The new, harmonised EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and must be applied from 25 May 2018 without any further transitional period. For us, this is reason enough to examine the GDPR in more detail in a series of articles.
What falls under data protection?
In principle, the regulation applies to all information relating to an identified or identifiable natural person. Whether that information is private, encrypted or sensitive plays no role in this first consideration: encrypted or pseudonymised data still relates to a person as long as someone can undo the encryption or pseudonymisation. Conversely, data that does not relate to natural persons falls outside data protection law altogether. Other rules, such as copyright law, naturally continue to apply to it.
This means, for example, that meteorological measurements such as temperature or precipitation do not have to be considered within the framework of data protection. Legal persons also do not enjoy the same protection as natural persons. But not all legal persons are equal in this respect. If a legal entity is closely tied to a particular shareholder (for example, if the shareholder's name appears in the company name and the company has no other employees), there is suddenly a direct link between information about the company and the natural person behind it.
The central question is therefore whether data can be assigned to a natural person. Such an assignment is possible either via a direct link in the data model (identification) or via detours, for instance by combining the data with other available information (identifiability). The mere potential for this is sufficient; whether the possibilities are actually exploited in practice is irrelevant.
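The distinction between identification and identifiability can be made concrete with a small data-modelling experiment. The following Python script is an added example, not code from the original article or from linkyard: it takes a constructed customer table, replaces the e-mail address by a keyed hash (pseudonymisation), and then shows two ways back to the person. Direct identification uses the key the controller still holds; identifiability uses a detour, namely a join over quasi-identifiers (postcode, birth year, sex) against a second, constructed dataset. The customer records, the auxiliary dataset and the HMAC key are all assumptions made for the example.

```python
"""Added example (not part of the original article): why pseudonymised or
anonymous-looking records are still personal data under the GDPR.

Two routes to a natural person are shown:
  1. Identification: a direct key in the data model (here a keyed hash of
     the e-mail address whose key the controller still holds).
  2. Identifiability: a detour over quasi-identifiers (postcode, birth
     year, sex) linked against another dataset the holder can obtain.

All records and the key below are constructed for this example.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample: the controller's customer master data.
CUSTOMERS = [
    {"email": "a.muster@example.org", "postcode": "8001", "birth_year": 1984, "sex": "f"},
    {"email": "b.beispiel@example.org", "postcode": "8001", "birth_year": 1984, "sex": "m"},
    {"email": "c.test@example.org", "postcode": "3011", "birth_year": 1990, "sex": "f"},
    {"email": "d.demo@example.org", "postcode": "3011", "birth_year": 1990, "sex": "f"},
]

# Constructed sample: an auxiliary dataset (e.g. a public register or a
# second internal system) pairing the same quasi-identifiers with names.
AUXILIARY = [
    {"name": "Anna Muster", "postcode": "8001", "birth_year": 1984, "sex": "f"},
    {"name": "Bruno Beispiel", "postcode": "8001", "birth_year": 1984, "sex": "m"},
    {"name": "Clara Test", "postcode": "3011", "birth_year": 1990, "sex": "f"},
    {"name": "Dora Demo", "postcode": "3011", "birth_year": 1990, "sex": "f"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def pseudonymise(customers, key: bytes):
    """Replace the e-mail address by an HMAC-SHA256 token, keep all other fields.

    This is pseudonymisation, not anonymisation: whoever holds `key` can
    recompute the token for any e-mail address and re-identify the record.
    """
    out = []
    for c in customers:
        token = hmac.new(key, c["email"].encode(), hashlib.sha256).hexdigest()
        rec = {k: v for k, v in c.items() if k != "email"}
        rec["token"] = token
        out.append(rec)
    return out


def reidentify_by_key(pseudonymised, candidate_emails, key: bytes):
    """Direct identification: recompute tokens for known e-mail addresses."""
    lookup = {hmac.new(key, e.encode(), hashlib.sha256).hexdigest(): e for e in candidate_emails}
    return {r["token"]: lookup[r["token"]] for r in pseudonymised if r["token"] in lookup}


def quasi_key(rec):
    """The quasi-identifier combination of a record, used as a join key."""
    return tuple(rec[f] for f in QUASI_IDENTIFIERS)


def reidentify_by_linkage(pseudonymised, auxiliary):
    """Identifiability via a detour: join on quasi-identifiers.

    A record is re-identified when its quasi-identifier combination matches
    exactly one person in the auxiliary data; otherwise the detour only
    narrows the record down to a group (value None).
    """
    groups = {}
    for a in auxiliary:
        groups.setdefault(quasi_key(a), []).append(a["name"])
    result = {}
    for r in pseudonymised:
        names = groups.get(quasi_key(r), [])
        result[r["token"]] = names[0] if len(names) == 1 else None
    return result


def k_anonymity(records):
    """Smallest group size over the quasi-identifiers.

    k = 1 means at least one record is unique in its combination and is
    therefore trivially linkable to an outside dataset.
    """
    counts = Counter(quasi_key(r) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    key = b"controller-secret-key"  # assumed secret held by the controller
    pseudo = pseudonymise(CUSTOMERS, key)
    print("k-anonymity of the pseudonymised set:", k_anonymity(pseudo))
    print("direct re-identification:", reidentify_by_key(pseudo, [c["email"] for c in CUSTOMERS], key))
    print("linkage re-identification:", reidentify_by_linkage(pseudo, AUXILIARY))
```

Running the script shows that removing the e-mail address changes nothing legally: the controller can reverse the tokens with its key, and two of the four records are unique in their quasi-identifier combination (k = 1), so a third party with the auxiliary data can name them without any key at all. The remaining two records share a combination and are only narrowed down to a group of two, which is still a long way from anonymity. A practitioner wanting to argue that a dataset is anonymous would have to show that neither route works for anyone who could plausibly obtain the data.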
EU citizens are also protected in third countries
A central innovation of the GDPR is that the data of persons residing in the EU, regardless of their nationality, is also protected when it is processed in third countries. For companies in Switzerland, for example, this means that from 25 May 2018 the GDPR applies alongside Swiss data protection legislation. If a company supplies products to customers in the EU and therefore keeps the contact data of EU residents in its CRM system, it is subject to EU law for that processing and can be investigated and fined by the EU supervisory authorities.
The who's who of the GDPR: the participants
The GDPR essentially distinguishes between five roles:
| Role | Definition |
|---|---|
| Supervisory authority | An independent public body that monitors the application of the GDPR and enforces compliance. In Germany, for example, these are the state data protection commissioners. Under the one-stop-shop mechanism, a single lead supervisory authority is responsible for a company throughout the EU, even if it does business in several member states. Compared with the previous law, this is a substantial simplification. |
| Data subject | An identified or identifiable natural person to whom the processed information relates. |
| Controller | The natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data. |
| Processor | The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. |
| Recipient | A natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. |
The word processing in this context means "any operation or set of operations which is performed on personal data ... whether or not by automated means" (Article 4(2)). In particular, this includes collecting and recording data, any use of it and any disclosure of it. Even merely consulting the data counts as processing.
Controllers and processors
Two roles are distinguished for the regulated companies: controllers and processors. The controller is responsible for all data protection measures. If it involves third parties, it must bind them with clear and appropriate contractual conditions and give them instructions on data protection. The processor is then obliged to comply with these requirements. Some simplifications apply to pure processors.
However, it is not always obvious whether a company "merely" acts as a processor. The decisive criterion for who is the controller is who decides on the purposes and means of processing the personal data. While a processor retains a certain margin of discretion regarding the specific technical means, there is no such margin regarding the purpose of processing. A processor that starts deciding on purposes of its own quickly becomes a (joint) controller itself and has to fulfil the same obligations. Accordingly, the regulation explicitly provides for joint controllership as a variant.
Our article series on the subject
- In the lead-in article, we drew attention to the need for action.
- In this first part of the series, we introduce the various actors and set the framework.
- In Part 2, we examined the principles of data protection based on four pillars.
- Part 3 explains the special requirements for the processing of special categories of personal data and profiling, which is regarded as particularly critical.
- In Part 4, we highlight legally privileged, desired processing methods.
- The last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT projects.
linkyard specializes in the realization of software solutions with high security requirements and in the professional support of IT procurement processes. For the correct and economical implementation of data protection requirements in IT systems in particular, an iterative collaboration between IT security specialists such as linkyard and a specialized lawyer has proven advantageous. Finding the most cost-effective solution that is at the same time legally compliant often requires drafting and evaluating several implementation variants, and the first feasible solution usually still undergoes some adjustments. We would be happy to support your project as well.