GDPR OVERVIEW
- Ryan Holland
- Aug 16, 2018
- 3 min read
EUROPEAN UNION
GENERAL DATA PROTECTION REGULATION
(GDPR) (EU) 2016/679
SUMMARY:
The General Data Protection Regulation (the “GDPR”) is a privacy law passed by the European Union governing internet privacy, personal data collection, and data protection for all citizens of the European Union (the “EU”) and European Economic Area (the “EEA”). However, the GDPR has reach outside of the EU, since it applies to all processing of EU citizens’ data by any corporation, regardless of whether it is based in the EU or abroad.
The GDPR distinguishes data handlers as either data controllers or data processors. A data controller “determines the purposes and means of the processing of the personal data”, while a data processor “processes the personal data on behalf of the controller” (Art. 4 GDPR). For example, if ABC, Inc. sells software products to EU consumers and contracts with XYZ, Inc. to send promotional emails and track consumer engagement activity, then ABC, Inc. is a data controller and XYZ, Inc. is a data processor.
MAJOR NEW RULES UNDER THE GDPR:
Consent. The overarching theme in regard to consent under the GDPR is the general restriction on long, illegible terms and conditions provided to consumers. The terms and conditions must be easily understood and easily accessible to any consumer that may be affected by them. Further, one of the more notable effects of the GDPR is the ability to withdraw consent. Consumers should be provided clear details concerning the company’s use of their information, and that consent should be essentially as easy to withdraw as it is to give (Art. 7 GDPR).
Breach Notifications. In the event of a data breach, and more specifically a data breach that carries the potential risk of exposure of consumer information or other effects on the rights and freedoms of EU citizens, companies must submit a breach notification within 72 hours of first becoming aware of the breach (Art. 33 GDPR).
Right to Access. Under the GDPR, all EU consumers have the “Right to Access”, meaning data controllers must provide copies of records/statements detailing the use of a consumer’s personal data free of charge upon request. The underlying takeaway of this rule is that companies are now required to implement and enforce policies for data control and identification of data source and use (Art. 15 GDPR).
Right to be Forgotten. Under the GDPR, all EU consumers also have the “Right to be Forgotten.” Often referred to as “Data Erasure”, the GDPR requires data controllers to immediately discontinue use of and remove all personal data related to a requesting consumer from company systems, and to take further action to ensure that all data processors who may hold such data do the same (Art. 17 GDPR).
Data Portability. Another consumer right under the GDPR is the right to receive, upon request, all data provided to data collectors. Consumers also may request that all such data be transmitted to another data controller of their choice at any time (Art. 20 GDPR).
Privacy by Design. The “Privacy by Design” mandate under the GDPR requires that any new system utilized by data controllers and processors must be designed with certain data protection measures in place from the time of launch, rather than having such protection measures added afterwards (Art. 25 GDPR).
Storage Limitation Principle. The GDPR effectively limits the amount of time personal data can be held and/or stored by data handlers. Essentially, personal data may not be stored for any longer than necessary to achieve the purpose and reason for the data’s initial collection and, once the goal for which the data was collected is reached, the data should be disposed of in accordance with GDPR-compliant procedures (Art. 5 GDPR).
Penalties. Violations of the GDPR carry significant penalties. After an investigation reveals evidence of any GDPR violation, the violator could face a maximum fine equal to 4% of the company’s annual global turnover or €20 million ($23 million), whichever is greater (Art. 83 GDPR).