RSS twitter Login
Home Contact Login

The General Data Protection Regulation (GDPR)

Share this page!
twitter google-plus linkedin share

[This article was initially published in the ELRC+3 Newsletter on March 28, 2019]

The General Data Protection Regulation (GDPR) is an EU regulation (2016/679) of 27 April 2016. It entered into force on 25 May 2018 and replaced the Data Protection Directive of 1995 (95/46/EC).

Unlike a directive (which requires transposition into national law), a regulation applies directly and uniformly across all the EU Member States. The shift from a directive to a regulation in the domain of data protection is therefore a very significant step towards unification of national laws, and the establishment of a single European market – in practice, however, numerous articles of the GDPR require national transposition (including some of those relevant to scientific research), so the legal framework remains fragmented.

Contrary to popular belief, the GDPR is far from being revolutionary. Most of the definitions and principles that governed the processing of personal data under the 1995 Directive remain the same. However, the administrative fines are now significantly higher: up to 20 000 000 EUR or 4% of global annual turnover (whichever is higher). The efforts to comply with the GDPR have therefore intensified, and so have the audits carried out by Data Protection Authorities (in France, Google was recently fined 50 000 000 EUR only for some features of their Android operating system).

“Personal data” is defined very broadly as “any information relating to an identified or identifiable natural person (data subject)”. The notion covers directly identifying information (name, address, personal e-mail, phone number), but also elements that in combination with others may identify the person that they relate to (a mother of five of Moroccan descent who lives in Paris, works as a nurse and has a collection of 1960’s Jaguars). The ‘public’ and the ‘private’ spheres of life are equally protected. However, information related to legal persons (e.g. companies) as well as the deceased is not concerned (although some Member States may have specific protection for personal data of the deceased).

The process of “breaking the link” between the information and the person it refers to is called anonymization. Anonymized data are no longer personal data and can be processed without restrictions. However, the standard for anonymization is high: it should be irreversible, and the person should be impossible to identify by anyone and ‘by any means reasonably likely to be used’. Anonymization is now a research discipline in its own right: some well-described anonymization techniques include noise addition, k-anonymity and t-closeness.

“Processing” is also defined broadly as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. This includes collection, storage, consultation, transfer, but also deletion.

The person (natural or legal) that determines the purposes and means of processing is referred to as “data controller”. The person that merely processes data on behalf of the controller is called “data processor” (it is important to note that processors are not, contrary to popular belief, completely exempted from liability for processing).

In order to comply with the GDPR, processing has to respect the following principles:

  • lawfulness (see below), fairness and transparency;

  • purpose limitation (data can only be processed for a specified, explicit and legitimate purpose, and not further processed for an incompatible purpose);

  • data minimization (data processed have to be adequate, relevant and limited to what is necessary);

  • accuracy (data have to be accurate and when necessary kept up to date);

  • storage limitation (data cannot be stored for longer than necessary to achieve the purpose of processing);

  • integrity and confidentiality (data have to be stored in a secure environment and protected against unauthorized access or accidental destruction);

  • accountability (the data controller has to be able to demonstrate compliance).

In order to be lawful, processing has to be based on one of the grounds enumerated in article 6 of the GDPR. This is the case when, e.g. :

  • the data subject has given his informed consent to the processing (consent can be withdrawn at any time, but not retroactively); or

  • processing is necessary for the performance of a contract to which the data subject is party; or

  • there is a legal obligation to process the data; or

  • there is a legitimate interest in the processing which overrides the interests of the data subject in the protection of his data.

Apart from the abovementioned principles, data controllers may have to comply with other obligations, such as:

  • keeping a register of data processing operations;

  • implementing “data protection by design and by default”;

  • when necessary (i.e. when the processing may result in a high risk for the rights and freedoms of the data subject), carrying out a Data Protection Impact Assessment prior to the processing.

The data subject has certain rights regarding his data, e.g.:

  • information (some information such as the identity of the controller and the purpose of the processing has to be provided to the data subject by the data controller, even if the data were not collected directly from the data subject; on the Internet, this is typically done via a ‘privacy policy’);

  • access and rectification;

  • erasure (“right to be forgotten”);

  • right to data portability;

  • right not to be subject to automated decision-making.

This strict framework is assorted with various exceptions, including for research purposes. First of all, research is exempted from the purpose limitation principle, as it is always regarded as a ‘compatible purpose’. Furthermore, the storage limitation principle is tempered, and rights of data subjects may also be limited. All those benefits are available under one condition: appropriate safeguards for the rights and freedoms of data subjects have to be implemented. These may include pseudonymization, increased transparency, carrying out of a Data Protection Impact Assessment etc. The details are left for national legislators to decide, so it is important to know the national provisions in this respect.