General Data Protection Regulation (GDPR)

Abstract –

The General Data Protection Regulation (GDPR), a set of rules designed to give people in the EU more control over their personal data, is the most consequential change to European Union (EU) data protection law in the last two decades. It replaced the Data Protection Directive 95/46/EC of 1995 and strengthened data protection by applying to every organisation that processes the personal data of individuals in the EU, regardless of where the organisation is established. This article presents the most significant parts and topics of the regulation and assesses its results and actual impact.

Introduction – 

The EU General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world. It updated and modernised the principles of the 1995 Data Protection Directive. It was adopted on 27 April 2016 and has applied since 25 May 2018. The GDPR defines:

  • individuals’ fundamental rights in the digital age
  • the obligations of those processing data
  • methods for ensuring compliance
  • sanctions for those in breach of the rules

The GDPR replaced the earlier Data Protection Directive and regulates how organisations collect, process and use personal data, whether gathered online or offline. It applies to processing carried out wholly or partly by automated means, and to manual processing of personal data that forms part of a filing system (Article 2(1)).

Rights Under GDPR

The GDPR grants individuals the rights listed below. Each right has limits on the circumstances in which it can be exercised: a controller may refuse to act on a request that is “manifestly unfounded or excessive”, in particular because of its repetitive character, or may charge a reasonable fee for it (Article 12(5)). One practical caveat: a forged access or portability request is an easy way to obtain somebody else’s data, so the controller should verify the identity of the requester before responding, which Article 12(6) expressly permits where it has reasonable doubts.

  • The Right To Be Informed - Individuals have the right to be informed about the collection and use of their personal data (Articles 12 to 14). The information must be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
  • The Right Of Access - Individuals have the right to confirm whether an organisation is processing their personal data, to access the data it holds about them and obtain a copy, and to be told the purposes, the recipients, the retention period and, for transfers to third countries, the safeguards applied (Article 15).
  • The Right To Rectification - Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete (Article 16).
  • The Right To Erasure - The controller must erase personal data without undue delay at the data subject’s request when one of the grounds in Article 17(1) applies, for example because the data is no longer necessary for its purpose or consent has been withdrawn. The right is not absolute: Article 17(3) preserves processing needed for freedom of expression, compliance with a legal obligation or legal claims, among others. The right to erasure is also known as “the right to be forgotten”.
  • The Right To Restrict Processing - Individuals have the right to request the restriction or suppression of their personal data (Article 18). Data subjects must be informed before any such restriction is lifted (Article 18(3)).
  • Rights In Relation To Automated Decision Making And Profiling - Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
  • The Right To Object - Individuals have the right to object to the processing of their personal data in certain circumstances (Article 21). The right to object to processing for direct marketing purposes is absolute.
  • The Right To Data Portability - Individuals have the right to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format and to reuse it across different services, and to transmit it to another controller without hindrance (Article 20). Where technically feasible, they can require the data to be transmitted directly from one controller to another. The right applies to processing based on consent or on a contract and carried out by automated means.

 

GDPR COMPONENTS

  1. Personal data

The GDPR applies to personal data, meaning any information relating to an identified or identifiable natural person (Article 4(1)). Special categories of personal data (Article 9), such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for identification, health data and data concerning sex life or sexual orientation, may only be processed where one of the exceptions in Article 9(2) applies, and warrant stronger safeguards such as encryption and tighter access control. Privacy notices are how controllers meet their transparency obligations (Articles 13 and 14) by describing their processing practices to users. Websites must also display a cookie consent notice, or cookie banner, covering cookies set by the site and by associated third parties. Strictly, that requirement comes from the ePrivacy Directive (2002/58/EC, Article 5(3)), which requires consent before information is stored on or read from a user’s device unless this is strictly necessary for a service the user requested, even where that information is not personal data; the GDPR supplies the standard of valid consent (Article 4(11) and Article 7).

  2. Data Processing

According to Article 4(2), processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  3. Data Controller

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)); a processor processes personal data on the controller’s behalf (Article 4(8)). The controller carries primary responsibility for the seven processing principles of Article 5 and for demonstrating compliance with them. The privacy notice must identify the controller and give its contact details, because it is the controller that decides how the data will be used and the entity against which data subjects exercise their rights.

  4. Contracts

The GDPR mandates written contracts between controllers and processors (Article 28(3)), with specific minimum terms to ensure that processing meets all GDPR requirements, including the security of personal data. Contracts must define the subject matter and duration of the processing, its purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller. They must also cover security measures, the use of sub-processors, assistance with data subjects’ rights, what happens to the data at the end of the contract, and the processor’s duty to make available the information needed to demonstrate compliance and to allow for and contribute to audits and inspections.

  5. Data Protection Officer (DPO)

The GDPR requires a data protection officer (Article 37) where the processing is carried out by a public authority, where the core activities consist of regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions. The DPO may be an employee or a contractor. DPOs advise on GDPR obligations, monitor compliance and train staff; they report to the highest management level, must operate independently and must be given sufficient resources (Articles 38 and 39).

GDPR PRINCIPLES

Article 5(1) and 5(2) of the GDPR set out seven protection and accountability principles that anyone processing personal data must follow:

  • Lawfulness, fairness and transparency - Processing must rest on a lawful basis (Article 6), be fair, and be explained to the individual: what data is used, for what purpose and how.
  • Purpose limitation - Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible, provided the safeguards of Article 89(1) are in place.
  • Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be identified early so that it is erased or rectified without delay.
  • Storage limitation - Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the specified purpose. It may be stored for longer periods only insofar as it will be processed solely for archiving in the public interest, scientific or historical research or statistical purposes, subject to the safeguards required by Article 89(1).
  • Integrity and confidentiality - Personal data must be processed with appropriate security, using technical and organisational measures, to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Accountability - The controller must be able to demonstrate that its processing complies with the principles above (Article 5(2)).

 

GDPR - DATA PROTECTION AUTHORITIES

  • Responsibilities of DPAs - To apply the regulation and protect the rights and freedoms of individuals, each Member State must establish one or more independent supervisory authorities, referred to here as Data Protection Authorities (DPAs).
  • Jurisdiction - Each DPA exercises its powers on the territory of its own Member State. Under the “One-Stop-Shop”, a lead DPA’s regulatory actions may nonetheless affect processing in other Member States.
  • The “One-Stop-Shop” - Identifying a lead DPA is only relevant where a controller or processor established in the EU carries out cross-border processing of personal data. Where a controller has establishments in several Member States, the DPA of the Member State in which its main establishment is located acts as lead DPA, and is competent to regulate the controller’s cross-border processing across all Member States (Article 56).
  • Independence - Each DPA must act with complete independence in carrying out its functions.
  • Powers of DPAs - DPAs are empowered to supervise the application of the GDPR, investigate infringements, impose administrative fines, and bring infringements to the attention of the judicial authorities or commence legal proceedings where necessary (Article 58).
  • Activity reports - Each DPA must draw up an annual report on its activities and make it available to the public.
  • EU-level DPA coordination - The European Data Protection Board (EDPB) is composed of the head of one supervisory authority of each Member State and the European Data Protection Supervisor, or their representatives. Besides providing guidance, it takes part in enforcement: it issues binding decisions when DPAs disagree about a cross-border case (Article 65). Where a Member State has more than one DPA (Germany, for example, has a DPA in each Bundesland as well as a federal one), a single joint representative is appointed to the EDPB.
  • DPA cooperation - DPAs are required to cooperate and provide each other with mutual assistance, and they have the formal legal authority to carry out joint operations.
  • Consistency mechanism - Where an organisation engages in cross-border processing that affects data subjects in several Member States, a DPA that wishes to act must consult the other affected DPAs so that the GDPR is applied consistently.

 

GDPR - ISSUES RELATED TO NATIONAL LAW

  • Out-of-scope areas of law - Processing activities that fall outside the scope of EU law are not subject to the GDPR (Article 2(2)).
  • Processing of personal data and freedom of expression and information - Member States must reconcile, by law, the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic, academic, artistic or literary purposes (Article 85).
  • Personal data contained in official documents - Personal data in official documents held by a public authority or public body may be disclosed in accordance with national law on public access to official documents, in order to reconcile public access with the right to the protection of personal data (Article 86).
  • Processing of national ID numbers - Member States may determine the conditions under which national identification numbers may be processed, subject to appropriate safeguards for the rights and freedoms of data subjects (Article 87).
  • Processing in the employment context - Member States may adopt more specific rules, by law or by collective agreement, on the processing of employees’ personal data; these must include suitable and specific safeguards, and Member States must notify the Commission of those provisions (Article 88).
  • Personal data processing for scientific, historical or statistical purposes - Subject to the safeguards of Article 89(1), Member States may provide derogations from the rights of access, rectification, restriction and objection where those rights are likely to render impossible or seriously impair the achievement of the research, statistical or archiving purposes (Article 89(2) and (3)).
  • Obligations of professional secrecy - Member States may adopt specific rules for controllers or processors subject to professional secrecy obligations and must notify the Commission of them (Article 90).
  • Personal data processing in the context of churches and religious associations - Where churches and religious associations or communities in a Member State apply comprehensive rules on the processing of personal data, those rules may continue to apply provided they are brought into line with the GDPR. Such churches and associations are subject to the supervision of an independent supervisory authority (Article 91).

 

Concept and Provisions of GDPR

  • The General Data Protection Regulation is a law that sets rules for the collection and processing of personal data relating to individuals.
  • The law was adopted in 2016 but did not become applicable until May 2018.
  • The GDPR gives individuals more control over how their personal data is handled and shared by organisations.
  • Organisations must tell individuals what they do with their data, and must inform them of a personal data breach when it is likely to result in a high risk to their rights and freedoms (Article 34).
  • The GDPR also applies to organisations, including websites, established outside the EU when they offer goods or services to people in the EU or monitor their behaviour (Article 3(2)).
  • Processing requires a lawful basis, such as the consent of the data subject.
  • Collected data should be pseudonymised or anonymised to protect privacy.
  • Data breaches must be notified to the supervisory authority.
  • Transfers of personal data across borders must be handled safely.
  • Certain organisations must appoint a data protection officer to oversee GDPR compliance.
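Pseudonymisation is the concrete technique behind the point about anonymising collected data, and the one Article 32(1)(a) names alongside encryption as an appropriate security measure. The following is an added example and not code from the original post; it uses only the Python standard library and constructed sample records, and the purposes “analytics” and “marketing” are illustrative. It shows that an unkeyed hash of an e-mail address can be reversed by guessing, while an HMAC under a secret key gives a consistent pseudonym that keeps records linkable, and that deriving one key per purpose keeps data sets for different purposes unlinkable. The caveat a practitioner needs: pseudonymised data is still personal data (Article 4(5), Recital 26), so the key must be stored separately and under access control.

```python
"""Pseudonymisation vs. anonymisation of identifiers (added example).

Unkeyed hashing of an identifier is not anonymisation: the hash can be
recomputed from a guess. A keyed HMAC gives a consistent pseudonym whose
re-identification capability stays with whoever holds the key, and a
separate key per processing purpose stops data sets from being joined.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records for the demo; not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.com", "plan": "free", "country": "FR"},
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
]


def normalise(identifier: str) -> bytes:
    """Canonical form so that 'Alice@Example.com' and 'alice@example.com' match."""
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and public, so anyone can test guesses."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def reverse_naive_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: with a list of likely addresses an attacker recovers
    the original from an unkeyed hash. Hashing alone does not anonymise."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), digest):
            return candidate
    return None


def new_master_key() -> bytes:
    """256-bit secret; store it separately from the pseudonymised data set."""
    return secrets.token_bytes(32)


def derive_purpose_key(master_key: bytes, purpose: str) -> bytes:
    """One key per purpose (purpose limitation): records pseudonymised for
    'analytics' cannot be joined with 'marketing' records without the master key."""
    return hmac.new(master_key, b"purpose:" + purpose.encode("utf-8"), hashlib.sha256).digest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym truncated to 128 bits. Without the key a guess
    cannot be turned into the pseudonym, so dictionary attacks fail."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()[:32]


def pseudonymise_records(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a pseudonym and keep only the
    attributes needed for the stated purpose (data minimisation)."""
    return [
        {"subject_id": pseudonymise(r["email"], key), "plan": r["plan"], "country": r["country"]}
        for r in records
    ]


def reidentify(pseudonym: str, key: bytes, known_subjects: Iterable[str]) -> Optional[str]:
    """The key holder can still link a pseudonym back to a person, e.g. to
    honour an erasure request; this is why the data remain personal data."""
    for subject in known_subjects:
        if hmac.compare_digest(pseudonymise(subject, key), pseudonym):
            return subject
    return None


if __name__ == "__main__":
    guesses = ["carol@example.com", "alice@example.com", "dave@example.com"]
    print("unkeyed hash reversed to:", reverse_naive_hash(naive_hash("alice@example.com"), guesses))

    master = new_master_key()
    analytics_key = derive_purpose_key(master, "analytics")
    marketing_key = derive_purpose_key(master, "marketing")
    table = pseudonymise_records(SAMPLE_RECORDS, analytics_key)
    print("analytics table:", table)
    # Same person, different purpose: the pseudonyms differ, so the sets cannot be joined.
    print("cross-purpose linkable:",
          pseudonymise("alice@example.com", analytics_key) == pseudonymise("alice@example.com", marketing_key))
    print("re-identified by key holder:", reidentify(table[0]["subject_id"], analytics_key, guesses))
```

Run it as a script to see the unkeyed hash fall to a three-entry guess list while the keyed pseudonym does not. In a real deployment the master key belongs in a key management service, the per-purpose keys are derived on demand, and the analytics team receives only the pseudonymised table; whoever needs to act on an access or erasure request uses the key holder’s lookup, never a copy of the key.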

 

How to comply with GDPR as a small business

  1. Know the data you hold: what personal data you collect, why, where it is stored and who can access it.
  2. Secure your website (HTTPS, patched software, restricted administrative access).
  3. Update your privacy policy.
  4. Get consent before sending marketing emails.
  5. Add a cookie banner.
  6. Check that the forms on your website collect only the data you need.
  7. Review data processors and third-party services, and put Article 28 contracts in place with them.
  8. Review international data transfers and the safeguards that cover them.
  9. Provide a process for handling data subject rights requests.
  10. Prepare to detect, assess, contain and report data breaches.

 

Risk and penalties pertaining to GDPR

Processing personal data can pose risks to individuals’ rights and freedoms that may result in physical, material or non-material damage: discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy, unauthorised reversal of pseudonymisation, and other economic or social disadvantages (Recital 75). The risk is higher where the processing reveals special categories of data such as race, religion, political opinions or health, or where personal aspects such as work performance, economic situation, health or personal preferences are evaluated in order to create or use personal profiles.

For the most serious infringements, listed in Article 83(5) GDPR, fines can reach 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Even the catalogue of less severe infringements in Article 83(4) GDPR provides for fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

 

Drafting a Privacy Policy as per GDPR

  1. Privacy statement

The protection of your personal data is of great importance to Fellon Limited (“Company”) and its affiliates in the European Economic Area (the “EEA”) (together, the “Company Group”). This privacy policy (the “Privacy Policy”) therefore intends to inform you about how the Company Group entities, acting as data controller, collect and process the personal data that you submit or disclose to us. We also act as a data controller when we process your personal data received or obtained through third parties. We process this personal data in accordance with the applicable EU and Member State regulations on data protection, in particular the General Data Protection Regulation (EU) 2016/679 (the “GDPR”). We encourage you to read this Privacy Policy carefully. If you do not wish your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that in such a case we may not be able to provide you with our services, you may not have access to and/or be able to use some features of the Website, and your customer experience may be impacted.

  2. How do we use your personal data?

We will always process your personal data on one of the legal bases provided for in the GDPR (Articles 6 and 7). In addition, we will always process your sensitive personal data, for example concerning your trade union membership, religious views or health condition, in accordance with the special rules provided for in the GDPR (Articles 9 and 10). We may collect and process your personal data for the purposes detailed below, which are required so that we can pursue our legitimate interests and provide you with adequate services and products:

a. To ensure that content from our site is presented in the most effective manner for you;
b. To notify you about changes to our service(s);
c. To manage your customer account;
d. To offer you products and services;
e. To inform you about our policies and terms.

  3. What type of personal data do we use?

For the purposes specified under this Privacy Policy, we may collect the following categories of personal data:
a. Name and surname,
b. Title,
c. Home address,
d. Identification number (e.g., customer number),
e. Location data,
f. Email address (personal/professional),
g. Telephone number (personal/professional),
h. Employer,
i. Credit card/bank account information,
j. Recorded customer phone calls,
k. Records of employee performance assessment,
l. Recruitment information (e.g., CV, certificates, marital status, date of birth, reference letters).
We can obtain such personal data either directly from you when you decide to communicate it to us (for example, when you fill in forms displayed on the Website) or indirectly where it is provided to us by your electronic communication terminal equipment or your Internet browser. We ensure that the personal data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

  4. How do we share your personal data?

We may share your personal data with Company Group entities and with third parties in accordance with the GDPR. Where we share your data with a data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing (Articles 26, 28 and 29 GDPR). Furthermore, where we share your data with any entity outside the EEA, we will put appropriate legal frameworks in place, notably controller-to-controller and controller-to-processor Standard Contractual Clauses approved by the European Commission, in order to cover such transfers (Articles 44 and 46 GDPR).

  5. Our records of data processing

We keep records of all processing of personal data in accordance with the obligations established by the GDPR (Article 30), both where we act as a controller and where we act as a processor. In these records we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required (Article 31 GDPR).

  6. Security measures

We process your personal data in a manner that ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We use appropriate technical and organisational measures to achieve this level of protection (Articles 25(1) and 32 GDPR). We will retain your personal information for as long as is necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

  7. Notification of data breaches to the competent supervisory authorities

In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have mechanisms and policies in place to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notification to the competent supervisory authority, where feasible within 72 hours of becoming aware of the breach, and communicate with the affected data subjects, which might include you (Articles 33 and 34 GDPR).

  8. Processing likely to result in a high risk to your rights and freedoms

We have mechanisms and policies in place to identify data processing activities that may result in a high risk to your rights and freedoms (Article 35 GDPR). If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR and that appropriate technical and organisational safeguards are in place before proceeding with it. In case of doubt, we will consult the competent data protection supervisory authority in order to obtain its advice and recommendations (Article 36 GDPR).

  9. Links to other sites

We may provide hypertext links from the website on which this policy is published to third-party websites or internet sources. We do not control and cannot be held liable for third parties’ privacy practices and content. Please read their privacy policies carefully to find out how they collect and process your personal data.

  10. Updates to this Privacy Policy

We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy. If we make changes which we believe are significant, we will inform you through the Website to the extent possible and seek your consent where applicable.

 

Conclusion

The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world, regulating how organisations process and use the personal data they collect from individuals. It was adopted by the European Union in April 2016 and has applied since 25 May 2018. The GDPR gives individuals the right to be informed about the collection and use of their data, to access the data an organisation holds about them, to have inaccurate data rectified, to have personal data erased without undue delay where a ground for erasure applies, and to request the restriction of processing. Each of these rights has limits, however: the right to erasure yields to competing obligations such as legal retention duties, and a controller may refuse a request that is manifestly unfounded or excessive.

 
