General Data Protection Regulation

General Data Protection Regulation

Scope

The GDPR’s material scope covers the processing of all personal data, which relates to an identified or identifiable person. The territorial scope covers all processing, which was done in the context of the activities of an EU established controller or processor, irrespective of whether the processing itself was done in the Union. When the controller or the processor are located outside of the EU but offers goods or services to, or monitors the behaviour of data subject in the Union, the GDPR is applicable.

In summary, a company must comply with the GDPR if it processes personal data and:

  • Has presence in the EU;
  • Has no presence in the EU but processes personal data of data subjects located in the EU;

With regards to size, a company should comply with the GDPR if it:

  • Has more than 250 employees; or
  • Has less than 250 employees, but the processing it does impacts the rights and freedoms of data subjects, is not occasional or includes sensitive data.

With regards to sector, a company should comply with the GDPR:

  • Regardless of sector;
  • That includes companies manufacturers or legal manufacturers from a multitude of sectors (medical devices, in-vitro diagnostics, cosmetics, machinery, toys, automotive, pressure – just to name a few).

The Regulation: GDPR 2016/679/EU

The GDPR 2016/679/EU (General Data Protection Regulation) was adopted on April 14, 2016. In order to process personal data, data controllers and processors must comply with this regulation. The GDPR harmonizes the protection of fundamental rights and freedoms of natural persons with regards to the processing of their data and to ensure the free flow of personal data between Member States.

The GDPR is designed to protect natural persons from unlawful processing of their personal data. The requirements in the Regulation have to be met with regards to any processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing itself takes place in the Union. If the controller or the processor is not established in the EU, the processing of personal data of data subjects who are in the EU for the purpose of offering goods or services or monitoring behaviour falls under the scope of the GDPR.

Personal data means any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can, directly or indirectly, be identified with the help of identifiers (e.g. name, identification number, location data, physical, genetic or mental characteristics). The GDPR encourages the use of pseudonymisation for the stronger protection of personal data. Anonymous information cannot be attributed to a specific natural person and, therefore, falls outside of the scope of the GDPR.

Examples of personal data include:

  • Name and surname;
  • Home address;
  • An email address, which contains the name of the data subject;
  • Location data;
  • Data held by hospitals or doctors, such as medical history and genetic data
  • Information about education or employment, such as salary data, tax information and diploma.
  • IP address of a single user

Processing covers any manual or automated operation which is performed on personal data. It includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

For processing to be considered as legal, it must be done under one of the lawful bases of Article 6 (1) of the Regulation: consent (paragraph (a)); performance of a contract (paragraph (b)); compliance with a legal obligation (paragraph (c)); protection vital interests (paragraph (d)); public interest (paragraph (e)); or legitimate interests (paragraph (f)).

In case of a breach of the GDPR, the penalties can be as high as 4% of the annual global turnover of the company or EUR 20 Million, whichever is greater. The fines are dependent on the obligations which were infringed.


Learn more:


Looking for more information on how we can support your GDPR compliance in the EU Market? Contact us!

Get in touch