EU GDPR (1): European General Data Protection Regulation explained in brief

Picture of Christian Kettling

Christian Kettling

November 14, 2017

Is your company ready and well positioned for the multitude of requirements and changes? What do terms such as marketplace principle, privacy by design, personal data, reservation of consent, right to be forgotten, child consent, 20 million euro sanction mean? This three-part series of articles deals with the big questions raised by the European General Data Protection Regulation (EU GDPR): the new components, special features and some terms are briefly explained here. The first part provides a concrete overview of the EU GDPR and the data that is affected by it, its purpose and scope.

EU GDPR data, scope of application, European Union, European General Data Protection Regulation explained in brief
Scope of application European Union (Image: © Christian Kettling)

The European General Data Protection Regulation (EU GDPR) will apply in six months' time

After a transitional period of two years, the EU GDPR will apply from May 25, 2018. The EU GDPR has valid in all European countries and beyond.

The European Commission a uniform legal basis for Europe in the Regulation with 99 Articles and 173 Recitals which supersedes national regulations and is directly applicable.

EU GDPR Validity of market place principle

The legal validity concerns all 27 EU member states according to the Establishment principle as well as all services that are offered here. This means that it no longer matters whether the servers are located in Luxembourg, Ireland or Silicon Valley; the place from or for which the goods (services) are offered is decisive; therefore, the Market place principleProviders must comply with the EU GDPR and be equipped in accordance with the GDPR.

EU GDPR data, European Union, market place principle, European General Data Protection Regulation explained in brief
EU GDPR: The marketplace principle applies to data. (Image: © Christian Kettling)

Each personal datewhich is based in Europe on Websitessocial media or Search engines processed, as well as all personal data that is processed in all further IT applications and Services processed in the EU or made available for the European market are bound by the EU GDPR.

Personal data

According to the principle of data protection, the processing of personal data was and is prohibited. In detail, this is a Prohibition with reservation of permission. But what is personal data? What exactly is meant by reservation of permission?

Article 4 No. 1 states that: Personal datawhich "... relate to an identified or identifiable natural person..." - i.e. data that allows conclusions to be drawn about a specific natural person would allow - are personal data. The reservation of permission is in turn linked to the intended purpose.

Intended use

For each Processing of personal data is a Purposeg; i.e. the reason why this date is used and why - despite the requirement of the Data economy - is absolutely necessary for processing. This date may then only be used for this purpose.

In Article 5 "Principles for the Processing of personal data", these principles are listed in a comprehensible manner:

  1. Legality
  2. Processing in good faith
  3. Transparency.

The principles of processing apply to data to which the following criteria apply:

  • defined, clear and legitimate purposes, the original purpose ("Earmarking")
  • limited to the necessary extent ("Data minimization")
  • contain factually correct data - incorrect data must be deleted or corrected immediately ("Correctness")
  • is only used for as long as it is required for the purposes ("Memory limitation").
EU GDPR data, European Union, Dobby, Harry Potter Museum, European General Data Protection Regulation explained in brief
Facial recognition: A very sensitive topic in the wake of the EU GDPR, data and its collection and storage. (Image: © Christian Kettling, own photo in the Harry Potter Museum London)

The data protection default setting - also Privacy by design of any application, website or service must be designed in such a way that the highest level of protection is complied with: This means that no personal data is used. The user can then object to each individual processing of their personal data with a defined purpose proactive agree or these Reject.

Even after a Consent to process the data, the subsequent refusal (Opt-out) should be just as easy as the previously given consent.

EU GDPR data in the specific use

In some EU GDPR articles there are Specificationclauses (the so-called opening clause), which allow national legislators to define certain parts of the article. This means that national legislators can interpret this specifically for the country. In this respect, the new regulations are very strict, especially at first glance - everything else is a matter for the individual states.

But what opening clauses are there that are relevant here? This and other questions will be addressed in the next article in this series: EU GDPR (2): What consent now means.

(Cover picture: © Christian Kettling)

About the author

Picture of Christian Kettling

Christian Kettling

Christian Kettling has been a TCI partner and expert in data protection and IT since 2009. His current thematic focus is the EU GDPR. He gives training courses, lectures and advises companies on this topic.

Share this article on social media

More blog articles

More from our blog

Harrlachweg 2

68163 Mannheim


Do you have an request? With pleasure!

© 2024 TCI - All rights reserved.