Data Sharing and Usage | General Data Protection Regulations (GDPR)

Cathy Bruce; Bradley Maclean; Connor Loughlean; Dana Capell; David Hobson; David Phipps; Doug Knox; Elizabeth Shantz; Farzana Crocco; Jason Muloongo; Jayne Morrish; Jessica Bowes; Jim Banting; Julie Gregory; Katrina Keefer; Les Jacobs; Margo Langford; Michelle Stringer; Shawna Reibling; Stephanie Whitney; Steve De Brabandere

129 Data Sharing and Usage | General Data Protection Regulations (GDPR)

The General Data Protection Regulations (GDPR) is European Union (EU) legislation which became effective May 25, 2018, governing the collection and use of personal data in the EU. The GDPR replaces the Data Protection Directive 95/46/EC. The GDPR codifies and unifies the data privacy laws across all the EU member countries, the UK and some EEC states, and is applicable to any resident of the European Union and, most importantly, for any company doing business with residents of the EU. Specifically, the extended jurisdiction of the GDPR states clearly that it applies to all companies processing the personal data of subjects residing in the Union.

Seven Principles

Lawfulness, fairness and transparency.
Purpose limitation.
Data minimisation.
Accuracy.
Storage limitation.
Integrity and confidentiality (security)
Accountability.

Definition

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

When does GDPR apply?

The processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the EU or not.
The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
- The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or the monitoring of their behaviour as far as their behaviour takes place within the EU.
- The processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Joint Controllers

If two or more parties jointly determine the purposes and means of processing, they are considered joint controllers.

The controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under GDPR, including in relation to the exercising of the rights of the data subject and their respective duties to provide information in accordance with the Regulations, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The essence of the arrangement must be made available to the data subject.
Regardless of the arrangement between the joint controllers, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Controller Representatives

Controllers not established in the EU but collecting personal information in the EU, must designate in writing a representative in the EU. The representative must be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

The representative must be mandated by the controller or to be addressed in addition to or instead of the controller by the supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation. The designation of the representative does not affect any legal action being initiated against the controller themselves.

Processor Obligations

Processors must provide sufficient guarantees that they implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Processor shall not engage another processor without prior specific or general written authorisation of the controller.

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

The processor will:

Process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country
Ensure that persons authorised to process the personal data have committed themselves to confidentiality
Implement appropriate security measures, assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing
Assist the controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights.
At the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies.
Make available to the controller all information necessary to demonstrate compliance with the obligations of a processor in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.