General Data Protection Regulation: The Key Basics
Dr Sarah Farrugia specialises in the GDPR and offers a clearer picture of the Regulation in this article. Many of us are often overwhelmed by the terminology surrounding the subject, but Dr Farrugia shares some clarifications as well as some little-known facts about the subject.
Data is the currency of today’s digital economy
Everyone has the right to the protection of their personal data; this is a fundamental right enshrined in the Charter of Fundamental Rights. Rapid technological developments bring high risks to the protection of data and, consequently, a growing awareness of the data subject's right to the protection of their personal data.
Since the advent of the internet and its growth for personal use in the early 21st century, societies around the globe (particularly western nations) have looked towards the web for a number of tools and services. Fast-forward to 2022 and almost every job requires the internet; it is hard to find people without one or multiple social media accounts, we all have multiple email accounts (some we don't even remember the password to), and we get most of our entertainment and communication lines from the internet. This phenomenon is no longer restricted to the west: societies in Asia, the Middle East and Africa have not only caught on, but have started innovating more, giving the prestigious start-ups in Silicon Valley a run for their money. Plainly speaking, if the internet were cut off tomorrow it would wreak havoc throughout the global economy.
To the point: we are literally littering the internet space with our data and information, either via the information we write ourselves or via what browsers and internet providers mine from our IP address (site cookies).
Natural persons (living human beings, with rights and duties automatically given to them by the nation in which they are born) make their personal data more available as time passes. Whilst this facilitates the free flow of information, it creates a socio-digital problem, in which users (people) sense that their privacy is not only invaded, but that it is being capitalised upon by big firms, who sell bulk data analytics in order to have better-targeted advertisements. This has resulted in more awareness of individuals' rights as data subjects, and it simultaneously creates burdens and risks to personal data from which the General Data Protection Regulation aims to safeguard the data subject.
What is the General Data Protection Regulation (GDPR)?
In simple terms, the GDPR is a rulebook concerning solely the protection of personal data. The main intention behind the General Data Protection Regulation (GDPR) is to regulate data collection. Most importantly, it creates further safeguards for the data subject – you and I, as to how, when and why our data is being used.
GDPR across Europe
The GDPR sets the same conditions for how data should be processed, and the same legal limits and obligations as to when it may be processed. Disjointed laws governing data protection have been replaced to create a single coherent framework. Such a framework is applied across all EU Member States.
This level of coherency from one Member State to the other ensures a high level of protection of personal data, creates legal certainty, and eases obstacles which one may face when transferring data within the Union. The GDPR does, however, permit leeway for EU Member States to adapt specific provisions in order to implement the GDPR with ease. This is only done in the hope of improving the protection of the fundamental rights of individuals whilst simultaneously reflecting every Member State's constitutional and administrative structures.
Who does the GDPR apply to?
The GDPR applies to natural persons and does not concern the processing of personal data of any undertaking classified as a legal person. In other words, personal data is any data which identifies individuals, not companies. Consequently, legal persons cannot be subject to the GDPR, whereas natural persons, whatever their nationality, are subject to the GDPR and benefit from any and all of the rights it bestows on them.
It is also interesting to note that the personal data of a deceased individual does not fall within the remit of this Regulation. However, Member States may cater for the processing of the personal data of the deceased. On a different note, not all activities of a natural person are safeguarded under the GDPR. In fact, as indicated clearly in the Regulation, the processing of personal data by a natural person in the course of activities which are purely personal or related to any household activity does not fall under the remit of the Regulation. Thus, if the activities of the natural person are not of a professional or commercial nature, this Regulation does not apply.
Therefore, in summary, any identifiable natural person who is in the Union, and whose activities are not related to a household activity, shall be subject to this Regulation.
The GDPR – Key Definitions
We are aware that certain keywords used by the Regulation and by GDPR professionals may sound intimidating or over-complicated; therefore the list below acts as a simple guideline to help you better understand the basic terms and terminology used by day-to-day practitioners of the GDPR, like us.
- Personal Data: This term is tossed around quite often, but what does it really mean? Personal data is data that refers to an identifiable natural living person. Examples: name, surname, identification number, and location data. (This is not an exhaustive list.)
- Data Subject: This refers to the identifiable natural person whose personal data is being used. This term is often used in forms, privacy notices or privacy policies, etc.
- Processing: This means any activity carried out on personal data, such as the simple action of making use of personal information. This includes, but is not limited to, analysing data, disclosing data, making data available and even destroying data. It's important to note that processing may be active or inactive. Active processing includes the above-mentioned forms, whereas inactive processing includes, by way of example, the storage of data on your personal computer. Therefore, even if you are not actively making use of data, you may still be processing it, and all legal principles concerning personal data still apply.
- Special Categories of Personal Data: This is another category of personal data and just like personal data, special categories of personal data pertain to any identifiable living person. However, this category of personal data concerns specific data related to more sensitive identifiable features of the data subject.
- Controller: The controller may be either a natural person or a legal entity, public authority, agency, sole trader or a body who/which has the capacity to determine the purposes and means of processing of personal data. The controller, either on its own or jointly (along with another controller), may determine the processes as to how and why data is processed and which data should be processed.
- Processor: The processor may be either a natural person or a legal entity, public authority, agency, sole trader or any body who/which carries out the processing activities on behalf of the controller. Therefore, an independent party outsourced to provide processing services may be defined as the processor.