New Proposal from the EU Commission for a Cyber Resilience Act
European Commission presented a proposal for a Regulation on cybersecurity requirements for products. Read more!
In order to process personal data, controllers and processors of data must comply with the GDPR, which is designed to protect natural persons from unlawful processing of their personal data.
The GDPR encourages the use of pseudonymisation for the stronger protection of personal data. Anonymous information cannot be attributed to a specific natural person and, therefore, falls outside of the scope of the GDPR.
The GDPR 2016/679/EU (General Data Protection Regulation) was adopted on April 14, 2016. In order to process personal data, data controllers and processors must comply with this regulation. The GDPR harmonizes the protection of fundamental rights and freedoms of natural persons with regards to the processing of their data and to ensure the free flow of personal data between Member States.
The GDPR is designed to protect natural persons from unlawful processing of their personal data. The requirements in the Regulation have to be met with regards to any processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing itself takes place in the Union. If the controller or the processor is not established in the EU, the processing of personal data of data subjects who are in the EU for the purpose of offering goods or services or monitoring behaviour falls under the scope of the GDPR.
Personal data means any information that relates to an identified or identifiable natural person. An identifiable natural person is one who can, directly or indirectly, be identified with the help of identifiers (e.g. name, identification number, location data, physical, genetic or mental characteristics). The GDPR encourages the use of pseudonymisation for the stronger protection of personal data. Anonymous information cannot be attributed to a specific natural person and, therefore, falls outside of the scope of the GDPR.
Examples of personal data include:
Processing covers any manual or automated operation which is performed on personal data. It includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
For processing to be considered as legal, it must be done under one of the lawful bases of Article 6 (1) of the Regulation: consent (paragraph (a)); performance of a contract (paragraph (b)); compliance with a legal obligation (paragraph (c)); protection vital interests (paragraph (d)); public interest (paragraph (e)); or legitimate interests (paragraph (f)).
In case of a breach of the GDPR, the penalties can be as high as 4% of the annual global turnover of the company or EUR 20 Million, whichever is greater. The fines are dependent on the obligations which were infringed.
The GDPR’s material scope covers the processing of all personal data, which relates to an identified or identifiable person. The territorial scope covers all processing, which was done in the context of the activities of an EU established controller or processor, irrespective of whether the processing itself was done in the Union. When the controller or the processor are located outside of the EU but offers goods or services to, or monitors the behaviour of data subject in the Union, the GDPR is applicable. In summary, a company must comply with the GDPR if it processes personal data and:
With regards to size, a company should comply with the GDPR if it:
With regards to sector, a company should comply with the GDPR:
In order to be able to lawfully process personal data, the controller or processor have to do the following: