EU General Data Protection Regulation
Chapter 1 General Provisions
- Article 1
Subject-matter and objectives
This Regulation contains rules on the processing of personal data and the free movement of personal data, to protect the fundamental rights and freedoms of natural persons and their right to the protection of personal data.
- Article 2
This Regulation applies to the processing of personal data which form part of a filing system.
- Article 3
This Regulation applies to controllers and processors in the Union and controllers or processors not in the Union if they process personal data of data subjects who live in the Union.
- Article 4
This Article contains 26 essential definitions.
Chapter 2 Principles
This chapter outlines the rules for processing and protecting personal data.
- Article 5
Principles relating to processing of personal data
Personal data shall be processed lawfully, fairly, and in a transparent manner; collected for specified, explicit, and legitimate purposes; be adequate, relevant, and limited to what is necessary; etc.
- Article 6
Lawfulness of processing
There are six reasons that make processing lawful if at least one is true (e.g. data subject has given consent, processing is necessary for the performance of a contract, etc).
- Article 7
Conditions for Consent
When processing is based on consent, whoever controls the personal data must prove consent to the processing, and the data subject can withdraw consent at any time.
- Article 8
Conditions applicable to child’s consent in relation to information society services
Information society services can process personal data of a child if the child is over 16. If the child is under 16, the legal guardian must consent.
- Article 9
Processing special categories of personal data
Processing personal data revealing race, political opinions, religion, philosophy, trade union membership, genetic data, health, sex life, and sexual orientation is prohibited unless the subject gives explicit consent, it’s necessary to carry out the obligations of the controller, it’s necessary to protect the vital interests of the data subject, etc.
- Article 10
Processing personal data related to criminal convictions and offenses
Processing personal data related to criminal convictions can only be carried out by an official authority or when Union or Member State law authorizes the processing.
- Article 11
Processing which does not require identification
The controller does not need to get or process additional information to identify the data subject if the purpose for which the controller processes data does not require the identification of a data subject.
Chapter 3 Rights of The Data Subjects
This chapter discusses the rights of the data subject, including the right to be forgotten, right to rectification, and right to restriction of processing.
Section 1 Transparency and modalities
- Article 12
Transparent information, communications, and modalities for the exercise of the rights of the data subject
When necessary, the controller must provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and the controller needs to provide the data subject with information on the action taken on a request within one month.
Section 2 Information and access to personal data
- Article 13
Information to be provided where personal data are collected from the data subject
When personal data is collected from the data subject, certain information needs to be provided to the data subject.
- Article 14
Information to provide to the data subject when personal data has not been obtained from data subject
When personal data is not obtained from the data subject, the controller has to provide the data subject with certain information.
- Article 15
Right of access by the data subject
The data subject has a right to know whether their personal data is being processed, what data is being processed, etc.
Section 3 Rectification and Erasure
- Article 16
Right to rectification
The data subject can require the controller to rectify any inaccurate information immediately.
- Article 17
Right to be forgotten
In some cases, the data subject has the right to make the controller erase all personal data, with some exceptions.
- Article 18
Right to restriction of processing
In some cases, the data subject can restrict the controller from processing.
- Article 19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller has to notify recipients of personal data if that data is rectified or erased.
- Article 20
Right to data portability
The data subject can request to receive their personal data and give it to another controller or have the current controller give it directly to another controller.
Section 4 Right to Object and Automated Individual decision-making
- Article 21
Right to Object
Data subjects have the right to object to data processing on grounds relating to their particular situation.
- Article 22
Automated individual decision-making, including profiling
Data subjects have the right not to be subjected to automated individual decision-making, including profiling.
Section 5 Restrictions
- Article 23
Union or Member State law can restrict the rights in Articles 12 through 22 through a legislative measure.
Chapter 4 Controller and Processor
This chapter covers the general obligations and necessary security measures of data controllers and processors, as well as data protection impact assessments, the role of the data protection officer, codes of conduct, and certifications.
Section 1 General Obligations
- Article 24
Responsibility of the Controller
The controller has to ensure that processing is in accordance with this Regulation.
- Article 25
Data protection by design and by default
Controllers must implement data protection principles in an effective manner and integrate necessary safeguards to protect rights of data subjects.
- Article 26
When there are two or more controllers, they have to determine their respective responsibilities for compliance.
- Article 27
Representatives of controllers or processors not established in the Union
When the controller and processor are not in the Union, in most cases they have to establish a representative in the Union.
- Article 28
When processing is carried out on behalf of a controller, the controller can only use a processor that provides sufficient guarantees to implement appropriate technical and organizational measures that will meet GDPR requirements.
- Article 29
Processing under the authority of the controller or processor
Processors can only process data when instructed by the controller.
- Article 30
Records of Processing Activities
Each controller, or its representative, needs to maintain a record of processing activities covering all categories of processing activities.
- Article 31
Cooperation with the supervisory authority
The controller and processor have to cooperate with supervisory authorities.
Section 2 Security of personal data
- Article 32
Security of processing
The controller and processor must ensure a level of security appropriate to the risk.
- Article 33
Notification of a personal data breach to the supervisory authority
In the case of a breach, the controller has to notify the supervisory authority within 72 hours, unless the breach is unlikely to result in risk to people; the processor needs to notify the controller immediately.
- Article 34
Communication of a personal data breach to the data subject
When a breach is likely to cause risk to people, the controller has to notify data subjects immediately.
Section 3 Data protection impact assessment and prior consultation
- Article 35
Data protection impact assessment
When a type of processing, especially with new technologies, is likely to result in a high risk for people, an assessment of the impact of the processing needs to be done.
- Article 36
The controller needs to consult the supervisory authority when an impact assessment suggests there will be high risk if further action is not taken. The supervisory authority must provide advice within eight weeks of receiving the request for consultation.
Section 4 Data protection officer
- Article 37
Designation of the data protection officer
The controller and processor must designate a data protection officer (DPO) if processing is carried out by a public authority, if processing operations require the systematic monitoring of data subjects, or if the core activities of the controller or processor consist of processing personal data relating to criminal convictions or of processing special categories of data pursuant to Article 9 on a large scale.
- Article 38
Position of the data protection officer
The DPO must be involved in all issues which relate to the protection of personal data. The controller and processor must provide all necessary support for the DPO to do their tasks and not provide instruction regarding those tasks.
- Article 39
Tasks of the data protection officer
The DPO must inform and advise the controller and processor and their employees of their obligations, monitor compliance, provide advice, cooperate with the supervisory authority, and act as the contact point for the supervisory authority.
Section 5 Codes of conduct and certification
- Article 40
Codes of conduct
Member States, the supervisory authorities, the Board, and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR.
- Article 41
Monitoring of approved codes of conduct
A body that has adequate expertise in the subject-matter and is accredited to do so by the supervisory authority can monitor compliance with a code of conduct.
- Article 42
Member States, the supervisory authorities, the Board, and the Commission shall encourage the establishment of data protection certification mechanisms to demonstrate compliance.
- Article 43
Certification bodies accredited by Member States can issue and renew certifications.
Chapter 5 Transfers of Personal Data to Third Countries or International Organisations
This chapter provides the rules for transferring personal data that is undergoing or will undergo processing outside of the Union.
- Article 44
General principle for transfers
Controllers and processors can only transfer personal data if they comply with the conditions in this chapter.
- Article 45
Transfers on the basis of an adequacy decision
A transfer of personal data to a third country or international organization can occur if the Commission has decided the country or organization can ensure an adequate level of protection.
- Article 46
Transfers subject to appropriate safeguards
In the absence of a Commission decision that the third country or organization ensures an adequate level of protection, a controller or processor can transfer personal data to that third country or organization only if it has provided appropriate safeguards.
- Article 47
Binding Corporate rules
The supervisory authority will approve binding corporate rules in accordance with the consistency mechanism in Article 63.
- Article 48
Transfers or disclosures not authorized by Union law
Any decision by a court or administrative authority in a third country to transfer or disclose personal data is only enforceable if the decision is based on an international agreement.
- Article 49
Derogations for specific situations
If there is no adequacy decision (Article 45) or appropriate safeguards, a transfer of personal data to a third country or organization can only happen if one of seven specific conditions is met.
- Article 50
International cooperation for the protection of personal data
The Commission and supervisory authority have to do their best to further cooperation with third countries and international organizations.
Chapter 6 Independent Supervisory Authority
This chapter requires that each Member State have a competent supervisory authority with certain tasks and powers.
Section 1 Independent status
- Article 51
Each Member State has to provide at least one independent public authority to enforce this Regulation.
- Article 52
Each supervisory authority has to act with complete independence, and its members have to remain free from external influence.
- Article 53
General conditions for the members of the supervisory authority
Member States need to appoint members of the supervisory authority in a transparent way, and each member must be qualified.
- Article 54
Rules on the establishment of the supervisory authority
Each Member State needs to provide, in law, the establishment of each supervisory authority, qualifications for members, rules for appointment, etc.
Section 2 Competence, tasks, and powers
- Article 55
Each supervisory authority must be competent to perform the tasks in this Regulation.
- Article 56
Competence of the lead supervisory authority
The supervisory authority of a controller or processor that is doing cross-border processing will be the lead supervisory authority.
- Article 57
In its territory, each supervisory authority will monitor and enforce this Regulation, promote public awareness, advise the national government, provide information to data subjects, etc.
- Article 58
Each supervisory authority will have investigative, corrective, authorization, and advisory powers.
- Article 59
Each supervisory authority must write an annual report on its activities.
Chapter 7 Co-operation and Consistency
This chapter outlines how supervisory authorities will cooperate with each other and ways they can remain consistent when applying this Regulation and defines the European Data Protection Board and its purpose.
Section 1 Cooperation
- Article 60
Cooperation between the lead supervisory authority and the other supervisory authorities concerned
The lead supervisory authority will cooperate with the other supervisory authorities concerned to exchange relevant information, provide mutual assistance, etc.
- Article 61
Supervisory authorities must provide each other with relevant information and mutual assistance in order to implement and apply this regulation.
- Article 62
Joint operations of supervisory authorities
Where appropriate, supervisory authorities will conduct joint operations.
Section 2 Consistency
- Article 63
For consistent application of this Regulation, supervisory authorities will cooperate with each other and the Commission through the consistency mechanism in this section.
- Article 64
Opinion of the Board
If a supervisory authority adopts any new measures, the Board will issue an opinion on them.
- Article 65
Dispute resolution by the Board
The Board has the power to resolve disputes between supervisory authorities.
- Article 66
If there is an urgent need to act to protect data subjects, a supervisory authority may adopt provisional measures with legal effect for a period not exceeding three months.
- Article 67
Exchange of information
The Commission may adopt implementing acts in order to specify the arrangements for the exchange of information between supervisory authorities.
Section 3 European data protection board
- Article 68
European Data Protection Board
The Board is composed of the head of one supervisory authority from each Member State.
- Article 69
The Board must act independently when performing its tasks or exercising its powers.
- Article 70
Tasks of the Board
The Board needs to monitor and ensure correct application of this Regulation, advise the Commission, issue guidelines, recommendations, and best practices, etc.
- Article 71
The Board will write an annual public report on the protection of natural persons with regard to processing.
- Article 72
The Board will consider decisions by a majority vote and adopt decisions by a two-thirds majority.
- Article 73
The Board elects a chair and two deputy chairs by a majority vote. Terms are five years and are renewable once.
- Article 74
Tasks of the chair
The Chair is responsible for setting up Board meetings, notifying supervisory authorities of Board decisions, and making sure Board tasks are performed on time.
- Article 75
The European Data Protection Supervisor will appoint a secretariat that exclusively performs tasks under the instruction of the Chair of the Board, mainly to provide analytical, administrative, and logistical support to the Board.
- Article 76
Board discussions are confidential.
Chapter 8 Remedies, Liability, and Penalties
This chapter covers the rights of data subjects to judicial remedies and the penalties for controllers and processors.
- Article 77
Right to lodge a complaint with a supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority.
- Article 78
Right to an effective judicial remedy against a supervisory authority
Each natural or legal person has the right to a judicial remedy against a decision of a supervisory authority.
- Article 79
Right to an effective judicial remedy against a controller or processor
Each data subject has the right to a judicial remedy if they consider that their rights have been infringed as a result of processing that does not comply with this Regulation.
- Article 80
Representation of data subjects
Data subjects have the right to have an organization lodge a complaint on their behalf.
- Article 81
Suspension of proceedings
Any court in a Member State that becomes aware of proceedings on the same subject matter already pending in another Member State can suspend its own proceedings.
- Article 82
Right to compensation and liability
Any person who has suffered damage from infringement of this Regulation has the right to receive compensation from the controller or processor or both.
- Article 83
General conditions for imposing administrative fines
Each supervisory authority shall ensure that fines are effective, proportionate, and dissuasive. For infringements of Articles 8, 11, 25 to 39, 41, 42, and 43, fines can be up to $10,000,000 or two percent of global annual turnover. For infringements of Articles 5, 6, 7, 9, 12, 22, 44 to 49, and 58, fines can be up to $20,000,000 or four percent of global annual turnover.
- Article 84
Member States can make additional penalties for infringements.
Chapter 9 Provisions Relating to Specific Processing Situations
This chapter covers some exceptions to the Regulation and enables Member States to create their own specific rules.
- Article 85
Processing and freedom of expression and information
Member States have to reconcile the protection of personal data and the right to freedom of expression and information (for journalistic, artistic, academic, and literary purposes).
- Article 86
Processing and public access to official documents
Personal data in official documents held for tasks carried out in the public interest may be disclosed for public access in accordance with Union or Member State law.
- Article 87
Processing of the national identification number
Member States can determine the conditions for processing national identification numbers or any other identifier.
- Article 88
Processing in the context of employment
Member States can provide more specific rules for processing employees’ personal data.
- Article 89
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is subject to appropriate safeguards (data minimization and pseudonymization).
- Article 90
Obligations of secrecy
Member States can adopt specific rules for the powers of the supervisory authorities regarding controllers’ and processors’ obligation to secrecy.
- Article 91
Existing data protection rules of churches and religious associations
Churches and religious associations or communities that lay down their own rules for processing in order to protect natural persons can continue to use those rules as long as they are in line with this Regulation.
Chapter 10 Delegated Acts and Implementing Acts
- Article 92
Exercise of the delegation
The Commission has the power to adopt delegated acts. Delegation of power can be revoked at any time by the European Parliament or the Council.
- Article 93
The Commission will be assisted by a committee.
Chapter 11 Final Provisions
This chapter explains the relationship of this Regulation to past Directives and Agreements on the same subject matter, requires the Commission to submit a report every four years, and enables the Commission to submit legislative proposals.
- Article 94
Repeal of Directive 95/46/EC
Directive 95/46/EC (the 1995 personal data processing law) is repealed.
- Article 95
Relationship with Directive 2002/58/EC
This Regulation does not add obligations for natural or legal persons that are already set out in Directive 2002/58/EC (which concerns the processing of personal data and the protection of privacy in the electronic communications sector).
- Article 96
Relationship with previously concluded Agreements
International agreements involving the transfer of data to third countries or organizations that were set up before 24 May 2016 will stay in effect.
- Article 97
Every four years the Commission will submit a report on this Regulation to the European Parliament and to the Council.
- Article 98
Review of other Union legal acts on data protection
The Commission can submit legislative proposals to amend other Union legal acts on the protection of
- Article 99
Entry into force and application
The Regulation applies from 25 May 2018.
1 What’s Data Privacy Law in Your Country?
When creating the content for your website, legal notices like your Terms of Service, Cookie Notifications, and Privacy Policies are often an afterthought.
Blog posts might be a lot more fun to write, but neglecting to give your readers the right information can get you in legal trouble.
In reality, many of the countries with modern data privacy laws have rules in place for handling any kind of information that can identify an individual or be used to do so.
Even if you just collect names and email addresses for your newsletter, display a few Google Ads on your site, or use browser cookies to get traffic analytics, you’re required by law in many jurisdictions to inform your audience of certain facts and policies of your website.
2 Privacy Laws by Country
Argentina’s Personal Data Protection Act of 2000 applies to any individual person or legal entity within the territory of Argentina that deals with personal data. Personal data includes any kind of information that relates to individuals, except for basic information such as name, occupation, date of birth, and address.
According to Argentina’s laws concerning privacy, it’s only legal to handle or process personal data if the subject has given prior informed consent. Informed consent means you must tell them the purpose for gathering the data, consequences of refusing to provide the data or providing inaccurate information, and their right to access, correct, and delete the data. Also, any individual can request deletion of their data at any time.
Privacy Policies, according to Australian law, need to detail why and how you collect personal information, the consequences for not providing personal information, how individuals can access and correct their own information, and how individuals can complain about a breach of the principles.
One of the roles of the Office of the Australian Information Commissioner (OAIC) is to investigate any privacy complaints about the handling of your personal information. Anyone can make a complaint to the office for free at any time, and the office will investigate as soon as possible.
Brazil passed the Brazilian Internet Act in 2014 which deals with policies on the collection, maintenance, treatment and use of personal data on the Internet.
Any Brazilian individual and legal entity must obtain someone’s prior consent before collecting their personal data online, in any way. Consent can’t be given by those under 16 years old, and from 16 to 18 years old they must have assistance from their legal guardian to give consent. So, before collecting any information, be sure to ask whether the user is over 18 years of age.
Canada’s Personal Information Protection and Electronic Data Act (PIPEDA) governs how you can collect, store, and use information about users online in the course of commercial activity. According to the act, you must make information regarding your privacy policies publicly available to customers.
According to Chile’s Act on the Protection of Personal Data, passed in 1998, personal data can only be collected when authorized by the user. You also need to inform users of any sharing of information with third parties (such as if you have an email newsletter provider like MailChimp or AWeber that you share emails with).
However, you don’t need to get authorization for basic information like a person’s name or date of birth, or if you’re only using the data internally to provide services or for statistical or pricing purposes.
Colombia’s Regulatory Decree 1377 states that you must inform users of the purpose their data will be used for, and you can’t use the data for any other purpose without obtaining consent.
Privacy Policies must include a description of the purpose and methods for processing data, the users’ rights over their data and the procedures for exercising those rights, and identification of who is responsible for handling the data.
Act No. 101/2000 Coll., on the Protection of Personal Data governs how personal data is collected by anyone in the Czech Republic.
If you collect any kind of information relating to an identifiable person, you need to inform them of the purpose for collecting the data and the way it’s collected, and obtain their consent.
Denmark passed the Act on Processing of Personal Data in 2000. The Danish Data Protection Agency supervises and enforces the privacy laws. If they discover violations of the law, they can issue a ban or enforcement notice, or even report the violation to the police.
According to the law, personal data can only be collected if the user gives explicit consent. Also, a company can’t disclose personal information to third parties for the purpose of marketing without consent.
The General Data Protection Regulation (GDPR) became enforceable in 2018 and is to date the most robust privacy protection law in the world. It has since inspired other laws around the world to up their requirements and has inspired the creation of new laws.
The Personal Data Act governs the processing of personal data gathered in Finland, where privacy is considered a basic right. Anyone who gathers personal data in Finland must have a clearly defined purpose for gathering the data, and may not use it for any other purpose.
Personal data can only be gathered after obtaining unambiguous consent from the user.
The controller (the person or corporation collecting the data) of the collected data also needs to create a description of the data file, including their name and address and the purpose for collecting the data. This description needs to be made available to anyone.
There are also special restrictions that apply if you’re collecting data for the purpose of direct marketing or other personalized mailing related to marketing. Your database must be limited to basic information and contact information (no sensitive data can be collected).
The Data Protection Act (DPA) of 1978 (revised in 2004) is the main law protecting data privacy in France. The Postal and Electronics Communications Code also touches on the collection of personal data when it’s used for sending electronic messages.
The DPA applies to the collection of any information that can be used to identify a person, which is very broad in scope. The rules apply to anyone collecting data who is located in France or who carries out its activities in an establishment in France (such as if your hosting server or other service provider related to collecting or processing data is located in France). This is why the French Data Protection Authority was able to fine Google for violating their privacy laws.
Before automatically processing any kind of personal data, you must obtain the consent of the subject, and inform them of a number of things, including the purpose of the processing, the identity and address of the data controller, the time period the data will be kept, who can access the data, how the data is secured, etc.
In Germany, the Federal Data Protection Act of 2001 states that any collection of any kind of personal data (including computer IP addresses) is prohibited unless you get the express consent of the subject. You also have to get the data directly from the subject (it’s illegal to buy email lists from third parties, for example).
According to the act’s Principle of Transparency section, the subject must be informed of the collection of the data and its purpose. Once the data is collected for a specific purpose, you can’t use it for any other purpose without getting additional consent.
These laws apply to any collection of data on German soil, and the Federal Data Protection Agency and 16 separate state data protection agencies enforce them.
The Processing of Personal Data laws in Greece protect the rights of individuals’ privacy in regard to electronic communications.
The processing of personal data is only allowed in Greece if you obtain consent after notifying the user of the type of data and the purpose and extent of processing. Consent can be given by electronic means if you ensure that the user is completely aware of the consequences of giving consent. Also, they can withdraw consent at any time.
Hong Kong’s Personal Data Ordinance states that users must be informed of the purpose of any personal data collection, and the classes of persons the data may be transferred to (such as if you use any third-party services for processing data, like an email newsletter service).
The openness principle of the ordinance states that your personal data policies and practices must be made publicly available, including what kind of data you collect and how it’s used.
If you’re in violation of the Personal Data Ordinance, you could face fines up to HK$50,000 and up to 2 years in prison, and you could be sued by your users as well.
In Hungary, the privacy of personal data is protected by Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests. Its main purpose is to ensure that individuals have control over their own data.
According to the act, you must obtain a person’s consent in order to handle their personal data. You can only collect data with an express purpose, and you must inform the user that handing over their personal data is voluntary.
If you violate the act, then your users may sue you, and you may be liable to pay for any damage you cause by mishandling their data.
Iceland has been called the ‘Switzerland of data’ for its strict privacy laws. The Data Protection Act of 2000 states that data must be obtained for specific purposes, and only after the subject has given unambiguous and informed consent.
In order to give consent, they must be made aware of the type of data collected, the purpose of the collection, how the data processing is conducted, how their data is protected, and that they can withdraw their consent at any time.
Not obeying the act could result in fines or even a prison term up to 3 years.
In Ireland, the privacy of personal data is regulated by the Data Protection Act 1988, including a 2003 amendment. There’s also the ePrivacy Regulations 2011 (S.I. 336 of 2011), which deals with electronic communication.
A Privacy Statement, on the other hand, is a public document on a website that clearly and concisely declares how the organization applies the principles to how they collect personal data (including the use of browser cookies) through their website.
It’s a legal requirement for any organization in Ireland to have a public Privacy Statement on its website.
If your website collects any kind of personal information or tracks users with cookies and you don’t have a privacy statement, you could be investigated by the Data Protection Commissioner and fined up to €100,000.
Certain sensitive data, including passwords or financial information, can’t be collected or processed without the prior consent of the user.
Italy’s Data Protection Code has strict rules for any kind of electronic marketing. According to the code, you must obtain a user’s consent before tracking them or using their data for advertising or marketing communications. You must provide users with specific information before collecting or processing their data, including the purpose and methods of processing and their individual rights under the law.
The Italian Data Protection Authority protects the rights of individuals regarding the privacy of their personal data. They can impose fines, such as the million-euro fine they threatened Google with for violating Italian privacy regulations.
In Japan, the Personal Information Protection Act protects the rights of individuals in regard to their personal data. The definition of personal data in the act is very broad, and even applies to information that could be found in a public directory.
The act states that you must describe as specifically as possible the purpose of the personal data you’re collecting. Also, in order to share the personal data with any third party (such as an email newsletter service) you must obtain prior consent.
The Personal Data Protection Law of Latvia applies to the processing of all kinds of personal data. It states that you may only process personal data after obtaining the consent of the user. When you collect personal data, you must inform them of specific information, including the purpose for collecting their data, any third parties that might have access to their data, and their individual rights to protect their own data under the law.
Lithuania’s Law on Legal Protection of Personal Data states that in order to collect and process any kind of personal information that can identify an individual, you must obtain clear consent from the individual first. The law says that consent can only be defined as consent if the individual agrees for their data to be used for a specific purpose known to them, so you need to let users know exactly why you’re collecting their data, and how you’re going to use it, in order for their consent to be legally valid.
In Luxembourg, Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data states that users must give informed consent before their data can be collected and processed. The user must be informed of your identity, your purpose for collecting their data, any third parties with access to their data, and their specific rights regarding their data.
Anyone in violation of the law could face prison time between 8 days to 1 year and/or a fine of anywhere from 251 to 125,000 euros.
Malaysia’s Personal Data Protection Act 2010 protects any personal data collected in Malaysia from being misused. According to the act, you must obtain the consent of users before collecting their personal data or sharing it with any third parties. In order for their consent to be valid, you must give them written notice of the purpose for the data collection, their rights to request or correct their data, what class of third parties will have access to their data, and whether or not they’re required to share their data and the consequences if they don’t.
In Malta, the right to privacy is considered a fundamental human right, and is protected in part by the Data Protection Act of 2001. The act states that personal data can only be collected and processed for specific, explicitly stated and legitimate purposes, and that the user must give their informed and unambiguous consent before it’s collected. For their consent to be valid, you must inform them of your identity and residence, the purpose of the data collection, any other recipients of the data, whether their participation is required or voluntary, and all about their applicable rights to access, correct, or erase the data.
Morocco’s Data Protection Act defines personal data as any information of any nature that can identify an individual person. In order to collect or process any personal data, it needs to be for a specific purpose, and you must obtain the express consent of the user before you collect it, unless the data was already made public by that individual.
For their consent to be valid, you need to inform the person of your identity, the purpose of the data collection, and their rights regarding their own data.
The National Commission for the Protection of Personal Data, established in 2010, conducts investigation and inquiries related to privacy laws. Breaking the law can be punishable by fines or even imprisonment.
In the Netherlands, the Dutch Personal Data Protection Act states that you must obtain the unambiguous consent of the user before collecting or processing any information that personally identifies them.
According to New Zealand’s Privacy Act of 1993, you must collect any non-public personal information directly from the individual, and make sure they’re aware of your name and address, the purpose for the data collection, any recipients of that data, whether the collection is required by law or optional, and their rights regarding their own data.
Any user may make a complaint and possibly trigger an investigation into whether you’re following the law when collecting their personal data.
Norway’s Personal Data Act states that personal data can only be collected after obtaining the consent of the user. Before asking for consent, you need to inform them of your name and address, the purpose of the data collection, whether the data will be disclosed to third parties and their identities, the fact that their participation is voluntary, and their rights under the law.
The Philippines is known for having “one of the toughest data privacy legislations in the region.” In the Philippines, anyone who collects personal data needs to get specific and informed consent from the user first. You must declare the purpose of the data processing before you begin to collect it (or as soon as reasonably possible after).
Under Republic Act No. 10173 (the Data Privacy Act of 2012), individuals have the right to know your identity, what personal data you’re collecting and for what purpose, how it’s being processed, who it’s being disclosed to, and all their rights regarding their own data.
In Romania, the law (Law No. 677/2001) states that you must inform users of their rights when collecting any kind of personal data, and a name alone already counts as personal data. You also need to obtain their “express and unequivocal consent” beforehand.
Poland’s Act of the Protection of Personal Data, passed in 1997, states that the processing of data is only permitted if the data subject has given their consent. You’re also obliged to provide your name and address, the purpose of the data collection, any other recipients of the data, the subject’s rights, and whether participation is required or voluntary.
According to Portugal’s Act on the Protection of Personal Data, the processing of data needs to be carried out in a transparent manner, respecting the privacy of your users. Personal data can only be collected for specific and legitimate purposes, and only after obtaining the unambiguous consent of the user. You must also provide the user with specific information including your identity, the purpose of the data processing, any other recipients of the data, etc.
In Singapore, personal data is protected under the Personal Data Protection Act. According to the act, you may only collect personal data with the consent of the individual, and the individual must be informed of the purpose of the collection.
Slovenia’s Personal Data Protection Act states that you must obtain the informed consent of an individual before collecting or processing their personal data. In order for their consent to be valid, you need to inform them of your identity and the purpose of the data collection. You also need to inform them of any other information necessary to ensure that their data is being processed in a lawful and fair manner.
South Africa’s Electronic Communications and Transactions Act applies to any personal data collected through electronic transactions, such as through a website. The act sets out nine data protection principles that a data controller may subscribe to (subscription is voluntary under the act, but once a controller subscribes, all nine principles bind it). Among them are the requirements to disclose in writing to the subject the specific purpose of the data collection and to obtain the subject’s express consent before collecting the data.
In South Korea, the Act on Promotion of Information and Communications Network Utilization and Data Protection states that any information and communications service provider needs to obtain the consent of the user before collecting personal information. In order for the consent to be valid, you must provide the user with specific information including your name and contact information, the purpose of the data collection, and the user’s rights concerning their own data.
The Framework Act on Telecommunications provides the definition of “information and communications service providers” as “services that mediate a third party’s communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party’s telecommunications.”
In Spain, the protection of personal data is regarded as a constitutional right. In order to collect any personal data, you need to provide the user with “fair processing information” including your identity and address, the purpose of the data processing, their rights under the law, whether participation is voluntary or mandatory, and any consequences for not providing their personal data.
Switzerland’s Federal Act on Data Protection states that any personal data collection or processing must be done in good faith, and that it needs to be evident to the user, especially the purpose of the data collection. In other words, you must inform the user that you’re collecting their personal data, and why. Personal data is defined as “all information relating to an identified or identifiable person.”
In Sweden, the Personal Data Act protects the privacy of personally identifying information, which it loosely defines as any data that, directly or indirectly, refers to a living person. It states that users are entitled to information concerning the processing of their personal data, and that they must give consent before you can collect their data. Consent must be informed, voluntary, specific, and unambiguous.
Anyone who violates the act may be liable to pay fines or even sentenced to criminal penalties.
The Computer-Processed Personal Data Protection Law in Taiwan relates to specific kinds of personal data, including an individual’s name, date of birth, “social activities,” and any other data that can identify that individual. Data collection needs to be in good faith and in consideration of individuals’ rights. Any organization that collects personal data must publish a document that includes specific information including their name and address, the purpose and methods for the data collection, and any other recipients of the data.
In the United States, data privacy isn’t as highly legislated on a federal level as most of the other countries on this list. Like with many issues, the federal government leaves a lot of the details up to each state. Laws also differ depending on the industry, which results in a confusing mess of rules and regulations for US website owners to navigate.
The FTC (Federal Trade Commission) enforces business privacy practices under Section 5 of the FTC Act. It doesn’t require privacy policies per se, but it does prohibit deceptive practices, and a privacy policy that misrepresents what a business actually does with personal data is treated as one.
The California Online Privacy Protection Act (CalOPPA) applies not just to websites based in California, but to any commercial website or online service that collects personal data from consumers who reside in California. With that in mind, website owners anywhere in the United States are encouraged to err on the side of caution so they don’t run into legal trouble inadvertently. A CalOPPA privacy policy must be conspicuously posted and must disclose:
- The type of personal data collected
- Any third parties you share the data with
- How users can review and change their data that you’ve collected
- How you’ll respond to Do Not Track requests
A few additional laws to be aware of in the US include the California Consumer Privacy Act (CCPA) and the proposed Washington Privacy Act (WPA), a bill that has been introduced in several sessions of the Washington legislature without being enacted.
In the UK, the mission of the Information Commissioner’s Office is to “uphold information rights in the public interest.”
The Data Protection Act requires fair processing of personal data, which means that you must be transparent about why you’re collecting personal data and how you’re going to use it. The separate Privacy and Electronic Communications Regulations (PECR) add that if you use browser cookies, you need to clearly explain what they do and why you’re using them, and gain the informed consent of your users.
Of the many new measures imposed by the General Data Protection Regulation (GDPR), the requirements surrounding Data Protection Impact Assessments often cause the most confusion. Many business owners have no idea what the document is for or when it is required.
In this article, we’ll wade through the terminology to explain the complexities of Data Protection Impact Assessments so you can do your own successful assessment and document it in the best way possible.
Data Protection Impact Assessments (DPIAs) are used to identify, assess, and mitigate the risks that a planned processing of personal data poses to the rights and freedoms of the individuals concerned, before a new business endeavour or project is launched.
By performing a DPIA before a new project, you can hope to:
- Better understand the data protection risks that will be faced during the project
- Calculate methods to decrease or eliminate those risks
- Decide if the benefits of the project outweigh data protection risks
- Prepare an informed statement that will disclose the risks to any individuals who will be affected
- Document data protection measures to demonstrate GDPR compliance to supervisory authorities
- Identify opportunities to incorporate “Data Protection by Design” principles (Article 25) into the project
According to Article 35 of the GDPR:
“Where a type of [data] processing… is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
In other words, if the project presents a high risk to personal data protection and privacy, then a DPIA will be necessary.
But how does one determine what presents a “high risk”? The GDPR (Article 35(3)) and the Article 29 Working Party’s DPIA guidelines (WP248) provide some examples of processing that would definitely call for a DPIA. Each criterion below is followed by an illustration:
- An extensive evaluation of personal aspects in which decisions are made based upon automated processing and profiling.
  Example: a technology that uses a person’s financial history to automatically determine whether or not that person is eligible for a mortgage.
- Processing special categories of data (sexual orientation, race, religion, etc.) or criminal offence history.
  Example: a job board website that collects racial information or criminal history from consumers who wish to apply for jobs online.
- Systematic monitoring of a publicly accessible area on a large scale.
  Example: using a camera placed on a public road to record and monitor driver behaviour.
- Evaluation or scoring of individuals, including profiling and predicting.
  Example: an internet technology that monitors user behaviour and uses that information to build marketing profiles.
- Automated decision-making with legal or otherwise significant effect on the lives of individuals.
  Example: a computer program that uses the behavioural history of convicts to automatically determine whether they will be granted parole.
- Personal data processed on a large scale. The GDPR does not define “large scale”; WP248 suggests weighing the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. An online social network with millions of users is a clear case.
- Datasets that have been matched or combined.
  Example: direct marketing endeavours that involve purchasing consumer mailing lists and matching them against existing customer records.
- Data concerning vulnerable data subjects who may be unable to give valid consent.
  Example: processing the data of children or of mentally ill individuals.
- Innovative technological or organisational solutions.
  Example: software that grants user access based on fingerprints or face recognition.
- Processing that “prevents data subjects from exercising a right or using a service or a contract.”
  Example: a credit card company using a person’s credit history as a basis for denying service.
As you can see, there are a lot of different scenarios that would call for a DPIA, and this is far from an exhaustive list. There are many more situations in which a new data processing project could put data protection at risk. A good rule of thumb is, if in doubt, perform a DPIA. When it comes to data security and GDPR compliance, it’s always wise to err on the side of too much rather than too little data protection.
In some situations, you can definitely rule out the necessity of a DPIA. These include:
- Any new project that definitely does not entail a high risk to the rights and freedoms of consumers.
- If you have already performed a DPIA for a previous project that is very similar, a single assessment may cover the set of similar processing operations that present similar high risks (Article 35(1)), and you can use the existing DPIA to demonstrate adequate data protection and compliance.
- When the processing has a legal basis in EU or Member State law that regulates the specific operation, and a DPIA was already carried out as part of the impact assessment for adopting that law (Article 35(10)).
- If the processing activity is on a supervisory authority’s published list of processing operations for which no DPIA is required (Article 35(5)).
A DPIA should be performed after the details of a new data processing project have been established and planned out, but before the project is actually launched. The GDPR lays out some specific instructions as to what a DPIA should include:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
- An assessment of the necessity and proportionality of the processing in relation to those purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address those risks, including safeguards and security measures, and how the project will demonstrate compliance with the GDPR
While this may look like a relatively short list, there is a lot of research and effort involved in fulfilling these requirements. Below we’ve laid out steps you can take to create a comprehensive Data Protection Impact Assessment.
Start by describing how data will be handled throughout the project. Detail is key here, so be as thorough as possible in examining your data processing activities from start to finish.
Here are some questions to ask as you compile this section:
- How will the data be collected?
- How will the data be used?
- Where and how will it be stored?
- What is the source of the data?
- Will it be shared with any third party and if so, why?
- Which high-risk data categories or activities will be involved?
The published DPIA of Simprints Technology begins by answering some of the questions above in detail, then follows up with several flowcharts to illustrate data flows, which makes it easy to visualise and really understand what happens to the data.
This section of your DPIA may be rather simple if you only work with limited data collected in limited ways, but you can see how this section could get very complicated and lengthy.
Next, outline the scope of data processing. Here you will need to delve deeply into the data itself, describing the types of data that will be collected, the quantity of data, and so on. This section will differ according the company and project involved, but may cover the following points:
- What categories of data will be collected?
- Will it involve special or sensitive categories of data?
- What quantity of data will be collected and how many consumers will be affected?
- Is the data processing localized to a specific area?
- How long will the data be retained?
Although the Privacy by Design Foundation does not go into all of these details at the outset of its DPIA, it provides a generalised scope early on, broken down into subsections that address the nature, the purpose, the scope and the context of the processing.
Describe what the project is expected to achieve through data processing. What are the benefits for the data controller and how will consumers be affected?
UK Home Office Biometrics conducted a comprehensive DPIA of new technologies to be used by the police. Its statement of purposes consists of short but descriptive paragraphs on each project; the text itself notes that they are “brief descriptions of the projects.”
Here is where you start asking some of the more difficult questions. Think about the consumers who will be affected and how this data processing may affect them. This is also a good time to consider the context of the data processing project itself and its position in the industry.
Here are some questions to ask and answer during this phase:
- What is your legal basis for collecting user data? Do you have appropriate consent measures in place?
- Is your consumer base vulnerable in any way, such as in the case of children or mentally ill individuals?
- Has this type of processing been performed before? Are there similar technologies already in place?
- Have any security flaws been identified in similar projects?
The UK Ministry of Justice uses a question-and-answer format for its DPIAs, asking questions similar to those above to establish the business context, and later in the same document establishing the privacy context of the new technology.
Where appropriate, the controller must seek the views of data subjects or their representatives on the intended processing (Article 35(9)), and must seek the advice of the Data Protection Officer where one has been designated (Article 35(2)). It is often also worth consulting your data processors and information security experts to understand the full implications and risks of the project.
If such consultations are appropriate and possible, you will need to document them in this section.
When proposing a new privacy bill to be passed into law, the Australian Department of the Treasury performed a 161-page assessment of all the data protection implications involved, including a full chapter on consultation.
Any major data processing project will need to address GDPR compliance from the outset. After all, that’s one reason you are conducting a DPIA in the first place. In this section, you will analyse whether or not data processing activities are compliant with the GDPR and other international privacy laws.
This is also a good place to describe what measures the business will be taking to ensure compliance at each phase of the project. Some topics that will need to be approached include:
- What are the legal bases for the data processing? Will these bases remain valid throughout the duration of the project?
- Is data processing necessary to achieve the overall purpose?
- Is there any way to reduce or minimize the use of consumer data throughout the project?
- How will consumer rights be upheld?
- How will the data controller confirm that third-party processors also comply with privacy laws?
- How will international data transfers be legally performed?
Simprints Technology handles this by working through the major tenets of the GDPR and briefly addressing each one, and later in the document covers data transfers and data-subject rights, so that all relevant GDPR obligations are touched on.
This section is the core of any DPIA. It is where data protection and privacy are analysed from all angles, and where each potential threat to the rights and freedoms of data subjects is listed together with its likelihood and severity.
Although it is impossible to predict every potential risk scenario in a generalized article like this one, here are some points to review during risk assessment:
- Are proper controls and safeguards in place to prevent or reduce unsafe data processing practices due to internal employee errors?
- Is there a possibility that the project might evolve and change the way data is being processed beyond the scope of current legal bases?
- Are systems patched, and have the security controls been tested (for example by penetration testing) against data theft and unauthorised access?
- If special categories of sensitive data or vulnerable individuals are subject to data processing, is the project following GDPR-mandated stipulations to protect that data?
- Could linking pseudonymised or “anonymised” datasets with other available data (including public registers) lead to individuals being re-identified?
- Have data retention policies been outlined, and how will data be disposed of when it no longer serves its purpose?
- Is the information being stored in a location with adequate data security?
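The re-identification question is the one item in this list that can be checked mechanically before launch. The following added example (written for this article; it is not code from the original page or from any of the DPIAs cited here, and both datasets are constructed) joins a de-identified health extract to a public register on the quasi-identifiers they share, counts how many rows an adversary holding that register would re-identify, and reports the k-anonymity of the release. It also shows why row-count k-anonymity alone is misleading (several rows can belong to one person), and re-runs the check after coarsening the quasi-identifiers as a candidate mitigation.

```python
"""Linkage (re-identification) check for a DPIA risk assessment.

Added example with constructed data; nothing here comes from a real dataset.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed "de-identified" extract: names removed, quasi-identifiers kept.
HEALTH_EXTRACT: List[Record] = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "birth_year": 1990, "sex": "M", "diagnosis": "fracture"},
    {"zip": "02141", "birth_year": 1990, "sex": "M", "diagnosis": "migraine"},
    {"zip": "02141", "birth_year": 1990, "sex": "M", "diagnosis": "allergy"},
]

# Constructed public register (think voter roll or staff directory) that an
# adversary can obtain; it carries names plus the same quasi-identifiers.
PUBLIC_REGISTER: List[Record] = [
    {"name": "A. Example", "zip": "02138", "birth_year": 1961, "sex": "F"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1961, "sex": "F"},
    {"name": "C. Example", "zip": "02139", "birth_year": 1975, "sex": "M"},
    {"name": "D. Example", "zip": "02141", "birth_year": 1990, "sex": "M"},
]

FULL_QI: Tuple[str, ...] = ("zip", "birth_year", "sex")


def qi_key(record: Record, attrs: Sequence[str]) -> Tuple:
    """The quasi-identifier tuple used as the join key."""
    return tuple(record[a] for a in attrs)


def k_anonymity(records: Iterable[Record], attrs: Sequence[str]) -> int:
    """Size of the smallest group of rows sharing a quasi-identifier tuple.

    Computed on the released set alone, as many DPIAs do. Rows are not people:
    the three 02141/1990/M rows below all belong to one person in the register.
    """
    counts = Counter(qi_key(r, attrs) for r in records)
    return min(counts.values())


def linkage_attack(released: Iterable[Record], register: Iterable[Record],
                   attrs: Sequence[str]) -> List[Tuple[str, object]]:
    """Join released rows to the register on the quasi-identifiers.

    A row is re-identified when exactly one named person in the register
    shares its quasi-identifier tuple. Returns (name, diagnosis) pairs.
    """
    names_by_key: Dict[Tuple, List[str]] = defaultdict(list)
    for person in register:
        names_by_key[qi_key(person, attrs)].append(str(person["name"]))
    hits: List[Tuple[str, object]] = []
    for row in released:
        candidates = names_by_key.get(qi_key(row, attrs), [])
        if len(candidates) == 1:
            hits.append((candidates[0], row["diagnosis"]))
    return hits


def generalise(record: Record) -> Record:
    """Candidate mitigation: coarsen zip to a 3-digit prefix and drop birth year.

    Applied to both sides so the join keys stay comparable; an adversary would
    coarsen their own copy of the register the same way.
    """
    out = dict(record)
    out["zip"] = str(record["zip"])[:3]
    out.pop("birth_year", None)
    return out


def assess(released: Iterable[Record], register: Iterable[Record],
           attrs: Sequence[str]) -> Dict[str, int]:
    """Figures a DPIA risk table can cite: k of the release, and how many rows
    an adversary holding the register would re-identify."""
    released = list(released)
    return {"k": k_anonymity(released, attrs),
            "reidentified_rows": len(linkage_attack(released, register, attrs))}


if __name__ == "__main__":
    print("as planned:", assess(HEALTH_EXTRACT, PUBLIC_REGISTER, FULL_QI))
    coarse_release = [generalise(r) for r in HEALTH_EXTRACT]
    coarse_register = [generalise(p) for p in PUBLIC_REGISTER]
    print("after generalisation:", assess(coarse_release, coarse_register, ("zip", "sex")))
```

With the full quasi-identifier set the release has k = 1 and four of six rows are re-identified (one for C. Example, three for D. Example), even though the D rows form a group of three. After generalisation every key maps to two candidates, no row is re-identified and k rises to 2. The point for the DPIA is that the risk figure depends on the auxiliary data an adversary can plausibly hold, so the check should be run against realistic registers, not just on the release in isolation.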
Of course, the potential risks to data protection will be conditional to the type of project and data processing that’s involved. If you feel that your development team has not or cannot sufficiently identify potential threats to data protection, it may be necessary to consult the services of an information security expert or an attorney that specializes in privacy law.
The next step is to formulate solutions and mitigation strategies to reduce or eliminate the risks identified in the assessment phase. All of the previously identified risks to data protection must be addressed in this section, as well as viable mitigation techniques for each.
Many data controllers combine the risk assessment and the mitigation strategies into one table that lists each identified risk alongside the measure that addresses it and the risk that remains afterwards, which is easy to read and to review. Home Office Biometrics uses this method.
Conducting this process properly will be beneficial in the long run, especially if a privacy dispute or data incident does occur. The documentation serves as evidence that your business identified the data protection risks and took measures to address them before the project ever launched.
The final step in the DPIA process is to confirm that the evaluations, findings, and strategies laid out in the DPIA have been approved by the appropriate parties. The person or persons responsible for approving the document will differ according to the company and projects involved. In some cases, it may be a Data Protection Officer, while other organizations may assign approval to a management team.
The UK Ministry of Justice requires approval and sign-off by the project manager and the information asset owner.
Some DPIAs also attach a list of outcomes that resulted from the strategies suggested in the DPIA, as well as a plan of action for future reviews and data protection audits. Attaching these is not obligatory, although Article 35(11) does require the controller to review the assessment whenever the risk presented by the processing changes.
We hope that this article sheds some light on the murky, sometimes confusing process of conducting a Data Protection Impact Assessment. Following the steps above will ideally result in safer data processing practices and a GDPR-compliant approach to new projects, along with the documentation of your efforts.