Is your company ready and well positioned for the multitude of requirements and changes? What do terms such as marketplace principle, privacy by design, personal data, reservation of consent, right to be forgotten, child consent, 20 million euro sanction mean? This three-part series of articles deals with the big questions raised by the European General Data Protection Regulation (EU GDPR): the new components, special features and some terms are briefly explained here. The first part provides a concrete overview of the EU GDPR and the data that is affected by it, its purpose and scope.
The European General Data Protection Regulation (EU GDPR) will apply in six months' time
After a transitional period of two years, the EU GDPR will apply from May 25, 2018. The EU GDPR is valid in all European countries and beyond.
With the Regulation, the European Commission provides a uniform legal basis for Europe with 99 Articles and 173 Recitals, which supersedes national regulations and is directly applicable.
EU GDPR validity: the marketplace principle
The legal validity concerns all 27 EU member states according to the establishment principle, as well as all services that are offered here. This means that it no longer matters whether the servers are located in Luxembourg, Ireland or Silicon Valley; the place from or for which the goods (services) are offered is decisive. This is the marketplace principle. Providers must comply with the EU GDPR and be equipped in accordance with the GDPR.
Every item of personal data that is processed in Europe on websites, social media or search engines, as well as all personal data that is processed in other IT applications and services in the EU or made available for the European market, is bound by the EU GDPR.
Personal data
According to the principle of data protection, the processing of personal data was and is prohibited. In detail, this is a prohibition with reservation of permission. But what is personal data? What exactly is meant by reservation of permission?
Article 4 No. 1 states that data which "... relate to an identified or identifiable natural person ..." - i.e. data that would allow conclusions to be drawn about a specific natural person - are personal data. The reservation of permission is in turn linked to the intended purpose.
Intended use
For every processing of personal data there is a purpose, i.e. the reason why this item of data is used and why, despite the requirement of data economy, it is absolutely necessary for processing. The data may then only be used for this purpose.
In Article 5, "Principles for the processing of personal data", these principles are listed in a comprehensible manner:
- Legality
- Processing in good faith
- Transparency.
The principles of processing apply to data that meets the following criteria:
- it is collected for defined, clear and legitimate purposes, the original purpose ("purpose limitation")
- it is limited to the necessary extent ("data minimization")
- it is factually correct - incorrect data must be deleted or corrected immediately ("accuracy")
- it is only used for as long as it is required for the purposes ("storage limitation").
The data protection default setting (also privacy by design) of any application, website or service must be designed in such a way that the highest level of protection is complied with: this means that no personal data is used. The user can then proactively agree to or reject each individual processing of their personal data with a defined purpose.
Even after consent to process the data has been given, the subsequent refusal (opt-out) should be just as easy as the previously given consent.
EU GDPR data in the specific use
In some EU GDPR articles there are specification clauses (the so-called opening clauses), which allow national legislators to define certain parts of the article. This means that national legislators can interpret these parts specifically for their country. In this respect, the new regulations are very strict, especially at first glance - everything else is a matter for the individual states.
But what opening clauses are there that are relevant here? This and other questions will be addressed in the next article in this series: EU GDPR (2): What consent now means.
(Cover picture: © Christian Kettling)