General Data Protection Regulation
Undoubtedly, like mine, your email inbox was inundated last week with notifications from companies regarding their updated privacy policies. Under the EU General Data Protection Regulation (GDPR), which took effect on May 25, 2018, organizations are now required to provide individuals with extensive information about the processing of their personal data. These requirements are more detailed than under the former Data Protection Directive and are geared towards transparency and fairness for the individual.
It is important for data controllers situated outside the EU to know the circumstances in which their processing activities might be governed by the strict EU regime. This is particularly relevant to two types of processing.
First, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1), GDPR). This is likely to be extended to the EEA. This provision reflects that, in contrast to the current regime, data processors are now specifically included within the scope of the Regulation.
Second, the GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to either of the following:
As well as satisfying the notice requirements under the GDPR by communicating what personal data are processed, for what purposes, and what disclosures of personal data are made, a GDPR-compliant privacy policy also gives organizations the foundation for obtaining fully informed consent from individuals, on which organizations can rely as a legal basis for the processing described in the privacy policy.
Articles 13 and 14 of the GDPR set out the content that must be included in a privacy policy. GDPR-compliant privacy policies must include the following:
The GDPR defines personal data as “any information relating to a data subject” (Article 4(1)). A data subject is the identified or identifiable person to whom the personal data relates. A person is identifiable if he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of that person (Article 4(1), GDPR).
The GDPR sets out a number of principles with which data controllers and processors must comply when processing personal data (Article 5). These principles form the core of the obligations of the data controller and will usually form the basis of any claim that a data controller has not complied with its statutory duties.
Article 5 includes the following data protection principles:
The GDPR confers a wide range of enforcement powers upon supervisory authorities. Data controllers that fail to present their privacy policies in an appropriate manner, or to include required information, could expose their organizations to potential enforcement action by supervisory authorities.
Supervisory authorities can issue fines for non-compliance, which should be “effective, proportionate and dissuasive”. Fines will be imposed instead of, or in addition to, other measures that may be ordered by supervisory authorities. The level of the fine imposed depends on the type of contravention. A non-compliant privacy policy subjects an organization to a fine of up to EUR 20,000,000 or 4% of global turnover, whichever is the higher.