Author: Prof. Manuel Freire-Garabal y Nunez
Abstract: In European regulation, data protection is one of the most important keys to protecting individuals and, in consequence, the institutions they represent or work with. Data protection and data management are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the "General Data Protection Regulation" (GDPR). The Regulation establishes the regulatory framework that the different European countries develop further in national law.
Keywords: Data Protection, European Law, management.
Data protection and data management are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the "General Data Protection Regulation" (GDPR). The Regulation has applied since May 25, 2018.
The Regulation establishes the framework that the different European countries develop further in national law.
Article 4(1) of the Regulation defines personal data as any information relating to an identified or identifiable natural person. The UK supervisory authority's guidance summarises the identifiability test as follows: "personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."
Because the full Regulation is too long to cover in a short commentary aimed at students and general readers, this article studies the key elements that every professional has to know in order to manage data correctly in the field.
The GDPR has eleven chapters, covering general provisions, principles, rights of the data subject, duties of controllers and processors, transfers of personal data, supervisory authorities, cooperation among Member States, remedies, liability and penalties for breaches of rights, and final provisions.
The general provisions of the Regulation are mainly defined in the following articles and recitals.
Recital 18: The Regulation does not apply to the processing of personal data by a natural person in the course of a "purely personal or household activity and thus with no connection to a professional or commercial activity." Nor does the Regulation govern the processing of personal data for national security purposes or by law enforcement authorities of the European Union, which is covered by a separate directive. Industry groups concerned about a potential conflict of laws have questioned whether [1].
Article 2: Article 2(2)(a) excludes processing in the course of an activity that falls outside the scope of Union law, such as national security, which therefore remains subject to the rules of the individual Member States. Processing in the employment context may likewise be regulated further by national law under Article 88 of the Regulation [2].
Article 4: The definitions of terms such as "personal data", "data subject", "controller", "processing" and "processor". All of these terms are essential to understanding the law in context.
For data management, two roles have to be distinguished: controllers, the organisations that determine the purposes and means of processing the personal data they collect (typically from European residents), and processors, the organisations that process data on behalf of a controller, such as cloud service providers.
Regarding territorial application (Article 3), the Regulation applies to processing carried out in the context of an establishment in the European Union, regardless of where the processing itself takes place. It also applies to organisations established outside the European Union when they offer goods or services to data subjects in the Union or monitor their behaviour within the Union [3].
Articles 51 to 62: Each Member State must establish an independent supervisory authority to enforce the Regulation. The supervisory authorities of the different Member States cooperate with one another, providing mutual assistance and organising joint operations.
Where a company operates in several Member States, it generally deals with a single lead supervisory authority, determined by the location of its main establishment, with the European Data Protection Board coordinating between the authorities [4].
Article 48: Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the European Union or a Member State [5].
Article 6: Personal data may not be processed unless there is at least one lawful basis for doing so. One such basis is that the data subject has given informed consent to the processing for one or more specific purposes [6]. The lawful bases to consider are:
The legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject under the Charter of Fundamental Rights, in particular where the data subject is a child;
The data subject has consented to the processing of his or her personal data;
The processing is necessary for compliance with a legal obligation to which the controller is subject;
The processing is necessary to protect the vital interests of the data subject or of another natural person;
The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Recital 32: Consent has to be a specific, freely given, plainly worded and unambiguous affirmation by the data subject. An online form with consent options pre-ticked or structured as an opt-out by default infringes the Regulation, because the consent is not unambiguously affirmed by the user. Likewise, several kinds of processing may not be bundled into a single consent prompt, because the consent is then not specific to each use of the data and the individual consents are not freely given [7].
Recital 171: If consent to processing was already given under the Data Protection Directive, a controller does not need to obtain consent again, provided that the processing is documented and was obtained in a manner consistent with the requirements of the Regulation [8].
Article 7(1): Whenever informed consent is used as the legal basis for processing, the controller must be able to demonstrate that the data subject consented, and the consent must be explicit for the data collected and for each purpose the data are used for [9].
Article 7(3): The data subject must be allowed to withdraw consent at any time, and the process for doing so must not be harder than it was to opt in. The article states that "the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent".
Article 7(4): A controller may not refuse service to users who decline to consent to processing that is not strictly necessary in order to use the service. The article states that "when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract".
Article 8(1): Consent for children is subject to age conditions defined by the Regulation. The literal text says that "where point (a) of Article 6(1) [10] applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years".
Article 8(2): The consent has to be verifiable. The article says that "the controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology".
DATA MANAGEMENT RIGHTS
ACCESS AND INFORMATION
Article 15(1): Access is the right of individuals to be told whether their personal data are being processed and to learn how. The sub-paragraphs define that:
Article 15(1)(a): The controller has to inform the data subject of the purposes of the processing.
Article 15(1)(b): The controller has to provide, on request, an overview of the categories of personal data concerned.
Article 15(1)(c): The controller has to inform the data subject of the recipients with whom the data are shared.
Article 15(1)(g): Where the data were not collected from the data subject, the controller has to inform the data subject how the data were acquired.
Article 15(3): The controller has to provide, on request, a copy of the actual data. The article says that "The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form". Under Article 15(4), "the right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others".
Article 20: This article defines the right to data portability, which is directly relevant to everyday communications today, for instance when a user wants to move away from an email or telephone provider after a security breach.
The article establishes that "the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); the processing is carried out by automated means. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others" [11].
RECTIFICATION AND ERASURE
Article 6: This article details the conditions of lawfulness. Article 6(1)(f) clarifies how the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. Under that provision, processing is lawful where "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child" [12].
Article 17(1): The data subject has the right to request the erasure of personal data relating to him or her on any of several grounds; the controller must act without undue delay, and Article 12(3) sets a default of one month to respond to the request.
The article defines that "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21(2); the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)".
In Article 17(2), the legislator established that "where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data".
The following paragraph, Article 17(3), defines that "Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims" [13].
RIGHT TO OBJECT
Article 21: The Regulation allows a person to object to the processing of personal data for marketing, sales or purposes unrelated to the service. This means the controller must give the individual the option to stop, or prevent, the controller from processing their personal data.
The article defines that "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims".
The Regulation is also clear that the controller must inform individuals of their right to object from the first communication the controller has with them. This notice must be clear and separate from any other information the controller provides, and must give individuals their options for how to object to the processing of their data.
The following paragraphs define several key elements to analyse.
Article 21(2) establishes that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing". Paragraph 3 defines that "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes".
At the latest at the time of the first communication with the data subject, "the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information" [14].
Article 35: A data protection impact assessment must be conducted when the processing is likely to pose specific risks to the rights and freedoms of data subjects. Risk assessment and mitigation are required, and where the residual risk remains high the controller must consult the supervisory authority before processing (Article 36).
Paragraph 1 defines that "where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks".
As a complement, paragraph 2 establishes that "the controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment" [15].
Article 25: Data protection by design and by default requires that protection measures be built into the design of the business activities that process personal data.
Controllers have to implement appropriate technical and organisational measures so that operations are carried out securely, protecting the confidentiality of personal data both while it is stored and while it is processed [16].
The Regulation refers to several kinds of protection mechanisms:
Pseudonymisation (defined in Article 4(5)): a procedure for storing data that transforms personal data so that the resulting data can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and under technical and organisational safeguards. Encryption with a separately held key is one common technique. Recital 78 recommends pseudonymising personal data as soon as possible.
Recital 78 defines that “the protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organizational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures that meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfill their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfill their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders”.
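The following Python example, added here and not part of the original article, shows what "cannot be attributed to a specific data subject without the use of additional information" means in practice. A controller replaces each email address with a keyed HMAC-SHA256 token; the secret key and the token-to-identifier table are the additional information and are held apart from the working dataset. The example also shows why an unkeyed hash is not pseudonymisation (anyone holding a list of candidate emails can reverse it), and how deleting a subject's table entry leaves only unresolvable tokens, one way of honouring an erasure request under Article 17 without rewriting every downstream copy. All names, emails and records are constructed sample data; the class and function names are the example's own.

```python
"""Pseudonymisation with a separately held re-identification table.

Added example for the Article 25 / Recital 78 discussion; not code from
the article. All sample records below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records held by a hypothetical controller.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.org", "visit": "2020-05-01", "pages": 4},
    {"email": "Alice@Example.org", "visit": "2020-05-02", "pages": 2},
    {"email": "bob@example.net", "visit": "2020-05-01", "pages": 1},
]


def _normalise(identifier: str) -> str:
    # Canonical form so the same person always yields the same token.
    return identifier.strip().lower()


class Pseudonymiser:
    """Keyed tokenisation: the key and lookup table are the 'additional
    information' of Article 4(5) and live apart from the dataset."""

    def __init__(self, key: Optional[bytes] = None):
        # Secret key held by the controller, never shipped with the data.
        self._key = key if key is not None else secrets.token_bytes(32)
        # Re-identification table: token -> original identifier.
        self._lookup: Dict[str, str] = {}

    def token(self, identifier: str) -> str:
        # HMAC is deterministic per key, so records stay linkable for
        # processing (joins, counts) without revealing who they concern.
        mac = hmac.new(self._key, _normalise(identifier).encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def pseudonymise_record(self, record: dict) -> dict:
        # Strip the direct identifier and replace it with the token.
        out = dict(record)
        ident = _normalise(out.pop("email"))
        tok = self.token(ident)
        self._lookup[tok] = ident
        out["subject_token"] = tok
        return out

    def reidentify(self, token: str) -> Optional[str]:
        # Only someone holding the table can resolve a token.
        return self._lookup.get(token)

    def erase_subject(self, identifier: str) -> bool:
        # Drop the mapping: remaining tokens for this person become
        # unresolvable even though downstream copies still carry them.
        return self._lookup.pop(self.token(identifier), None) is not None


def unkeyed_hash(identifier: str) -> str:
    # What NOT to do: a plain hash with no secret is reversible by anyone
    # who can enumerate likely inputs.
    return hashlib.sha256(_normalise(identifier).encode()).hexdigest()[:32]


def dictionary_attack(target: str, candidates: List[str],
                      hasher: Callable[[str], str]) -> Optional[str]:
    # Attacker tries every candidate identifier against the target value.
    for cand in candidates:
        if hmac.compare_digest(hasher(cand), target):
            return cand
    return None


def demo() -> dict:
    controller = Pseudonymiser()
    dataset = [controller.pseudonymise_record(r) for r in SAMPLE_RECORDS]
    candidates = ["alice@example.org", "bob@example.net", "carol@example.com"]
    attacker = Pseudonymiser()  # attacker has candidates but not the key
    result = {
        "linkable": dataset[0]["subject_token"] == dataset[1]["subject_token"],
        "identifier_removed": "email" not in dataset[0],
        "unkeyed_reversed": dictionary_attack(
            unkeyed_hash("bob@example.net"), candidates, unkeyed_hash),
        "keyed_reversed": dictionary_attack(
            dataset[2]["subject_token"], candidates, attacker.token),
        "erased": controller.erase_subject("alice@example.org"),
    }
    result["after_erasure"] = controller.reidentify(dataset[0]["subject_token"])
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the separation: the dataset alone does not identify anyone, the key and table alone contain no processing data, and only a party holding both can link the two. Rotating or destroying the key is the same mechanism that Article 34(3)(a) refers to when it excuses breach notification for data that has been rendered unintelligible to anyone not authorised to access it.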
Responsibility of the controller: implementing security measures to prevent harm and establishing the corresponding responsibilities. This is defined in Recital 74.
Recital 74 defines that “the responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons”.
Records of processing activities: records have to be kept that describe the key elements of each processing operation, the categories of data and data subjects involved, and the envisaged time limits for erasure. The records must be available at all times so that possible security breaches or misuse can be checked. This is defined in Article 30 [17].
Data protection officer: the Regulation requires the appointment of a data protection officer in certain cases, in particular where the processing is carried out by a public authority, except for courts or independent judicial authorities acting in their judicial capacity.
The officer is similar to a compliance officer and is also expected to be proficient in managing IT processes, data security and other critical business-continuity issues around the holding and processing of personal and sensitive data. The skill set required goes beyond understanding legal compliance with data protection laws and regulations: the DPO must keep an up-to-date inventory of all data collected and stored by the organisation. European-level guidelines on the data protection officer give further recommendations.
A designated officer can be a current member of staff of the controller or processor, or the role can be outsourced to an external person or organisation under a service contract. In either case, the organisation must ensure that there is no conflict of interest with other roles or interests the officer may hold. The contact details of the officer must be published by the organisation and communicated to the supervisory authority.
Articles 9 [18] and 10 govern the processing of special categories of personal data and of data relating to criminal convictions and offences, which require additional safeguards. Procedures have to be developed to help the controller manage such data correctly.
On that basis, Article 10 defines that "processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority".
Article 27: Organisations based outside the European Union must also designate a person established in the Union as a representative and point of contact for their obligations under the Regulation. This is a distinct role from the data protection officer, although the overlap in duties suggests that it can also be held by the designated officer.
The article defines that "the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are… The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation… The designation of a representative by the controller or processor shall be without prejudice to legal actions that could be initiated against the controller or the processor themselves" [19].
Article 33: The controller is under a legal obligation to notify the supervisory authority of a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Moreover, the processor must notify the controller without undue delay after becoming aware of a personal data breach [20].
Article 34: Data subjects must be informed when a high risk of adverse impact is determined. However, notification of the data subjects is not required if the controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to anyone not authorised to access it.
Paragraphs 1 and 2 define that "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay… The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3)".
As an exception, the communication to the data subject referred to in paragraph 1 is not required if any of the following conditions are met: "the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; it would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner" [21].
SANCTIONS AND PENALTIES:
Article 83 [22]: The main sanctions are:
An administrative fine of up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the provisions listed in Article 83(4);
An administrative fine of up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the provisions listed in Articles 83(5) and 83(6);
In addition, the supervisory authority may issue a written warning in cases of first and non-intentional non-compliance, and may order regular periodic data protection audits (Article 58).
Article 83(4) [23]: The lower tier of fines applies to infringements of:
The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;
The obligations of the certification body pursuant to Articles 42 and 43, and the obligations of the monitoring body pursuant to Article 41(4).
Articles 83(5) [24] and 83(6) [25]: The higher tier of fines applies to infringements of:
The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
The data subjects' rights pursuant to Articles 12 to 22;
The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
Any obligations pursuant to Member State law adopted under Chapter IX;
Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) [26], or failure to provide access in violation of Article 58(1) [27].
EXCEPTIONS TO THE DATA REGULATION
There are cases that are not covered by the GDPR, such as lawful interception, national security, the military, the police and the justice system.
The personal data of deceased persons are subject to national legislation. Other situations are also left to national law or fall outside the Regulation: employer-employee relationships where a dedicated law exists, the processing of personal data by a natural person in the course of a purely personal or household activity, and the requirement that an entity, or more precisely an undertaking, must be engaged in economic activity in order to be treated as an undertaking for the purposes of the Regulation's fines.
Economic activity is defined broadly under European Union competition law.
APPLICATION OF THE DATA REGULATION TO THIRD COUNTRIES
Article 45: The Regulation prohibits the transfer of personal data of European Union data subjects to countries outside the European Union, unless appropriate safeguards are put in place (Article 46) or the European Commission has formally decided that the third country's data protection regime is adequate [28].
The regulation of data protection in the European legal system through Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the "General Data Protection Regulation", is effective in its application to industry. Nowadays, data is regarded as one of the most important resources an organisation has. The management of data, and its correct reading and use, produces significant advantages for business and operational decisions.
Having an analytical advantage is essential, and organisations go looking for it. Survey results reveal the bottom line: 58% of leading analytics organisations saw a direct relationship between their data analytics activities and a "significant improvement" in their competitive positions. In fact, 60% of these organisations reported revenue growth of over 7%, while more than a quarter of the analytics leaders reported revenue growth of over 15%. By contrast, 18% of the organisations described as "followers" recorded revenue increases below 5%.
References
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
"Age of consent in the GDPR: updated mapping". Available at https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/. Accessed 27 May 2020.
European Commission, "Guidelines on the right to data portability", 2017.
"European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)".