Within the European Union, the protection of natural persons in relation to the processing of personal data is a fundamental, although not absolute, right. On May 25, 2018, the provisions of the European Union’s General Data Protection Regulation (the “GDPR” or “Regulation”) ((EU) 2016/679) take effect. The GDPR repeals the Data Privacy Directive (Directive 95/46/EC) that took effect in 1995. A complete copy of the text of the GDPR from the Official Journal of the European Union can be found here: https://spelusolawoffice.com/wp-content/uploads/2020/07/CELEX3A32016R06793AEN3ATXT.pdf.
The GDPR defines personal data as:
“[P]ersonal data” means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The definition covers a wide variety of data that a business (the “controller”) might collect in the ordinary course of business.
The GDPR sets forth six principles related to the processing of personal data. The data must be:
- processed lawfully, fairly and in a transparent manner (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- accurate and, where necessary, kept up to date and corrected if inaccurate (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”); and
- processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”).
The controller must also provide the data subject with certain information, irrespective of whether the data is collected directly from the data subject or from a third party. Such information includes:
- the identity and the contact details of the controller;
- the purposes of the processing for which the personal data are intended;
- the recipients or categories of recipients of the personal data, if any;
- the period for which the personal data will be stored;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing; and
- the data subject’s right to lodge a complaint with a supervisory authority.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data was originally collected, the controller must provide the data subject, prior to such further processing, with information on the other purpose and with any relevant further information.
A data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The data subject also has the right to obtain from the controller rectification of inaccurate personal data concerning him or her.
Data subjects also have a “right to be forgotten” under the Regulation. A data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR.
The controller has an obligation to notify data subjects when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. The controller must communicate the personal data breach to the data subject without undue delay.
Application of the GDPR is not limited to the EU. Under certain circumstances, the Regulation can be applied extraterritorially. A controller located in the EU is subject to the Regulation regardless of whether the data processing takes place in the EU. In certain circumstances, the GDPR also applies to the processing of the personal data of data subjects who are in the EU, even though the controller may not be located in the EU.
The GDPR also establishes the European Data Protection Board. The purpose of the board is to ensure the consistent application of the Regulation among the EU member states.
Finally, a person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller for the damages suffered. The Regulation also imposes administrative fines for its violation.
Those doing business in the EU involving the collection of personal data should become familiar with the terms of the GDPR and make sure that their operations comply with the terms of the Regulation.