General Data Protection

The Regulation: GDPR 2016/679/EU

The GDPR 2016/679/EU (General Data Protection Regulation) was adopted on April 14, 2016. In order to process personal data, data controllers and processors must comply with this regulation. The GDPR harmonizes the protection of fundamental rights and freedoms of natural persons with regards to the processing of their data and to ensure the free flow of personal data between Member States.

The GDPR is designed to protect natural persons from unlawful processing of their personal data. The requirements in the Regulation have to be met with regards to any processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing itself takes place in the Union. If the controller or the processor is not established in the EU, the processing of personal data of data subjects who are in the EU for the purpose of offering goods or services or monitoring behaviour falls under the scope of the GDPR.

Personal data means any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can, directly or indirectly, be identified with the help of identifiers (e.g. name, identification number, location data, physical, genetic or mental characteristics). The GDPR encourages the use of pseudonymisation for the stronger protection of personal data. Anonymous information cannot be attributed to a specific natural person and, therefore, falls outside of the scope of the GDPR.

Examples of personal data include:

  • Name and surname;
  • Home address;
  • An email address, which contains the name of the data subject;
  • Location data;
  • Data held by hospitals or doctors, such as medical history and genetic data
  • Information about education or employment, such as salary data, tax information and diploma.
  • IP address of a single user

Processing covers any manual or automated operation which is performed on personal data. It includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

For processing to be considered as legal, it must be done under one of the lawful bases of Article 6 (1) of the Regulation: consent (paragraph (a)); performance of a contract (paragraph (b)); compliance with a legal obligation (paragraph (c)); protection vital interests (paragraph (d)); public interest (paragraph (e)); or legitimate interests (paragraph (f)).

In case of a breach of the GDPR, the penalties can be as high as 4% of the annual global turnover of the company or EUR 20 Million, whichever is greater. The fines are dependent on the obligations which were infringed.