The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy in the European Union and the European Economic Area (EEA). It also regulates how personal data may be transferred outside the EU and EEA.
Personal data is any information relating to an identified or identifiable person, also known as the data subject. Examples of personal data:
- first name and last name,
- ID/passport number,
- cultural features,
- IP address.
The law gives people strong rights to manage their own data. It protects us, natural persons, from abuse. It obliges companies to guarantee everyone the right to:
- be informed about the processing of their data;
- access their personal data;
- have their data corrected;
- have their data erased (the right to be forgotten);
- object to the processing of their personal data for marketing purposes;
- request the restriction of processing of their personal data;
- data portability: receive their personal data in a machine-readable format and send it to another controller;
- request that decisions based on automated processing which concern or significantly affect them are made by natural persons, not only by computers;
- be notified of a data breach (a person should be informed within 72 hours of the controller first becoming aware of the violation).
How do you ensure that these rights are respected for SaaS users?
On the EU GDPR webpage (https://gdpr.eu/what-is-gdpr/), we can find this phrase:
“(GDPR) is the toughest privacy and security law in the world.”
And we fully agree. It is restrictive and requires even small businesses to be fully committed to protecting user rights. On the other hand, there is a risk that profiling and making automated decisions on our behalf may limit our freedom.
The GDPR provides broad protection of the individual’s rights while imposing several new obligations on entrepreneurs. Until now, entities wishing to demonstrate due diligence have applied for ISO certificates in the field of data security. The current regulations impose the obligation to ensure the safety of the processed data on all entities dealing with personal data. One of these obligations is appointing a Data Protection Officer (DPO) in certain cases and keeping detailed documentation describing the data processing.
Who does the GDPR apply to?
The GDPR applies to companies based in the European Union, to citizens and people living in the EU, and to those who want to offer services to them. If you are outside the EU but your customers are from the EEA (the EEA covers more countries than the EU itself), it applies to you as well.
The GDPR applies to every business operating in the European Union that processes personal data, whether a sole proprietorship or a company. The nationality of the persons whose data is processed, where the processing takes place, and where the servers are located do not matter.
Examples of entities covered by the GDPR:
- an entrepreneur headquartered outside the EU but performing activities on its territory,
- entities that offer their services to clients outside the Union but have their offices in the Union,
- companies processing data via cloud computing - it does not matter where the servers are located,
- an entrepreneur who does not have organizational units in the EU but offers EU citizens goods and services (e.g., an online store).
The GDPR may also apply to entities (controllers and processors) that do not have an organizational unit in the EU, including the obligation to appoint a data protection officer, when their processing activities relate to:
- offering goods or services to data subjects in the EU, whether or not payment is required; or
- monitoring their behavior, as far as this behavior takes place in the EU.
Data Protection Officer: do you need one?
When your company is established in the EU, you are obliged to appoint a DPO if:
- You are a public authority or body and have appointed a DPO (except if you are a court acting in its judicial capacity).
- Your main activity consists of processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale (e.g., you’re Google ;-)).
Here it is crucial to explain what “large-scale” means. The GDPR does not define the concept of “large-scale” data processing. However, it is recommended to consider the following factors in order to determine whether large-scale processing takes place: the number of data subjects (a specific number or a percentage of a particular group of the population), the scope of the personal data processed, the period for which the data is processed, and the geographical scope of the processing. Thus, describing a process with this term is quite relative. The concept of “regular and systematic monitoring” of data subjects is also not defined in the GDPR. However, “monitoring of data subjects’ behavior” is mentioned in Recital 24 and includes all forms of online tracking and profiling, including behavioral advertising.
- Your main activity is the large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offenses.
Now, what does “special categories of personal data” mean? Special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data and biometric data processed to identify a natural person.
As mentioned above, if your company is not established in the EU but your clients are EU residents, you (as the data controller) should have a representative registered in the EU. The DPO appointment should be notified to the competent supervisory authority of the relevant Member State.
The DPO should:
- be aware of national and European data protection laws;
- be familiar with the practices in the field of personal data protection;
- have business and industry knowledge regarding the controller’s activities;
- know the data processing processes;
- know the information systems and security measures used by the controller and its data protection needs;
- demonstrate knowledge of the entity’s administrative procedures and operations.
The DPO is therefore expected to play a crucial role in supporting a “data protection culture” and to help implement the necessary elements of the GDPR, i.e.:
- rules for the processing of personal data;
- the rights of data subjects;
- data protection by design and data protection by default;
- keeping a register of processing activities;
- processing security requirements;
- reporting violations.
The DPO is supposed to be easily accessible as a point of contact for employees, individuals, and the Information Commissioner’s Office (ICO). Their contact details should be published on your website. If you are not obliged to appoint a DPO, you can still designate a person who will follow the newest trends and EU recommendations and keep an eye on your company’s personal data security.
Note from the author:
Even though this article contains a lot of practical information about legal matters, you cannot treat it as legal advice. Each case is different and requires an individual approach. The purpose of this article is to help you understand the essence of its subject.