Eu Data Protection Law: Who Does It Affect?

what does eu data protection law apply to

The EU's General Data Protection Regulation (GDPR) is a privacy and security law that outlines requirements for organisations worldwide that target or collect data related to people in the EU. The regulation, which came into effect on 25 May 2018, is designed to strengthen individuals' fundamental rights in the digital age and enhance their control and rights over their personal information. It applies to all companies processing the personal data of individuals in the EU, regardless of the company's location, and imposes harsh fines on those who violate its privacy and security standards.

Characteristics Values
Territorial scope Applies to all companies processing the personal data of data subjects residing in the EU/EEA, regardless of the company's location
Penalties for violation Organisations and companies found in breach of GDPR will be fined according to the scope and type of their infringement
Consent Organisations and companies will no longer be allowed to use long and illegible terms and conditions and complex forms to request consent from customers
Breach notifications Organisations and companies must notify supervisory authorities and their customers in the event of a data breach that is likely to place at risk the rights and freedoms of individuals
Access rights Data subjects will be able to obtain confirmation from companies as to whether or not their personal data is being processed, where, and for what purpose
Deletion rights The ‘right to be forgotten’ allows the data subject to have the company erase his or her personal data
Data portability The data subject will now be able to receive and transmit in a common and machine-readable format any previously obtained personal data (that concerns him) to another company
Privacy by design and by default Privacy by design is a common informal approach — It means that each new service or business process that makes use of personal data must take the protection of such data into consideration
Data Protection Officers The Data Protection Officer (DPO) will be an important GDPR cornerstone. In addition to supporting an organization’s compliance with the GDPR, the DPO will have the essential role of acting as an intermediary between the organization and supervisory authorities, data subjects, etc

lawshun

Data protection rights of EU citizens

The EU's General Data Protection Regulation (GDPR) came into force on 24 May 2016 and applies to all member states since 25 May 2018. The GDPR is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. It is directly applicable with the force of law on its own without the need for transposition. The GDPR aims to regulate the processing of personal data of individuals, referred to as "EU citizens", residing in the European Economic Area (EEA). The GDPR is designed to have a wider scope and includes other major changes that take into account the current cybersecurity landscape.

The GDPR applies to all companies processing the personal data of individuals residing in the EU/EEA, regardless of the company's location. This means that the GDPR applies to the processing of personal data by controllers (companies) and processors (entities that process data for companies) in the EU/EEA, whether or not the processing itself takes place in the EU/EEA. Non-EU/EEA-based businesses processing the data of EU citizens will also have to appoint a representative in the EU/EEA.

The GDPR provides EU citizens with the following rights:

  • Access rights: Data subjects can obtain confirmation from companies as to whether or not their personal data is being processed, where, and for what purpose. The company must also provide a copy of the customer's personal data at their request, free of charge.
  • Deletion rights: The 'right to be forgotten' allows the data subject to have the company erase his or her personal data. This right to data erasure is not absolute and can be claimed under certain conditions: withdrawal of consent; the data is no longer relevant to the original purposes of processing. This right is subject to public interest or national security concerns.
  • Data portability: The data subject can receive and transmit in a common and machine-readable format any previously obtained personal data (that concerns them) to another company.
  • Right to object and automated decisions: Article 21 of the GDPR allows an individual to object to processing personal information for marketing or non-service-related purposes. This means the data controller must allow an individual the right to stop or prevent the controller from processing their personal data.
  • Right to rectification: The right of rectification allows individuals to rectify inaccurate personal data concerning them.
  • Right to restrict processing: Individuals have the right to restrict the processing of their personal data in certain circumstances.
  • Right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
  • Right to compensation: Article 82 of the GDPR stipulates that any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

The GDPR also includes provisions for "privacy by design and by default", meaning that each new service or business process that makes use of personal data must take the protection of such data into consideration. The strictest privacy settings automatically apply once a customer acquires a new product or service, and no manual change to the privacy settings should be required on the part of the user.

To ensure compliance with the GDPR, companies must implement measures that meet the principles of data protection by design and by default. Article 25 requires data protection measures to be designed into the development of business processes for products and services. Such measures include pseudonymising personal data, by the controller, as soon as possible. It is the responsibility and liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.

lawshun

Data protection law enforcement

The EU's General Data Protection Regulation (GDPR) is a privacy and security law that outlines the requirements organisations must follow when handling the personal data of individuals in the EU. The GDPR came into effect on 25 May 2018 and imposes obligations on organisations globally, as long as they target or collect data from individuals in the EU. The regulation outlines seven data protection principles that must be adhered to when processing data, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

In addition to the GDPR, the EU has also implemented the Law Enforcement Directive (LED), which specifically addresses the processing of personal data for law enforcement purposes. The LED is a directive, which means it requires transposition into domestic law to take effect. The directive protects citizens' fundamental right to data protection when their personal data is used by criminal law enforcement authorities and applies to any public or private body considered a 'competent authority' that carries out processing for law enforcement purposes.

To ensure compliance with the GDPR and LED, the European Data Protection Board (EDPB) was established as an independent body to ensure the consistent application of data protection rules across the EU. The EDPB provides general guidance on key concepts, advises the European Commission on data protection issues, and resolves disputes between national supervisory authorities.

National data protection authorities have also been set up in EU countries to protect personal data in accordance with the EU Charter of Fundamental Rights. These authorities work with the EDPB to enforce the GDPR in cross-border cases, following specified procedural rules outlined in the GDPR procedural regulation.

To maintain transfers of personal data from the EU to the UK for law enforcement purposes, the UK government has confirmed transitional adequacy provisions. However, there are specific amendments to the transfer provisions to reflect the UK's status as a non-EU member state. Overall, the EU's data protection laws aim to strengthen individuals' fundamental rights in the digital age and ensure consistent protection across the EU.

lawshun

Data protection for criminal justice

The EU's General Data Protection Regulation (GDPR) is a privacy and security law that outlines the protection of personal data and the free movement of such data. The regulation applies to organisations anywhere in the world, as long as they target or collect data related to people in the EU.

The Data Protection Law Enforcement Directive (LED), adopted in May 2016, is a part of the EU data protection reform, along with the GDPR. The LED ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims, or suspects. It establishes a comprehensive framework to ensure a high level of data protection, while taking into account the specific nature of the police and criminal justice field.

The LED requires that data collected by law enforcement authorities are:

  • Processed lawfully and fairly
  • Collected for specified, explicit, and legitimate purposes, and processed only in a manner compatible with these purposes
  • Adequate, relevant, and not excessive in relation to the purpose for which they are processed
  • Accurate and updated where necessary
  • Kept in a form that allows identification of the individual for no longer than necessary for the purpose of the processing
  • Appropriately secured, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures

Member States must establish time limits for erasing personal data or for a regular review of the need to store such data.

The LED also requires law enforcement authorities to make a clear distinction between the data of different categories of persons, including:

  • Those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence
  • Those who have been convicted of a criminal offence
  • Victims of criminal offences or those whom it is reasonably believed could be victims of criminal offences
  • Those who are parties to a criminal offence, including potential witnesses

Individuals have the right to obtain confirmation from competent authorities as to whether their personal data are being processed and to access such data and information relating to its processing. They also have the right to request access to and correction or deletion of their personal data, as well as the right to restrict the processing of their personal data.

lawshun

Data protection for natural persons

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that applies to all companies operating in the EU, regardless of their size. It also applies to non-EU companies that target or collect data related to people in the EU.

The GDPR outlines seven data protection and accountability principles that must be followed when processing data:

  • Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
  • Purpose limitation: Data must be processed for the legitimate purposes specified explicitly to the data subject when collected.
  • Data minimization: Only the necessary amount of data for the specified purposes should be collected and processed.
  • Accuracy: Personal data must be accurate and up to date.
  • Storage limitation: Personally identifying data may only be stored for as long as necessary for the specified purpose.
  • Integrity and confidentiality: Processing must be done securely to ensure appropriate integrity, confidentiality, and security of personal data.
  • Accountability: The data controller is responsible for demonstrating compliance with all of these principles.

The GDPR grants individuals several rights to protect their personal data, including:

  • The right to be informed: Individuals have the right to know how their data is being processed and why.
  • The right of access: Individuals can access their personal data and information about how it is being processed.
  • The right to rectification: Individuals can request the rectification of inaccurate personal data.
  • The right to erasure: Individuals can request the deletion of their personal data if there is no legitimate reason for its continued processing.
  • The right to restrict processing: Individuals can request that the processing of their personal data be restricted in certain circumstances.
  • The right to data portability: Individuals can easily transmit their personal data between service providers.
  • Rights related to automated decision-making and profiling: This includes the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the individual or similarly significantly affects them.

To ensure compliance with the GDPR, organisations must implement appropriate technical and organisational measures. This includes designating a data protection officer, maintaining detailed documentation of the data collected, and providing staff training.

lawshun

Data protection for EU institutions and bodies

The EU's General Data Protection Regulation (GDPR) outlines the data protection obligations of EU institutions, bodies, and agencies when processing personal data and developing new policies. Regulation (EU) 2018/1725 sets forth the rules applicable to the processing of personal data by European Union institutions, bodies, offices, and agencies. It is aligned with the General Data Protection Regulation and the Data Protection Law Enforcement Directive.

Regulation (EU) 2018/1725 upholds an individual's fundamental rights and freedoms, especially the right to protection of personal data and the right to privacy. It lays down rules on how EU institutions, bodies, offices, and agencies should treat the personal data they hold on individuals. Personal data must be processed in a lawful, fair, and transparent way, and collected for specific, explicit, and legitimate purposes. It must be stored in a way that ensures the identification of the individuals concerned is possible for no longer than necessary. Additionally, personal data may only be transferred outside the EU under strict conditions.

The regulation also defines the obligations of the European Data Protection Supervisor (EDPS), an independent supervisory authority of EU institutions and bodies when they process personal data. The EDPS is responsible for monitoring the application of data protection rules within European institutions and investigating complaints. The European Commission has appointed a Data Protection Officer who is responsible for monitoring and applying data protection rules in the European Commission. They work independently to ensure the internal application of data protection rules in cooperation with the EDPS.

Regulation (EU) 2018/1725 entered into application on December 11, 2018, repealing Regulation (EC) No 45/2001, which previously outlined the rules on personal data processing by EU institutions, bodies, offices, and agencies.

Frequently asked questions

If your business handles the personal data of EU citizens, then yes, the law applies to you. This includes businesses outside of the EU.

Personal data is any information that can be used to identify an individual, directly or indirectly. This includes names, email addresses, tax ID numbers, online identifiers, location information, ethnicity, gender, biometric data, and political opinions.

It is your business's responsibility to find out. Review all your records and separate those that contain personal information.

The EU takes a tiered approach to fines, with two levels depending on the type and scope of the infringement. The first penalty tier is set at up to €10 million or 2% of the company's global annual turnover, whichever is higher. The second tier is set at up to €20 million or 4% of the company's global annual turnover, whichever is higher.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment