If you do business in the European Union, you have to be familiar with the European GDPR (General Data Protection Regulation). This article is designed to give an overview of the Regulation. It does not give legal advice to any one person or company. If you have any questions about the need to comply or whether you are in compliance, please see an attorney.
The European GDPR goes into effect May 25, 2018. Its goal is to standardize the data protection requirements of the countries of the EU and to give consumers transparency and control over the data that organizations collect about them. It covers the 28 countries in the EU as well as Liechtenstein, Iceland, and Norway.
A business established outside the EU is not exempt: the Regulation also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there (Article 3(2)).
At the end of this article we have links to the text of the Regulation, as well as a few other articles that may be helpful in understanding it and how to prepare.
The Regulation limits the ability to collect and retain personal data. Personal data is defined as (Article 4(1)):
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
You have to have a lawful basis for collecting personal data. The lawful basis must be determined in advance, must be documented, and cannot be changed after it has been established unless there is a clear link between the original purpose and the new one. If you collected the data on the basis of consent and want to use it for a new purpose, you must contact the person and obtain fresh consent.
There are 6 lawful bases for collecting data (Article 6):
1. Consent: If you have received clear and unambiguous consent from the person. This consent must be actively given, i.e. they must check the box giving you permission. Pre-checked boxes (or anything of that sort) are not allowed.
2. Contract: If it is necessary in order to perform a contract you have with the person, or to take steps at their request before entering into one.
3. Legal Obligation: If it is necessary in order to comply with the law.
4. Vital Interest: If it is necessary to protect someone’s life.
5. Public Task: If you need it in order to perform a task in the public interest or in the exercise of official authority.
6. Legitimate interests: The information is necessary for your legitimate interests, unless there is good reason to protect the individual’s personal data which overrides your legitimate interests.
Article 13 covers the information you must give people when you collect their personal data from them (Article 14 covers the case where the data was not obtained from the person directly).
This includes:
- your intended purposes for processing the personal data,
- the lawful basis for the processing,
- the right of the individual to lodge a complaint with a supervisory authority,
- the people or organizations who will receive the data.
See Article 13 for the complete list.
The Rights of the Individual
The GDPR provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
These rights are explained in detail in Articles 12 through 22 (Chapter III of the Regulation).
Records to be maintained:
It is very important that you keep proper documentation about your data collection activities. Article 30 goes into detail regarding the required documentation you must maintain.
It includes:
- The name and contact details of the “controller” (the organization that decides why and how the data is processed) and, where applicable, of any joint controller, the controller's representative and the data protection officer. A “processor” that handles data on a controller's behalf must keep its own record (Article 30(2))
- Why you are collecting the data
- The intended recipients of the data
- Where possible, the length of time you intend to keep each category of data
Please see Article 30 for an exhaustive list.
We hope this has been a helpful introduction to the requirements of the GDPR. The Regulation itself is relatively easy to read and understand. We encourage you to become familiar with its requirements if you do business with anyone in the European Union.
Again, this is not meant to contain any specific legal advice. For legal questions, please see an attorney.
Additional resources:
The full text of the regulation is here
The ICO also has a guide explaining the 12 steps you need to take to get ready.
To see how Commission Junction is responding to the Regulation, go here.