Personal data of EU citizens also protected in third countries


The new, harmonised EU basic data protection regulation came into force on 24 May 2016 and is to be applied from 24 May 2018 without any further transitional period. For us, this is a reason to examine the basic data protection regulation in more detail in a series of articles.

What is covered by data protection?

In principle, it can be stated that the regulation concerns all information relating to an identified or identifiable natural person. The extent to which this data is personal, encrypted or sensitive is irrelevant in this first consideration. All data that does not relate to natural persons is therefore not considered for data protection purposes. Other regulations, such as copyright law, of course still apply.

This means, for example, that meteorological data such as temperature, precipitation, etc. do not have to be taken into account for data protection purposes. Furthermore, legal persons do not enjoy the same protection as natural persons. However, not all legal persons are equal in this respect. If a legal entity is closely linked to a particular partner – for example, if the partner’s name is in the company name and the company does not employ any other employees – there is suddenly a direct link between the information on the company and the natural person of the partner. This already partially softens the clear rule as to what is to be taken into account and what is not, and data on legal persons is then also covered by the law.

Central to this consideration, accordingly, is whether data can be assigned to a natural person. This assignment can be possible via a direct link in the data model (identification) or via detours (identifiability). The potential that data could be assigned to a specific person is therefore sufficient. Whether the possibilities are used in practice is irrelevant.

EU citizens are also protected in third countries

A central innovation of the EU data protection basic regulation is that the data of persons residing in the EU – regardless of their nationality – are also protected in third countries. For companies in Switzerland, for example, the EU Data Protection Basic Regulation will apply to the data of EU persons from 24 May 2018 in addition to Swiss data protection legislation. The market place principle (similar to the VAT principle) is the primary criterion for determining which data protection legislation is applicable. For example, if a company offers products to customers in a web shop and therefore keeps the contact data of EU persons in the CRM, this is sufficient for the company to also be subject to EU law and to be liable to the high fines imposed by the EU. Not covered by the European DSGVO in Switzerland are services that are provided locally, such as hairdressing salons, dentists, etc.

The who is who of the basic data protection regulation: the parties involved

The basic data protection regulation essentially distinguishes between five roles:

Supervisory authority: An independent, governmental body that monitors the implementation and ensures compliance with the basic data protection regulation. In Germany, for example, these are the state data protection officers. A significant simplification of the previous law is that within the entire EU, in the sense of a one-stop shop, only one supervisory authority per company is now responsible, even if business is conducted in several EU states.
Person concerned: An identified or identifiable person to whom processed information relates.
Responsible person: The natural or legal person, authority, etc., responsible for implementing data protection in the context of the processing operations carried out.
Contractor: The natural or legal person, authority, etc., which processes personal data on behalf of the controller.
Recipient: The natural or legal person, authority, etc., to whom personal data are disclosed, whether it be a third party or an entity within the controller’s business.

The word processing in this context means “any operation performed with or without the aid of automated processes relating to personal data” (Article 4(2)). In particular, this includes the input of data, any use and disclosure. The mere fact of having access to data constitutes processing.

Persons responsible and processors

Two roles are distinguished for the controlled companies: responsible persons and order processors. The person in charge is responsible for all measures relating to data protection. If he calls in third parties, he must give them clear and appropriate contractual conditions and instructions regarding data protection. The processor is then obliged to comply with these requirements. Some simplifications apply to pure processors.

However, it is not always obvious whether a company “merely” assumes the role of a processor. After all, the decisive factor in determining who is responsible is, first and foremost, who decides on the purposes and means of processing personal data. While the processor still has a certain degree of discretion with regard to the specific technical means, it has none with regard to the purpose of the processing. A processor can therefore relatively quickly become a (co-)controller itself and have to comply with the same requirements. Accordingly, the regulation also provides for joint responsibility as a variant.
