Tuesday, October 24, 2017

GDPR step-by-step - Part 1 - Material Scope, Geographical Scope and Lawfulness of Processing

This is the first post in my new series about the GDPR (General Data Protection Regulation), in which I will highlight relevant aspects of this new regulation, especially for businesses.

The GDPR shall apply from May 2018, so it is very important that businesses are fully prepared for the new rules. This series is an attempt to help business owners become aware of the new rules and the specific challenges they might present in different information systems. These posts have educational purposes; they do not substitute a consultation with a lawyer.
I hope that the content can be useful to you. All highlights and comments in yellow are mine. To read the GDPR, click here.

In this Part 1, you will find:

1- The GDPR's material scope;
2- The GDPR's geographical scope;
3- Lawfulness of processing.

[Part 2]

*

1- To what type of data processing does it apply? - material scope - article 2:

The GDPR is applicable to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." (article 2)

it covers both automated and non-automated means (the latter only when the data form, or are intended to form, part of a filing system)

It is NOT applicable to "the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."

2- To which territories does it apply? - geographical scope - article 3:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

if the controller or processor is established in the European Union - GDPR applies, wherever the processing itself takes place

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:


(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or


(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

in both situations the controller is not in the European Union, yet the GDPR still applies

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

3- Lawfulness of processing - article 6:

all data processing, in order to be lawful, has to fall under at least one of the items below

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; 

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

item "a" will be a frequent justification for businesses, therefore we need to know what consent means according to the GDPR. Article 4(11) explains:

"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

the indication of the data subject's wishes has to be:
- freely given
- specific
- informed
- unambiguous

it has to be delivered by
- a statement or
- a clear affirmative action

*
That's all for today. Do you have comments about this post? Feel free to post them below.

Best,


Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy