The GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR), in German Datenschutz-Grundverordnung (DSGVO), is a legal framework for the protection of personal data within the European Union. The regulation was finalized in 2016, came into force in 2018, and applies to all companies that process data of EU citizens, regardless of the company’s location (p. 221, Jarmul 2023).
The GDPR in brief
All laws and articles of the GDPR can be found online: https://gdpr-info.eu/.
The GDPR guarantees 8 fundamental rights for people residing in the EU, and for their data:
| Data Right | Description |
|---|---|
| Right to be informed | People must be informed on how their data is being used, processed, collected, and so forth. |
| Right to access | People can access what information is held about them. |
| Right to rectification | People can correct information that is false or misleading. |
| Right to deletion/erasure | People can ensure companies delete their data. |
| Right to restrict processing | People can opt out or restrict how their data is being used and processed. |
| Right to data portability | People can take their data with them, to use themselves or to try competitor services. |
| Right to object | People can object to the usage of their data for particular uses (like marketing, research). |
| Right to opt out of automated decision making | People can opt out of automated decision making processes, such as algorithmic or machine learning systems. |
What does the GDPR regulate?
- the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- the free movement of personal data within the Union, which shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The GDPR is based directly on EU law (Article 16 TFEU) and replaced the older Data Protection Directive (1995). Unlike a directive, which requires member states to implement it in their national laws, the GDPR is a ‘Regulation’, meaning it applies directly throughout the entire EU. This also means that no EU country may provide less data protection and privacy than laid out in the GDPR (Hildebrandt, 136).
When does the GDPR apply?
- when personal data is being processed (Art. 2)
Definitions in the GDPR
Below are some definitions that the GDPR operates on (Article 4).
Personal data is any information connected to a person who can be identified, either directly (for example, by their name or ID number) or indirectly (for example, through location, online accounts, or details about their body, health, finances, culture, or social life).
Processing means doing anything with personal data, whether by hand or with a computer. This includes things like collecting, recording, organizing, storing, changing, looking up, using, sharing, combining, limiting, deleting, or destroying the data.
Controller means the person, company, public authority, or organization that decides why personal data is processed and how it is processed. In some cases, the law itself decides who the controller is or sets rules for how the controller is chosen.
Processor means the person, company, or organization that processes personal data on behalf of the controller. They follow the controller’s instructions and don’t decide the purpose or the means of the processing themselves.
It is important to know that these rights apply to all EU residents, whether they are currently in the EU or not.
Principles of lawful processing
To ensure the lawful processing of personal data, organizations, particularly data controllers, must adhere to a set of fundamental principles, as outlined prominently in Article 5 of the EU General Data Protection Regulation (GDPR). These principles serve as overarching requirements that must be met in addition to having a valid legal basis for processing.
The seven core principles of lawful processing under the GDPR are:
- Lawfulness, Fairness, and Transparency (Hildebrandt 2020):
- Lawfulness requires that all processing operations have a valid legal basis, as exhaustively listed in Article 6 of the GDPR (see legal basis).
- Fairness implies balancing and proportionality tests, considering the relevant interests and fundamental rights at stake.
- Transparency necessitates providing clear and accessible information to data subjects, for instance, through privacy notices, and is further detailed in Articles 13, 14, and 15 GDPR. It ensures that data subjects can predict how their data will be handled and what outcomes to expect.
- Purpose Limitation:
- Personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Vague or broad goals, such as “data might become useful” or “for commercial goals,” are prohibited.
- Further processing for a new purpose is permissible if it is “not incompatible” with the original purpose. Factors for determining compatibility include the link between purposes, collection context, data nature/sensitivity, potential consequences for the data subject, and the existence of safeguards like encryption or pseudonymization.
- Notably, further processing for archiving in the public interest, scientific or historical research, or statistical purposes is explicitly deemed compatible with the initial purposes, provided suitable safeguards are in place.
- Data Minimization:
- Data collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
- Accuracy:
- Personal data must be accurate, and when necessary, kept up to date.
- Controllers are legally obliged to take every reasonable step to ensure that inaccurate personal data is erased or rectified without delay, especially concerning the purposes for which it is processed.
- Storage Limitation:
- Personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
- This also prevents keeping the data for longer than necessary “just in case”.
- Integrity and Confidentiality:
- Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
- The GDPR mandates “appropriate” security, not “perfect” security. This principle connects directly to the requirement of security by design (Article 32 GDPR) and the obligation for controllers to notify supervisory authorities and data subjects in case of data breaches (Articles 33 and 34 GDPR). Pseudonymization and encryption are examples of security measures that can be implemented.
- Accountability:
- “The controller shall be responsible for, and be able to demonstrate compliance with” all the aforementioned principles.
- This principle makes the data controller the focal point of responsibility and liability under the GDPR. It requires controllers to maintain records of processing activities, and in some cases, to appoint a Data Protection Officer (DPO). The accountability principle underscores a proactive approach to compliance, moving beyond merely reactive measures.
Integration with other legal frameworks
To date, no overarching international framework for anonymisation exists; it would also be quite hard to find common ground between the varying legal frameworks.