- Who this law applies to;
- How GDPR defines personal information;
- How you can process personal information under GDPR;
- The privacy rights that this law provides;
- The penalties for failing to comply.
Who does GDPR apply to?
You need to comply with GDPR if you:
- Are located in the European Union;
- Offer goods or services, regardless of payment, to European Union data subjects, regardless of where you are actually located;
- Monitor the behavior of European Union residents, regardless of where you are actually located.
Because GDPR does not depend on the location of the data processor or controller, you must comply with its requirements if you meet any of the conditions stated above.
How GDPR defines personal information
Privacy laws start applying to websites as soon as they collect personal information, which means that if you do not collect personal information as defined by the law, then you do not need to comply with that law. GDPR defines personal information as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
GDPR provides the following examples of identifiers:
- An identification number;
- Location data;
- Online identifier; or
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
How you can process personal data under GDPR
GDPR is unique in that it prohibits the processing of personal information unless a specific exception applies. This means that by default, the collection, use and disclosure of personal information of residents of the European Union is not allowed. However, the following exceptions do allow for the processing of personal data:
- The data subject has given consent to the processing of his or her personal information;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal information.
GDPR ensures the protection of personal information by providing residents of the European Union with the following privacy rights:
- Right of access – the data subject has the right to know whether his or her personal information is being processed and to receive additional context on what is done with that personal information;
- Right to rectification – the data subject has the right to correct the personal information that a business holds on him or her that is incorrect and to complete the personal information that is incomplete;
- Right to erasure – the data subject has the right to have his or her personal information erased;
- Right to restriction of processing – the data subject has the right to have his or her data processed for specific purposes only;
- Right to data portability – the data subject has the right to receive all of the personal information that a business holds about him or her and the right to have that personal information sent to a different business; and
- Right to object to automated decision-making, including profiling – the data subject has the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that data subject.
When you collect personal information, GDPR also requires that you provide the data subject with the following information:
- The identity and contact details of the controller and, where applicable, of the controller’s representative;
- The contact details of the Data Protection Officer, where applicable;
- The purposes of the processing for which the personal information is intended;
- The legal basis for the processing;
- Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, the legitimate interests pursued;
- The recipients or categories of recipients of the personal information, if any;
- Where applicable, the fact that the controller intends to transfer personal information to a third country or an international organization; if such transfers are intended, you may need to make additional disclosures;
- The period for which the personal information will be stored, or if that is not possible, the criteria used for determining that period;
- The existence of the right to request from the controller access to and rectification or erasure of personal information or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- Where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary for entering into a contract, as well as whether the data subject is obliged to provide the personal information and the possible consequences of failure to provide such personal information;
- The existence of automated decision-making, including profiling and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The penalties for failing to comply with GDPR
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.