Data Protection Law Consultation
From 25 May 2018, the principal data protection legislation in the EU is Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). It followed the repeal of Directive 95/46/EC (the Data Protection Directive), and its main objective is increased, though not absolute, harmonisation of data protection law across the EU member states.
The GDPR applies to all businesses established in any of the EU member states which process personal data in the context of that establishment. A business not established in an EU member state but subject to EU law by virtue of public international law is also subject to the GDPR. It also applies to any business outside the EU that processes the personal data of EU residents in the following two situations:
- offering goods or services to EU residents, whether or not payment is required
- monitoring the behaviour of EU residents, insofar as that behaviour takes place in the EU
The main rules applying to the processing of personal data are:
Personal data must be processed in a fair, lawful and transparent manner.
Legal foundation for processing
Processing of personal data is lawful only if, and to the extent that, it is authorised under EU data protection law. The GDPR sets out the legal bases for processing personal data; the following are the most relevant for businesses:
- consent: consent freely given in advance by the data subject
- contractual necessity: the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract
- compliance with a legal obligation: the controller (the authority, agency or other legal body) is legally required to carry out the processing
- legitimate interests: the processing is necessary for the legitimate interests pursued by the controller, except where those interests conflict with the data subject's fundamental rights and freedoms, including the right to data protection
- processing of sensitive personal data: this is authorised only in certain scenarios, of which the following are relevant for businesses:
  - explicit consent given by the data subject
  - processing in the context of employment law
  - processing necessary for the establishment, exercise or defence of legal claims
Personal data may only be collected for clear and legitimate purposes and may only be processed in a manner compatible with the purposes specified. A controller wishing to use collected data for a different purpose must follow the legal procedure for doing so and inform the data subject of the new processing.
Personal data collected must always be adequate, relevant and restricted to the purposes for which it is processed.
Personal data must always be accurate and kept up to date. Every business must ensure that inaccurate personal data is erased or rectified immediately.
Personal data must be kept only for as long as the processing purposes require, and in a form that identifies data subjects only for as long as that identification is needed.
Personal data must always be processed in a way that ensures the security of the data, using appropriate technical measures, including protection against unlawful processing and against damage or loss.
The controller is responsible for compliance with data protection regulations and must always be able to demonstrate that compliance.