The General Data Protection Regulation, referred to simply as the “GDPR”, is Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016. It concerns the protection of natural persons regarding the processing of personal data and on the free movement of this data.
The GDPR covers the processing of ‘personal data’ that relates to ‘data subjects’ by or on behalf of a ‘data controller’. ‘Personal data’ is defined as any information that relates to an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is anyone that can be identified, either directly or indirectly, by reference to anything that can ultimately identify them. This includes a name, an identification number, location data, an online identifier or to data that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The ‘data controller’ bears the responsibility to prove that it is properly following the guidelines and regulations regarding the acquisition and management of personal data. These Regulations include the following principles regarding the handling of personal data:
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Personal data that is known to be inaccurate is to be erased or rectified without delay.
- Storage limitation: Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary.
- Integrity and confidentiality: Personal data must be processed in an appropriately secure manner including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by the use of appropriate technical or organizational measures.
- Accountability: The data controller is responsible for, and has to be able to demonstrate compliance with, the principles stated above.
In addition to the principles listed above, data controllers must also meet at least one the following criteria:
- Obtain consent: The data subject must give clear consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract: Data processing is necessary for the performance of a contract with or on behalf of the data subject. For associations, membership and the delivery of services can be considered a contract. “Necessary” is a key element here however. Regulators and the courts are likely to interpret this narrowly and convenience is not the same as a necessity!
- Compliance with a legal obligation: Data processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Vital interests: Data processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public interest: Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. To meet this requirement it is likely to be in the interest of the public in the relevant Member State – US public interest will not be sufficient.
Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.