to criminal convictions and offences may only be processed under the control of official authority, or as authorized by EU or member state law.
Certain business practices common in North America are not aligned with the EU Data Protection Regulation. North American businesses that offer services to people in the EU or monitor their online behaviour will have to:
• Stop buying and selling personal data. Buying or selling e-mail lists, customer data collected through rewards programs, or personal information from social media accounts is not allowed.
• Know where your clients live. Organizations need to know which of their clients are covered by EU law, or choose to implement the Regulation across the board.
• Respond to requests from data subjects. Organizations that collect personal data and sub-contractors engaged to process it both need to be prepared to handle requests for data access, rectification, erasure, and more from individuals.
• Audit sub-contractors. Organizations that sub-contract data processing are liable for sub-contractors’ data protection practices, and are obligated to stipulate data protection measures in contracts and audit compliance with these provisions.
• Reconsider cloud services. Organizations are now responsible and liable for ensuring that they only entrust personal data to parties that will handle it in compliance with the Regulation. This may have serious implications for organizations that use US-based cloud services to manage personal data; most of these service providers do not have policies aligned with EU law.
Lecture 1: What is the GDPR?
What is the GDPR?
Introduction to the New EU Regulation:
Key Principles and Changes
In this lecture, you will learn:
1. What is the GDPR and what are its main requirements?
2. Does my organization need to comply with the new regulation?
3. What broad changes does the new regulation introduce?
4. What common business practices will need to change?
What is the GDPR?
• EU General Data Protection Regulation (1995) –
replaced by two new laws:
• Regulation (EU) 2016/679 of the European Parliament
“on the protection of natural persons with regard to
the processing of personal data and on the free
movement of such data”
• Directive (EU) 2016/680 (governs European law
Why new laws?
• 2012 – European Commission proposal for a
comprehensive reform of data protection
• “give citizens back control over their personal data, and
simplify the regulatory environment for business”
• Clarify individual rights in the digital age
• Create a “Digital Single Market” within the EU
Regulation (EU) 2016/679
• Codifies the protection of personal data pertaining
to all people within the EU
• Adopted on April 27, 2016
• Enters into force May 25, 2018
Regulation (EU) 2016/679
Underlying principle: Protection of personal data is a fundamental right
• Individual data subjects have fundamental rights
• Organizations that handle personal data are
responsible to provide for data subjects’ rights
What is personal data?
Data pertaining to an “identified or identifiable natural person”
• Includes online identifiers (IP
addresses, cookie identifiers)
What is processing of personal data?
Who are controllers and processors?
• Controller determines the purpose and means of
processing personal data; usually the collector of the data
• Processors are engaged to process data on behalf
of the controller
• Controllers are responsible for monitoring processors’ compliance
Does my company need to comply
with the new regulation?
• The Regulation applies to:
• All organizations established in the EU that
process personal data
• Processing of personal data by organizations
outside the EU that are offering goods or
services to people in the EU, or that are
monitoring the behaviour of people within
the EU (e.g., online tracking)
Key Principles of the Regulation
Limitation of Processing
• Personal data must be processed only for specified,
explicit and legitimate purposes
• Data must not be further processed in ways
inconsistent with the initial purposes
• Data should be adequate, relevant, and necessary
• Data should be accurate and kept up-to-date where necessary
• Data should be kept only as long as necessary
• A clear, affirmative act
• “freely given, specific, informed and unambiguous”
• Information related to consent should be clearly distinguishable from
other information in a notice
• Information must be intelligible, easily accessible, in clear and plain language
• Right to withdraw consent
• Services cannot be withheld on condition of consent
Age of Consent
• Age of consent for information society services (e.g., social media) is
16 unless a lower age (not lower than 13) is specified by an EU member state
• Parental consent required for children
• One of the following conditions must be met:
• Consent from the data subject
• Processing is necessary for a contract
• Processing is necessary for compliance with EU laws
• Processing is necessary to protect a person’s vital interests
• Processing in the public interest or exercise of official authority
• Legitimate interests of the controller or a third party that are not overridden
by the data subject’s rights and freedoms
Special Categories of Data
• Data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, in addition to
genetic data, biometric data for the purpose of identification, data
concerning a person’s health, sex life or sexual orientation
• Need data subject’s consent, except in certain legal, medical, and
public health contexts
Key Changes: New Rights and
From European Commission Fact Sheet:
Questions and Answers – Data Protection Reform. 21 Dec. 2015
1. Right to be Forgotten
2. Informed Consent
3. Right to Data Portability
4. Individual Breach Notification
5. Data Protection by Design and by Default
6. Mandatory Data Protection Officer
Right to Be Forgotten
• Personal data should be deleted when the data subject no longer
wants it to be processed, unless there is a legitimate reason to retain
the data (e.g., to complete a contract or comply with legal obligations)
• More information is to be made available to persons, in clear and
plain language, about how their personal data will be processed
• Will be enforced especially with regard to services intended for children
• Informed consent must be indicated by a clear affirmative action
Right to Data Portability
• Data subjects have a right to a copy of their personal data in an
appropriate format, and where possible, to transfer their data directly
from one service provider to another
• E.g., individuals should be able to transfer their photos from one social
network to another
Individual Breach Notification
• Data subjects have a right to be notified personally of data breaches
that pose a risk to their rights and freedoms, without undue delay
Data Protection by Design and by Default
• Mandates the implementation of data protection by
design and by default
• Recommends technical safeguards such as anonymization,
pseudonymization, and encryption as well as organizational measures
Mandatory Data Protection Officer (DPO)
• Under Article 37, a DPO appointment is required if an
organization’s core activities consist of regular and
systematic monitoring of personal data on a large scale
(both data controllers and processors)
• Also where processing involves profiling or special categories of data
• Precise credentials are not provided, but the DPO should
have “expert knowledge of data protection law and practices”
Data Protection Officer Responsibilities
• Informing and advising the organization of their obligations to
comply with the GDPR and other data protection laws.
• Monitoring compliance with the GDPR and other privacy laws,
including managing internal data protection activities, training data
processing staff, and conducting internal audits.
• Advising or conducting data protection impact assessments (DPIAs)
• Working and cooperating with the controller’s or processor’s
designated supervisory authority and acting as the contact point for
the supervisory authority on issues relating to the processing of personal data
• Being available for inquiries from data subjects
• Violation of key provisions can be punished by fines of up to €20
million or 4% of worldwide annual turnover for the preceding
financial year, whichever is greater
• Burden is on the data controller to prove no liability
How companies are responding:
• Stop buying and selling personal data (e.g., email lists, customer data,
social media data)
• Know where your clients live (or implement EU requirements across the board)
• Prepare to respond to requests from data subjects (e.g., access, rectification, erasure)
• Audit sub-contractors for compliance
• Reconsider cloud services