Blog

EU General Data Protection Regulation

Chapter 1 General Provisions

  • Article 1 

Subject-matter and objectives 

This Regulation contains rules on processing personal data and the free movement of personal data to protect the fundamental rights and freedoms of natural persons and their right to protection of personal data 

  • Article 2 

Material Scope  

This Regulation applies to the processing of personal data which form part of a filing system. 

  • Article 3 

Territorial Scope  

This Regulation applies to controllers and processors in the Union and controllers or processors not in the Union if they process personal data of data subjects who live in the Union. 

  • Article 4 

Definitions  

This Article contains 26 essential definitions. 

Chapter 2  Principles

This chapter outlines the rules for processing and protecting personal data. 

  • Article 5 

Principles relating to processing of personal data  

Personal data shall be processed lawfully, fairly, and in a transparent manner; collected for specified, explicit, and legitimate purposes; be adequate, relevant, and limited to what is necessary; etc. 

  • Article 6 

Lawfulness of processing 

There are six reasons that make processing lawful if at least one is true (e.g. data subject has given consent, processing is necessary for the performance of a contract, etc). 

  • Article 7 

Conditions for Consent  

When processing is based on consent, whoever controls the personal data must prove consent to the processing, and the data subject can withdraw consent at any time. 

  • Article 8 

Conditions applicable to child’s consent in relation to information societal services 

Information society services can process personal data of a child if the child is over 16. If the child is under 16, the legal guardian must consent. 

  • Article 9 

Processing special categories of personal data  

Processing personal data revealing race, political opinions, religion, philosophy, trade union membership, genetic data, health, sex life, and sexual orientation is prohibited unless the subject gives explicit consent, it’s necessary to carry out the obligations of the controller, it’s necessary to protect the vital interests of the data subject, etc. 

  • Article 10 

Processing personal data related to criminal convictions and offenses  

Processing personal data related to criminal convictions can only be carried out by an official authority or when Union or Member State law authorizes the processing. 

  • Article 11 

Processing which does not require identification  

The controller does not need to get or process additional information to identify the data subject if the purpose for which the controller processes data does not require the identification of a data subject. 

Chapter 3 Rights of The Data Subjects

This chapter discusses the rights of the data subject, including the right to be forgotten, right to rectification, and right to restriction of processing. 

Section 1 Transparency and modalities 

  • Article 12 

Transparent information, communications, and modalities for the exercise of the rights of the data subject  

When necessary, the controller must provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and the controller needs to provide information on action taken on request by and to the data subject within one month. Page Break 

Section 2 Information and access to personal data 

  • Article 13 

Information to be provided where personal data are collected from the data subject  

When personal data is collected from the data subject, certain information needs to be provided to the data subject. 

  • Article 14 

Information to provide to the data subject when personal data has not been obtained from data subject  

When personal data is not obtained from the data subject, the controller has to provide the data subject with certain information. 

  • Article 15 

Right of access by the data subject  

The data subject has a right to know whether their personal data is being processed, what data is being processed, etc. 

Section 3 Rectification and Erasure 

  • Article 16 

Right to rectification 

The data subject can require the controller to rectify any inaccurate information immediately. 

  • Article 17 

Right to be forgotten 

In some cases, the data subject has the right to make the controller erase all personal data, with some exceptions. 

  • Article 18 

Right to restriction of processing 

In some cases, the data subject can restrict the controller from processing. 

  • Article 19 

Notification obligation regarding rectification or erasure of personal data or restriction of processing 

The controller has to notify recipients of personal data if that data is rectified or erased. 

  • Article 20 

Right to data portability  

The data subject can request to receive their personal data and give it to another controller or have the current controller give it directly to another controller. 

Section 4 Right to Object and Automated Individual decision-making 

  • Article 21 

Right to Object  

Data subjects have the right to object to data processing on the grounds of his or her personal situation. 

  • Article 22

Automated individual decision-making, including profiling

Data subjects have the right not to be subjected to automated individual decision-making, including profiling.

Section 5 Restrictions

  • Article 23

Restrictions 

Union or Member State law can restrict the rights in Articles 12 through 22 through a legislative measure.

Chapter 4 Controller and Processor

This chapter covers the general obligations and necessary security measures of data controllers and processors, as well as data protection impact assessments, the role of the data protection officer, codes of conduct, and certifications. 

Section 1 General Obligations 

  • Article 24 

Responsibility of the Controller 

The controller has to ensure that processing is in accordance with this Regulation. 

  • Article 25 

Data protection by design and by default 

Controllers must implement data protection principles in an effective manner and integrate necessary safeguards to protect rights of data subjects. 

  • Article 26 

Joint Controllers 

When there are two or more controllers, they have to determine their respective responsibilities for compliance. 

  • Article 27 

Representatives of controllers or processors not established in the Union  

When the controller and processor are not in the Union, in most cases they have to establish a representative in the Union.  

  • Article 28 

Processor  

When processing is carried out on behalf of a controller, the controller can only use a processor that provides sufficient guarantees to implement appropriate technical and organizational measures that will meet GDPR requirements. 

  • Article 29 

Processing under the authority of the controller or processor 

Processors can only process data when instructed by the controller. 

  • Article 30 

Records of Processing Activities 

Each controller or their representatives needs to maintain a record of processing activities and all categories of processing activities. 

  • Article 31 

Cooperation with the supervisory authority  

The controller and processor have to cooperate with supervisory authorities. 

 Section 2 Security of personal data 

  • Article 32 

Security of processing  

The controller and processor must ensure a level of security appropriate to the risk. 

  • Article 33 

Notification of a personal data breach to the supervisory authority 

In the case of a breach, the controller has to notify the supervisory authority within 72 hours, unless the breach is unlikely to result in risk to people. And the processor needs to notify the controller immediately. 

  • Article 34 

Communication of a personal data breach to the data subject 

When a breach is likely to cause risk to people, the controller has to notify data subjects immediately. 

Section 3 Data protection impact assessment and prior consultation 

  • Article 35 

Data protection impact assessment 

When a type of processing, especially with new technologies, is likely to result in a high risk for people, an assessment of the impact of the processing needs to be done.Page Break 

  • Article 36:  

Prior consultation  

The controller needs to consult the supervisory authority when an impact assessment suggests there will be high risk if further action is not taken. The supervisory authority must provide advice within eight weeks of receiving the request for consultation. 

Section 4 Data protection officer 

  • Article 37 

Designation of the data protection officer 

The controller and processor must designate a data protection officer (DPO) if processing is carried out by a public authority, processing operations require the systematic monitoring of data subjects, or core activities of the controller or processor consist of processing personal data relating to criminal convictions or on a large scale of special categories of data pursuant to Article 9. 

  • Article 38 

Position of the data protection officer  

The DPO must be involved in all issues which relate to the protection of personal data. The controller and processor must provide all necessary support for the DPO to do their tasks and not provide instruction regarding those tasks. 

  • Article 39 

Tasks of the data protection officer 

The DPO must inform and advise the controller and processor and their employees of their obligations, monitor compliance, provide advice, cooperate with the supervisory authority, and act as the contact point for the supervisory authority. 

Section 5 Codes of conduct and certification 

  • Article 40 

Codes of conduct  

Member States, the supervisory authorities, the Board, and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR. 

  • Article 41 

Monitoring of approved codes of conduct  

A body with adequate expertise in the subject-matter and is accredited to do so by the supervisory authority can monitor compliance with a code of conduct. Page Break 

  • Article 42 

Certification  

Member States, the supervisory authorities, the Board, and the Commission shall encourage the establishment of data protection certification mechanisms to demonstrate compliance. 

  • Article 43 

Certification bodies  

 Certification bodies accredited by Member States can issue and renew certifications. 

Chapter 5 Transfers of Personal Data to Third Countries or International Organisations 

This chapter provides the rules for transferring personal data that is undergoing or will undergo processing outside of the Union.

  • Article 44

General principle for transfers 

Controllers and processors can only transfer personal data if they comply with the conditions in this chapter.

  • Article 45

Transfers on the basis of an adequacy decision

A transfer of personal data to a third country or international organization can occur if the Commission has decided the country or organization can ensure an adequate level of protection.

  • Article 46

Transfers subject to appropriate safeguards 

If the Commission has decided it can’t ensure an adequate level of protection, a controller or processor can transfer personal data to a third country or organization if it has provided appropriate safeguards.

  • Article 47

Binding Corporate rules

The supervisory authority will approve binding corporate rules in accordance with the consistency mechanism in Article 63.

  • Article 48

Transfers or disclosures not authorized by Union law

Any decision by a court or administrative authority in a third country to transfer or disclose personal data is only enforceable if the decision is based on an international agreement.

  • Article 49

Derogations for specific situations

If there is no adequacy decision (Article 45) or appropriate safeguards, a transfer of personal data to a third country or organization can only happen if one of seven certain conditions are met.

  • Article 50

International cooperation for the protection of personal data 

The Commission and supervisory authority have to do their best to further cooperation with third countries and international organizations.

Chapter 6 Independent Supervisory Authority

This chapter requires that each Member State have a competent supervisory authority with certain tasks and powers.

Section 1 Independent status

  • Article 51

Supervisory authority 

Each Member state has to supply at least one independent public authority to enforce this regulation.

  • Article 52

Independence 

Each supervisory authority has to act with complete independence, and its members have to remain free from external influence.

  • Article 53

General conditions for the members of the supervisory authority

Member states need to appoint members of the supervisory authority in a transparent way, and each member must be qualified.

  • Article 54

Rules on the establishment of the supervisory authority

Each Member State needs to provide, in law, the establishment of each supervisory authority, qualifications for members, rules for appointment, etc.

Section 2 Competence, tasks, and powers

  • Article 55

Competence 

Each supervisory authority must be competent to perform the tasks in this Regulation.

  • Article 56

Competence of the lead supervisory authority

The supervisory authority of a controller or processor that is doing cross-border processing will be the lead supervisory authority.

  • Article 57

Tasks

In its territory, each supervisory authority will monitor and enforce this Regulation, promote public awareness, advise the national government, provide information to data subjects, etc.

  • Article 58

Powers

Each supervisory will have investigative, corrective, authorization, and advisory powers.

  • Article 59

Activity Report

Each supervisory authority must write an annual report on its activities.

Chapter 7 Co-operation and Consistency 

This chapter outlines how supervisory authorities will cooperate with each other and ways they can remain consistent when applying this Regulation and defines the European Data Protection Board and its purpose.

Section 1 Cooperation

  • Article 60

 Cooperation between the lead supervisory authority and the other supervisory authorities concerned 

The lead supervisory authority will cooperate with other supervisory authorities to attain information, mutual assistance, communicate relevant information, etc.

  • Article 61

Mutual assistance

Supervisory authorities must provide each other with relevant information and mutual assistance in order to implement and apply this regulation.

  • Article 62

Joint operations of supervisory authorities 

Where appropriate, supervisory authorities will conduct joint operations.

Section 2 Consistency

  • Article 63

Consistency mechanism 

For consistent application of this Regulation, supervisory authorities will cooperate with each other and the Commission through the consistency mechanism in this section.

  • Article 64

Opinion of the Board 

If a supervisory authority adopts any new measures, the Board will issue an opinion on it.

  • Article 65

Dispute resolution by the Board 

The Board has the power to resolve disputes between supervisory authorities.

  • Article 66

Urgency Procedure 

If there is an urgent need to act to protect data subjects, a supervisory authority may adopt provisional measures for legal effects that do not exceed three months.

  • Article 67

Exchange of information 

The Commission may adopt implementing acts in order to specify the arrangements for the exchange of information between supervisory authorities.

Section 3 European data protection board

  • Article 68:

European Data Protection Board 

The Board is composed of the head of one supervisory authority from each Member state.

  • Article 69

Independence 

The Board must act independently when performing its tasks or exercising its powers.

  • Article 70

Tasks of the Board

The Board needs to monitor and ensure correct application of this Regulation, advise the Commission, issue guidelines, recommendations, and best practices, etc.

  • Article 71

Reports

The Board will write an annual public report on the protection of natural persons with regard to processing.

  • Article 72

Procedure 

The Board will consider decisions by a majority vote and adopt decisions by a two-thirds majority.

  • Article 73

Chair 

The Board elects a chair and two deputy chairs by a majority vote. Terms are five years and are renewable once.

  • Article 74

Tasks of the chair 

The Chair is responsible for setting up Board meetings, notifying supervisory authorities of Board decisions, and makes sure Board tasks are performed on time.

  • Article 75

Secretariat 

The European Data Protection Supervisor will appoint a secretariat that exclusively performs tasks under the instruction of the Chair of the Board, mainly to provide analytical, administrative, and logistical support to the Board.

  • Article 76

Confidentiality

Board discussions are confidential.

Chapter 8 Remedies, Liability, and Penalties 

This chapter covers the rights of data subjects to judicial remedies and the penalties for controllers and processors.

  • Article 77

Right to lodge a complaint with a supervisory authority 

Every data subject has the right to lodge a complaint with a supervisory authority.

  • Article 78

Right to an effective judicial remedy against a supervisory authority 

Each natural or legal person has the right to a judicial remedy against a decision of a supervisory authority.

  • Article 79

Right to an effective judicial remedy against a controller or processor

Each data subject has the right to a judicial remedy if the person considers his or her rights have been infringed on as a result of non-compliance processing.

  • Article 80 

Representation of data subjects 

Data subjects have the right to have an organization lodge a complaint on his or her behalf.

  • Article 81

Suspension of proceedings 

Any court in a Member State that realizes proceedings for the same subject that is already occurring in another Member State can suspend its proceedings.

  • Article 82

Right to compensation and liability

Any person who has suffered damage from infringement of this Regulation has the right to receive compensation from the controller or processor or both.

  • Article 83

General conditions for imposing administrative fines 

Each supervisory authority shall ensure that fines are effective, proportionate, and dissuasive. For infringements of Articles 8, 11, 25 to 39, 41, 42, and 43 fines can be up to $10,000,000 or two percent global annual turnover. For infringements of Articles 5, 6, 7, 9, 12, 22, 44 to 49, and 58 fines can be up to $20,000,000 or four percent of global annual turnover.

  • Article 84:

Penalties 

Member States can make additional penalties for infringements.Chapter 9 Provisions Relating to Specific Processing Situations

This chapter covers some exceptions to the Regulation and enables Member States to create their own specific rules.

  • Article 85

Processing and freedom of expression and information 

Member States have to reconcile the protection of personal data and the right to freedom of expression and information (for journalistic, artistic, academic, and literary purposes).

  • Article 86

Processing and public access to official documents 

Personal data in official documents for tasks carried out in the public interest may be disclosed for public access in accordance with Union or Member State.

  • Article 87

Processing of the national identification number 

Member States can determine the conditions for processing national identification numbers or any other identifier.

  • Article 88

Processing in the context of employment 

Member States can provide more specific rules for processing employees’ personal data.

  • Article 89:

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is subject to appropriate safeguards (data minimization and pseudonymization).

  • Article 90

Obligations of secrecy 

Member States can adopt specific rules for the powers of the supervisory authorities regarding controllers’ and processors’ obligation to secrecy.

  • Article 91

Existing data protection rules of churches and religious associations 

Churches and religious associations or communities that lay down their own rules for processing in order to protect natural persons can continue to use those rules as long as they are in line with this Regulation.

Chapter 10 Delegated Acts and Implementing Acts

  • Article 92

Exercise of the delegation 

The Commission has the power to adopt delegated acts. Delegation of power can be revoked at any time by the European Parliament or the Council.

  • Article 93

Committee procedure 

The Commission will be assisted by a committee.

Chapter 11 Final Provisions

This chapter explains the relationship with this Regulation to past Directives and Agreements on the same subject matter, requires the Commission to submit a report every four years, and enables the commission to submit legislative proposals.

  •  Article 94

Repeal of directive 95/46/EC 

1995 Directive 95/46/EC is repealed (The old personal data processing law).

  • Article 95

Relationship with Directive 2002/58/EC 

This Regulation does not add obligations for natural or legal persons that are already set out in Directive 2002/58/EC (has to do with the processing of personal data and the protection of privacy in the electronic communications sector).

  • Article 96

Relationship with previously concluded Agreements 

International agreements involving the transfer of data to third countries or organizations that were setup before 24 May 2016 will stay in effect.

  • Article 97

Commission reports 

 Every four years the Commission will submit a report on this Regulation to the European Parliament and to the Council.

  • Article 98

Review of other Union legal acts on data protection

The Commission can submit legislative proposals to amend other Union legal acts on the protection of personal data.

  • Article 99

Entry into force and application 

The Regulation applies from 25 May 2018.

1      What’s Data Privacy Law in Your Country?

When creating the content for your website, legal notices like your Terms of Service, Cookie Notifications, and Privacy Policies are often an afterthought.

Blog posts might be a lot more fun to write, but neglecting to give your readers the right information can get you in legal trouble.

You might think only the giants like Google and Facebook really need a Privacy Policy, or websites that handle data like credit card numbers or social security numbers.

In reality, many of the countries with modern data privacy laws have rules in place for handling any kind of information that can identify an individual or be used to do so.

Even if you just collect names and email addresses for your newsletter, display a few Google Ads on your site, or use browser cookies to get traffic analytics, you’re required by law in many jurisdictions to inform your audience of certain facts and policies of your website.

If you don’t, or if you just use a generic Privacy Policy template that doesn’t accurately reflect your policies, you could be threatened with legal action from your website visitors or your government, and end up paying huge fines or legal fees – or even face jail time.

Why take the risk? Save yourself the time, trouble, and expense of legal consequences, and get up to speed on your country’s privacy policy laws right here.

2      Privacy Laws by Country

Laws regarding privacy policy requirements for websites are generally included in information privacy or data protection laws for a country. These laws govern how information on private individuals can be used. A relatively recent legal development, privacy laws have now been enacted in over 80 countries around the world.

Argentina

Argentina’s Personal Data Protection Act of 2000 applies to any individual person or legal entity within the territory of Argentina that deals with personal data. Personal data includes any kind of information that relates to individuals, except for basic information such as name, occupation, date of birth, and address.

“Personal data” can, however, include the use of browser cookies. If you track your visitors using an analytics service, or if you use an ad network that uses cookies, then these policies will apply to you.

There is some legal disagreement about whether IP addresses count as personal data, with experts on both sides of the issue. To be on the safe side, you likely want to obtain consent if you collect any information regarding an individual’s IP address, or use cookies in any way.

According to Argentina’s laws concerning privacy, it’s only legal to handle or process personal data if the subject has given prior informed consent. Informed consent means you must tell them the purpose for gathering the data, consequences of refusing to provide the data or providing inaccurate information, and their right to access, correct, and delete the data. Also, any individual can request deletion of their data at any time.

Australia

Australia’s Privacy Principles (APP) is a collection of 13 principles guiding the handling of personal information. According to these principles, you must manage personal information in an open and transparent way, which means having a clear and up-to-date Privacy Policy about how you manage personal information.

Privacy Policies, according to Australian law, need to detail why and how you collect personal information, the consequences for not providing personal information, how individuals can access and correct their own information, and how individuals can complain about a breach of the principles.

One of the roles of the Office of the Australian Information Commissioner (OAIC) is to investigate any privacy complaints about the handling of your personal information. Anyone can make a complaint to the office for free at any time, and the office will investigate as soon as possible.

In order to avoid complaints about your handling of personal information, it’s important to have a clear and accurate Privacy Policy that includes all the requirements laid out by the APP.

Brazil

Brazil passed the Brazilian Internet Act in 2014 which deals with policies on the collection, maintenance, treatment and use of personal data on the Internet.

Any Brazilian individual and legal entity must obtain someone’s prior consent before collecting their personal data online, in any way. Consent can’t be given by those under 16 years old, and from 16 to 18 years old they must have assistance from their legal guardian to give consent. So, before collecting any information, be sure to ask whether the user is over 18 years of age.

It also states that your terms and conditions about how you collect, store, and use personal data need to be easily identifiable by your users, which means having an accurate and easy to understand privacy policy.

Canada

Canada’s Personal Information Protection and Electronic Data Act (PIPEDA) governs how you can collect, store, and use information about users online in the course of commercial activity. According to the act, you must make information regarding your privacy policies publicly available to customers.

Your Privacy Policy should be easy to find and to understand, and be as specific as possible about how you collect, handle, and use information.

For more information, check out the Privacy Toolkit and Fact Sheet from the Office of the Privacy Commissioner of Canada.

Chile

According to Chile’s Act on the Protection of Personal Data, passed in 1998, personal data can only be collected when authorized by the user. You also need to inform users of any sharing of information with third parties (such as if you have an email newsletter provider like MailChimp or AWeber that you share emails with).

However, you don’t need to get authorization for basic information like a person’s name or date of birth, or if you’re only using the data internally to provide services or for statistical or pricing purposes.

Colombia

Colombia’s Regulatory Decree 1377 states that you must inform users of the purpose their data will be used for, and you can’t use the data for any other purpose without obtaining consent.

Privacy Policies must include a description of the purpose and methods for processing data, the users’ rights over their data and the procedures for exercising those rights, and identification of who is responsible for handling the data.

Czech Republic

Act No. 101/2000 Coll., on the Protection of Personal Data governs how personal data is collected by anyone in the Czech Republic.

If you collect any kind of information relating to an identifiable person, you need to inform them of the purpose for collecting the data and the way it’s collected, and obtain their consent.

Denmark

Denmark passed the Act on Processing of Personal Data in 2000. The Danish Data Protection Agency supervises and enforces the privacy laws. If they discover violations of the law, they can issue a ban or enforcement notice, or even report the violation to the police.

According to the law, personal data can only be collected if the user gives explicit consent. Also, a company can’t disclose personal information to third parties for the purpose of marketing without consent.

Estonia

The Personal Data Protection Act of 2003 in Estonia states the personal data needs to be collected in an honest and legal way. You must obtain consent from users, and inform them of the purpose of collecting their data, and only use it in that way. A Privacy Policy is the key way to inform users.

European Union

The General Data Protection Regulation (GDPR) became enforceable in 2018 and is to date the most robust privacy protection law in the world. It has since inspired other laws around the world to up their requirements and has inspired the creation of new laws.

The GDPR protects people in the EU from unlawful data collection or processing and works to increase consent requirements, provide enhanced user rights and require a Privacy Policy that’s written in an easy-to-understand way.

Finland

The Personal Data Act governs the processing of personal data gathered in Finland, where privacy is considered a basic right. Anyone who gathers personal data in Finland must have a clearly defined purpose for gathering the data, and may not use it for any other purpose.

Personal data can only be gathered after obtaining unambiguous consent from the user.

The controller (the person or corporation collecting the data) of the collected data also needs to create a description of the data file, including their name and address and the purpose for collecting the data. This description needs to be made available to anyone.

There are also special restrictions that apply if you’re collecting data for the purpose of direct marketing or other personalized mailing related to marketing. Your database must be limited to basic information and contact information (no sensitive data can be collected).

France

The Data Protection Act (DPA) of 1978 (revised in 2004) is the main law protecting data privacy in France. The Postal and Electronics Communications Code also touches on the collection of personal data when it’s used for sending electronic messages.

The DPA applies to the collection of any information that can be used to identify a person, which is very broad in scope. The rules apply to anyone collecting data who is located in France or who carries out its activities in an establishment in France (such as if your hosting server or other service provider related to collecting or processing data is located in France). This is why the French Data Protection Authority was able to fine Google for violating their privacy laws.

Before automatically processing any kind of personal data, you must obtain the consent of the subject, and inform them of a number of things, including the purpose of the processing, the identity and address of the data controller, the time period the data will be kept, who can access the data, how the data is secured, etc.

Germany

In Germany, the Federal Data Protection Act of 2001 states that any collection of any kind of personal data (including computer IP addresses) is prohibited unless you get the express consent of the subject. You also have to get the data directly from the subject (it’s illegal to buy email lists from third parties, for example).

According to the act’s Principle of Transparency section, the subject must be informed of the collection of the data and its purpose. Once the data is collected for a specific purpose, you can’t use it for any other purpose without getting additional consent.

These laws apply to any collection of data on German soil, and Federal Data Protection Agency and 16 separate state data protection agencies enforce them.

Greece

The Processing of Personal Data laws in Greece protect the rights of individuals’ privacy in regard to electronic communications.

The processing of personal data is only allowed in Greece if you obtain consent after notifying the user of the type of data and the purpose and extent of processing. Consent can be given by electronic means if you ensure that the user is completely aware of the consequences of giving consent. Also, they can withdraw consent at any time.

Hong Kong

Hong Kong’s Personal Data Ordinance states that users must be informed of the purpose of any personal data collection, and the classes of persons the data may be transferred to (such as if you use any third-party services for processing data, like a email newsletter service).

The openness principle of the ordinance states that your personal data policies and practices must be made publicly available, including what kind of data you collect and how it’s used.

If you’re in violation of the Personal Data Ordinance, you could face fines up to HK$50,000 and up to 2 years in prison, and you could be sued by your users as well.

Hungary

In Hungary, the privacy of personal data is protected by Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests. Its main purpose is to ensure that individuals have control over their own data.

According to the act, you must obtain a person’s consent in order to handle their personal data. You can only collect data with an express purpose, and you must inform the user that handing over their personal data is voluntary.

If you violate the act, then your users may sue you, and you may be liable to pay for any damage you cause by mishandling their data.

Iceland

Iceland has been called the ‘Switzerland of data‘ for its strict privacy laws. The Data Protection Act of 2000 states that data must be obtained for specific purposes, and only after the subject has given unambiguous and informed consent.

In order to give consent, they must be made aware of the type of data collected, the purpose of the collection, how the data processing is conducted, how their data is protected, and that they can withdraw their consent at any time.

Not obeying the act could result in fines or even a prison term up to 3 years.

Ireland

In Ireland, the privacy of personal data is regulated by the Data Protection Act 1988, including a 2003 amendment. There’s also the ePrivacy Regulations 2011 (S.I. 336 of 2011), which deals with electronic communication.

Ireland differentiates between an organization’s Privacy Policy and their public Privacy Statement. A Privacy Policy is a detailed legal document that explains how the organization applies all the 8 data protection principles of the law.

A Privacy Statement, on the other hand, is a public document on a website that clearly and concisely declares how the organization applies the principles to how they collect personal data (including the use of browser cookies) through their website.

It’s a legal requirement for any organization in Ireland to have a public Privacy Statement on its website.

If your website collects any kind of personal information or tracks users with cookies, and you don’t have a privacy statement, you could be investigated by the Data Protection Commissioner and fined up to €100,000.

India

In India, the Information Technology Act clearly states that every business must have a privacy policy published on its website, whether or not you deal with sensitive personal data. The Privacy Policy needs to describe what data you collect, the purpose of the data, any third parties it might be disclosed to, and what security practices you use to protect the data.

Certain sensitive data, including passwords or financial information, can’t be collected or processed without the prior consent of the user.

Italy

Italy’s Data Protection Code states has strict rules for any kind of electronic marketing. According to the code, you must obtain a user’s consent before tracking them or using data for advertising or marketing communications. You must provide the users with specific information before collecting or processing their data, including the purpose and methods for processing the data and their individual rights under the law.

The Italian Data Protection Authority protects the rights of individuals regarding the privacy of their personal data. They can impose fines, such as the million-euro fine they threatened Google with for violating Italian privacy regulations.

Japan

In Japan, the Personal Information Protection Act protects the rights of individuals in regard to their personal data. The definition of personal data in the act is very broad, and even applies to information that could be found in a public directory.

The act states that you must describe as specifically as possible the purpose of the personal data you’re collecting. Also, in order to share the personal data with any third party (such as an email newsletter service) you must obtain prior consent.

Latvia

The Personal Data Protection Law of Latvia applies to the processing of all kinds of personal data. It states that you may only process personal data after obtaining the consent of the user. When you collect personal data, you must inform them of specific information, including the purpose for collecting their data, any third parties that might have access to their data, and their individual rights to protect their own data under the law.

Lithuania

Lithuania’s Law on Legal Protection of Personal Data states that in order to collect and process any kind of personal information that can identify an individual, you must obtain clear consent from the individual first. The law says that consent can only be defined as consent if the individual agrees for their data to be used for a specific purpose known to them, so you need to let users know exactly why you’re collecting their data, and how you’re going to use it, in order for their consent to be legally valid.

Luxembourg

In Luxembourg, Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data states that users must give informed consent before their data can be collected and processed. The user must be informed of your identity, your purpose for collecting their data, any third parties with access to their data, and their specific rights regarding their data.

Anyone in violation of the law could face prison time between 8 days to 1 year and/or a fine of anywhere from 251 to 125,000 euros.

Malaysia

Malaysia’s Personal Data Protection Act 2010 protects any personal data collected in Malaysia from being misused. According to the act, you must obtain the consent of users before collecting their personal data or sharing it with any third parties. In order for their consent to be valid, you must give them written notice of the purpose for the data collection, their rights to request or correct their data, what class of third parties will have access to their data, and whether or not they’re required to share their data and the consequences if they don’t.

Malta

In Malta, the right to privacy is considered a fundamental human right, and is protected in part by the Data Protection Act of 2001. The act states that personal data can only be collected and processed for specific, explicitly stated and legitimate purposes, and that the user must give their informed and unambiguous consent before it’s collected. For their consent to be valid, you must inform them of your identity and residence, the purpose of the data collection, any other recipients of the data, whether their participation is required or voluntary, and all about their applicable rights to access, correct, or erase the data.

Mexico

In Mexico, the Federal Law for the Protection of Personal Data Possessed by Private Persons deals with the privacy of personal data. The law says that you can only collect personal data for the reasons stated in your Privacy Policy, and that you must obtain consent for collecting and processing any personal data that isn’t publicly available. You also have an obligation to inform users of their rights regarding the data collected.

Morocco

Morocco’s Data Protection Act defines personal data as any information of any nature that can identify an individual person. In order to collect or process any personal data, it needs to be for a specific purpose, and you must obtain the express consent of the user before you collect it, unless the data was already made public by that individual.

For their consent to be valid, you need to inform the person of your identity, the purpose of the data collection, and their rights regarding their own data.

The National Commission for the Protection of Personal Data, established in 2010, conducts investigation and inquiries related to privacy laws. Breaking the law can be punishable by fines or even imprisonment.

The Netherlands

In the Netherlands, the Dutch Personal Data Protection Act states that you must obtain the unambiguous consent of the user before collecting or processing any information that personally identifies them.

New Zealand

According to New Zealand’s Privacy Act of 1993, you must collect any non-public personal information directly from the individual, and make sure they’re aware of your name and address, the purpose for the data collection, any recipients of that data, whether the collection is required by law or optional, and their rights regarding their own data.

Any user may make a complaint and possibly trigger an investigation into whether you’re following the law when collecting their personal data.

Norway

Norway’s Personal Data Act states that personal data can only be collected after obtaining the consent of the user. Before asking for consent, you need to inform them of your name and address, the purpose of the data collection, whether the data will be disclosed to third parties and their identities, the fact that their participation is voluntary, and their rights under the law.

The Philippines

The Philippines is known for having “one of the toughest data privacy legislations in the region.” In the Philippines, anyone who collects personal data needs to get specific and informed consent from the user first. You must declare the purpose of the data processing before you begin to collect it (or as soon as reasonably possible after).

Under the Republic Act No. 10173, individuals have the right to know your identity, what personal data you’re collecting and for what purpose, how it’s being processed, who it’s being disclosed to, and all their rights regarding their own data.

Romania

In Romania, the law states that you must inform users of their rights when collecting any kind of personal data, including their name. You also need to obtain their “express and unequivocal consent” beforehand.

Poland

Poland’s Act of the Protection of Personal Data, passed in 1997, states that the processing of data is only permitted if the data subject has given their consent. You’re also obliged to provide your name and address, the purpose of the data collection, any other recipients of the data, the subject’s rights, and whether participation is required or voluntary.

Portugal

According to Portugal’s Act on the Protection of Personal Data, the processing of data needs to be carried out in a transparent manner, respecting the privacy of your users. Personal data can only be collected for specific and legitimate purposes, and only after obtaining the unambiguous consent of the user. You must also provide the user with specific information including your identity, the purpose of the data processing, any other recipients of the data, etc.

Singapore

In Singapore, personal data is protected under the Personal Data Protection Act. According to the act, you may only collect personal data only with the consent of the individual, and the individual must be informed of the purpose for the data collection.

Slovenia

Slovenia’s Personal Data Protection Act states that you must obtain the informed consent of an individual before collecting or processing their personal data. In order for their consent to be valid, you need to inform them of your identity and the purpose of the data collection. You also need to inform them of any other information necessary to ensure that their data is being processed in a lawful and fair manner.

South Africa

South Africa’s Electronic Communications and Transactions Act applies to any personal data collected through electronic transactions, such as through a website. The act sets out nine principles that you must agree to in order to collect any personal data, and also requires that you disclose in writing to the subject the specific purpose of the data collection, and obtain their express consent before collecting their data.

South Korea

In South Korea, the Act on Promotion of Information and Communications Network Utilization and Data Protection states that any information and communications service provider needs to obtain the consent of the user before collecting personal information. In order for the consent to be valid, you must provide the user with specific information including your name and contact information, the purpose of the data collection, and the user’s rights concerning their own data.

The Framework Act on Telecommunications provides the definition of “information and communications service providers” as “services that mediate a third party’s communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party’s telecommunications.”

Spain

In Spain, the protection of personal data is regarded as a constitutional right. In order to collect any personal data, you need to provide the user with “fair processing information” including your identity and address, the purpose of the data processing, their rights under the law, whether participation is voluntary or mandatory, and any consequences for not providing their personal data.

Switzerland

Switzerland’s Federal Act on Data Protection states that any personal data collection or processing must be done in good faith, and that it needs to be evident to the user, especially the purpose of the data collection. In other words, you must inform the user that you’re collecting their personal data, and why. Personal data is defined as “all information relating to an identified or identifiable person.”

Sweden

In Sweden, the Personal Data Act protects the privacy of personally identifying information, which it loosely defines as any data that, directly or indirectly, is refers to a live person. It states that users are entitled to information concerning processing of their personal data, and that they must give consent before you can collect their data. Consent must be informed, voluntary, specific, and unambiguous.

Anyone who violates the act may be liable to pay fines or even sentenced to criminal penalties.

Taiwan

The Computer-Processed Personal Data Protection Law in Taiwan relates to specific kinds of personal data, including an individual’s name, date of birth, “social activities,” and any other data that can identify that individual. Data collection needs to be in good faith and in consideration of individuals’ rights. Any organization that collects personal data must publish a document that includes specific information including their name and address, the purpose and methods for the data collection, and any other recipients of the data.

United States

In the United States, data privacy isn’t as highly legislated on a federal level as most of the other countries on this list. Like with many issues, the federal government leaves a lot of the details up to each state. Laws also differ depending on the industry, which results in a confusing mess of rules and regulations for US website owners to navigate.

The FTC (Federal Trade Commission) regulates business privacy laws. They don’t require privacy policies per se, but they do prohibit deceptive practices.

Some federal laws that touch on data privacy include the Health Insurance Portability and Accountability Act of 1996 (HIPPA), which deals with health-related information, and the Children’s Online Privacy Protection Rule (COPPA), which applies to websites that collect data from children under the age of 13. Some states have more stringent laws than others, such as the California Online Privacy Protection Act (CalOPPA), which is the first law in the United States that specifically requires websites to post a Privacy Policy.

CalOPPA actually applies not just to websites based in California, but to any website that collects personal data from consumers who reside in California. With that in mind, website owners based in the United States are encouraged to err on the side of caution so they don’t run into legal trouble inadvertently.

CalOPPA requires that every website that collects personal data from users post a privacy policy that includes:

  • The type of personal data collected
  • Any third parties you share the data with
  • How users can review and change their data that you’ve collected
  • How you’ll update users of changes to your Privacy Policy
  • Your Privacy Policy’s effective date
  • How you’ll respond to Do Not Track requests

If there’s any chance that you’ll be collecting personal data from anyone in California, it’s best to comply with this law by creating an accurate privacy policy.

A few additional laws to be aware of in the US include the California Consumer Privacy Act (CCPA) and the Washington Privacy Act (WPA).

United Kingdom

In the UK, the mission of the Information Commissioner’s Office is to “uphold information rights in the public interest.”

The Data Protection Act requires fair processing of personal data, which means that you must be transparent about why you’re collecting personal data and how you’re going to use it. The law also states that if you use browser cookies, you need to clearly explain what they do and why you’re using them, and gain the informed consent of your users.

3      You Need a Privacy Policy

It may seem like overkill to create a complete Privacy Policy if you’re just collecting names and email addresses for your monthly newsletter, but in the Age of Information, it’s important to respect the importance of personal data and the privacy rights of your website users. Being transparent about how you collect and protect data will not only keep you out of trouble with the law, but will also help to establish trust with your audience.

The best thing you can do to be compliant with almost any privacy law is to have a transparent, informative Privacy Policy posted on your website or mobile app and keep it easy to read and up to date.

How to Conduct a Data Protection Impact Assessment

Of the many new measures imposed by the General Data Protection Regulation (GDPR), the requirements surrounding Data Protection Impact Assessments often cause the most confusion. Many business owners have no idea what the document is for or when it is required.

In this article, we’ll wade through the terminology to explain the complexities of Data Protection Impact Assessments so you can do your own successful assessment and document it in the best way possible.

How to Conduct a Data Protection Impact Assessment. 1

1…. What is the Purpose of a Data Protection Impact  Assessment?.. 2

2…. When is a Data Protection Impact Assessment  Necessary?.. 2

3…. When is a Data Protection Impact Assessment Not  Necessary?.. 4

4…. How to Perform a Data Protection Impact  Assessment. 5

4.1…. Describe Data Flows. 5

4.2…. Data Scope. 6

4.3…. Purposes of Data Processing.. 7

4.4…. Context of the Processing and Data Subjects. 8

5.Document Proper Consultation.. 11

6.Specific Compliance Measures. 15

7. .. Identify and Evaluate Data Protection Risks. 17

8.Risk Mitigation Strategies. 17

9. .. Approval & Sign-Off. 18

1      What is the Purpose of a Data Protection Impact  Assessment?

Data Protection Impact Assessments (DPIAs) are used to investigate, recognise, and mitigate potential risks to data before launching a new business endeavour or project.

By performing a DPIA before a new project, you can hope to:

  • Better understand the data protection risks that will be faced during the project
  • Calculate methods to decrease or eliminate those risks
  • Decide if the benefits of the project outweigh data protection risks
  • Prepare an informed statement that will disclose the risks to any individuals who will be affected
  • Document data protection measures to demonstrate GDPR compliance to supervisory authorities
  • Identify opportunities to incorporate “Data Production by Design” principles into the project

2      When is a Data Protection Impact Assessment Necessary?

According to Article 35 of the GDPR:

“Where a type of [data] processing… is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

In other words, if the project presents a high risk to personal data protection and privacy, then a DPIA will be necessary.

But how does one determine what presents a “high risk”? The GDPR and the Article 29 Working Party provide some examples of projects that would definitely call for a DPIA:

  • An extensive evaluation of consumer information in which decisions are made based upon automatic processing and profiling

Example:

A technology that uses a person’s financial history to automatically determine whether or not that person is eligible for a mortgage.

  • Processing special categories of data (sexual orientation, race, religion, etc.) or criminal offense history. 

Example:

A job board website that collects racial information or criminal history from consumers who wish to apply to online jobs.

  • A systematic monitoring of a public area on a large scale. 

Example:

Using a camera placed on a public road to record and monitor driver behaviour.

  • Evaluation or scoring of individuals, including profiling and predicting. 

Example:

An internet technology that monitors user behaviour and uses that information to build marketing profiles.

  • Automated decision-making with legal or otherwise significant effect on the lives of individuals. 

Example:

A computer program that uses the behavioural history of convicts to automatically determine if they will be granted parole.

  • Consumer data processed on a large scale. Although the term “large scale” is not defined, an example might be an online social network with millions of users.
  • Datasets that have been matched or combined

Example:

Direct marketing endeavours that involve purchasing consumer mailing lists.

  • Data concerning vulnerable data subjects that may be unable to provide valid consent. 

Example:

Processing the data of children or mentally ill individuals.

  • Innovative technological or organisational solutions

Example:

Software that provides user access based on fingerprints or face recognition.

  • When the data processing “prevents data subjects from exercising a right or using a service or a contract.” 

Example:

A credit card company using a person’s credit history as a basis for denying service.

As you can see, there are a lot of different scenarios that would call for a DPIA, and this is far from an exhaustive list. There are many more situations in which a new data processing project could put data protection at risk. A good rule of thumb is, if in doubt, perform a DPIA. When it comes to data security and GDPR compliance, it’s always wise to err on the side of too much rather than too little data protection.

3      When is a Data Protection Impact Assessment Not   Necessary?

In some situations, you can definitely rule out the necessity of a DPIA. These include:

  • Any new project that definitely does not entail a high risk to the rights and freedoms of consumers.
  • If you have already performed a DPIA for a previous project that is very similar, you can use the existing DPIA to demonstrate adequate data protection and compliance.
  • When the data processing project has an established legal basis in the EU.
  • If the data processing activity is on a supervisory authority’s list of permitted projects that do not require a DPIA.

4      How to Perform a Data Protection Impact Assessment

A DPIA should be performed after the details of a new data processing project have been established and planned out, but before the project is actually launched. The GDPR lays out some specific instructions as to what a DPIA should include:

  • detailed description of the project as well as the purpose of the project
  • An assessment of the necessity of the data processing involved and on what scale
  • An assessment of all possible risks to data protection and consumer privacy
  • An explanation as to how those risks will be mitigated and how the project will adhere to GDPR policies

While this may look like a relatively short list, there is a lot of research and effort involved in fulfilling these requirements. Below we’ve laid out steps you can take to create a comprehensive Data Protection Impact Assessment.

4.1     Describe Data Flows

Start by describing how data will be handled throughout the project. Detail is key here, so be as thorough as possible in examining your data processing activities from start to finish.

Here are some questions to ask as you compile this section:

  • How will the data be collected?
  • How will the data be used?
  • Where and how will it be stored?
  • What is the source of the data?
  • Will it be shared with any third party and if so, why?
  • Which high-risk data categories or activities will be involved?

This DPIA performed by Simprints Technology begins by answering some the questions above in detail:

It follows this up with several flowcharts to illustrate data flows, which makes it easy to visualize and really understand what happens with data.

This section of your DPIA may be rather simple if you only work with limited data collected in limited ways, but you can see how this section could get very complicated and lengthy.

4.2     Data Scope

Next, outline the scope of data processing. Here you will need to delve deeply into the data itself, describing the types of data that will be collected, the quantity of data, and so on. This section will differ according the company and project involved, but may cover the following points:

  • What categories of data will be collected?
  • Will it involve special or sensitive categories of data?
  • What quantity of data will be collected and how many consumers will be affected?
  • Is the data processing localized to a specific area?
  • How long will the data be retained?

Although the Privacy by Design Foundation does not go into all of these details at the outset of its DPIA, it provides a generalized scope here:

Note how the section is broken down into subsections to address things like the nature, the purpose, the scope and the context of the processing.

4.3     Purposes of Data Processing

Describe what the project is expected to achieve through data processing. What are the benefits for the data controller and how will consumers be affected?

UK Home Office Biometrics conducted a comprehensive DPIA to analyse new technologies to be used by the police force. This is how it describes the various purposes of the project:

You can see how these can simply be short but descriptive paragraphs discussing the projects. The text itself notes that they are “brief descriptions of the projects.”

4.4     Context of the Processing and Data Subjects

Here is where you start asking some of the more difficult questions. Think about the consumers who will be affected and how this data processing may affect them. This is also a good time to consider the context of the data processing project itself and its position in the industry.

Here are some questions to ask and answer during this phase:

  • What is your legal basis for collecting user data? Do you have appropriate consent measures in place?
  • Is your consumer base vulnerable in any way, such as in the case of children or mentally ill individuals?
  • Has this type of processing been performed before? Are there similar technologies already in place?
  • Have any security flaws been identified in similar projects?

The UK Ministry of Justice employs a question and answer format for DPIAs, asking similar questions to those above in order to establish context:

Later on, in the same document, the privacy context of the new technology is also established:

5.     Document Proper Consultation

Where appropriate and possible, data controllers are required to consult with consumers on their views about the new project. It may also be necessary to consult with your Data Protection Officer, data processors, or information security experts to understand the full implications and risks of the project.

If such consultations are appropriate and possible, you will need to document them in this section.

When proposing a new privacy bill to be passed into law, the Australian Department of the Treasury performed a massive 161-page DPIA to investigate all of the data protection implications that would be involved. This is a small part of the chapter discussing consultation:

6.     Specific Compliance Measures

Any major data processing project will need to address GDPR compliance from the outset. After all, that’s one reason you are conducting a DPIA in the first place. In this section, you will analyse whether or not data processing activities are compliant with the GDPR and other international privacy laws.

This is also a good place to describe what measures the business will be taking to ensure compliance at each phase of the project. Some topics that will need to be approached include:

  • What are the legal bases for the data processing? Will these bases remain valid throughout the duration of the project?
  • Is data processing necessary to achieve the overall purpose?
  • Is there any way to reduce or minimize the use of consumer data throughout the project?
  • How will consumer rights be upheld?
  • How will the data controller confirm that third-party processors also comply with privacy laws?
  • How will international data transfers be legally performed?

Simprints Technology solves this by going through the major tenets of the GDPR and briefly addressing each one:

Later on in the document, data transfers and consumer rights are addressed, thereby touching on all relevant GDPR policies.

7.     Identify and Evaluate Data Protection Risks

This section is considered the most important issue to explore in any DPIA. It is where data protection and privacy are analysed from all angles. Potential threats to privacy and data security must be considered and listed.

Although it is impossible to predict every potential risk scenario in a generalized article like this one, here are some points to review during risk assessment:

  • Are proper controls and safeguards in place to prevent or reduce unsafe data processing practices due to internal employee errors?
  • Is there a possibility that the project might evolve and change the way data is being processed beyond the scope of current legal bases?
  • Has security software been properly updated and audited against potential data theft or hackers?
  • If special categories of sensitive data or vulnerable individuals are subject to data processing, is the project following GDPR-mandated stipulations to protect that data?
  • Could the merging of anonymized data sets lead to individuals being inadvertently identified?
  • Have data retention policies been outlined, and how will data be disposed of when it no longer serves its purpose?
  • Is the information being stored in a location with adequate data security?

Of course, the potential risks to data protection will be conditional to the type of project and data processing that’s involved. If you feel that your development team has not or cannot sufficiently identify potential threats to data protection, it may be necessary to consult the services of an information security expert or an attorney that specializes in privacy law.

8.     Risk Mitigation Strategies

The next step is to formulate solutions and mitigation strategies to reduce or eliminate the risks identified in the assessment phase. All of the previously identified risks to data protection must be addressed in this section, as well as viable mitigation techniques for each.

Many data controllers choose to combine risk assessment and mitigation strategies into one comprehensive table that is easy to read and understand. Home Office Biometrics uses this method:

Conducting this process properly will be beneficial in the long run, especially if a privacy dispute or data incident does occur. This documentation will serve as proof that your business took every measure possible to reduce or eliminate data protection risks before the project ever launched.

9.     Approval & Sign-Off

The final step in the DPIA process is to confirm that the evaluations, findings, and strategies laid out in the DPIA have been approved by the appropriate parties. The person or persons responsible for approving the document will differ according to the company and projects involved. In some cases, it may be a Data Protection Officer, while other organizations may assign approval to a management team.

The UK Ministry of Justice requires approval and sign off by the project manager and the information asset owner:

Some DPIAs also attach a list of outcomes that resulted from the strategies suggested in the DPIA, as well as a plan of action regarding future reviews and data protection audits. These elements are not obligatory, however.

We hope that this article sheds some light on the murky, sometimes confusing process of conducting a Data Protection Impact Assessment. Following the steps above will ideally result in safer data processing practices and a GDPR-compliant approach to new projects, along with the documentation of your efforts.