This article is written by Barathwaz T, third semester student of School of law Christ University, Bangalore.
What are the Protected Categories of User Data under GDPR?
The whole concept of GDPR revolves around the elements of protecting the personal information of natural persons and its associated use relating to individuals in the EU from individuals, organisations or companies. This protection of privacy does not apply for legal or deceased person. The restrictions are applicable only if the use or process of data is for reasons other than personal or activities carried out in the household. The categories of user data, that is protected under GDPR which are “personal data” and “sensitive data”.
Before moving the concept of “Data Subjects” has to be clarified. Data subjects are those natural persons whose data enables one to identify the person. The following are some examples of categories of data subjects.
- Public officers
- Website end-users
- Application end-users
Understanding of the term “personal data” is essential. Article 4 (1) of the GDPR defines “personal data”. Personal data or information is an identification or recognition that is associated with the natural person. It can be in the form of direct information that reveals the person’s identity or it can be a group of “innocent” data such as height, job position etc, put together will serve the purpose. In layman’s terms it the information that clearly indicates a natural person is his personal data. Personal data that is served encrypted, pseudonymised and de-identified, but can be used to identify the person will still be governed under GDPR and be considered personal data. To get more clarity as to the ambit or categories of personal data, follow the table below.
Knowledge and Belief
Government Identification and Name
Professional / Employment and business
Personal device Identification
GDPR applies to all regardless of the technology used for processing or collecting personal data. GDPR is technology-neutral and applies to both manual and automated information collection systems, only criteria being a predetermined data organisation technique. All personal data is governed under GDPR irrespective of the data storage mechanism, be it use of IT or paper or video surveillance, the data is subject to GDPR.
“Sensitive Personal Data” is a subset of personal data which receives a higher pedestal of regulation and a ban on its collection without the explicit permission of the data subjects, except for a few special situations enlisted in Article 9 of GDPR. Categories of such data are as follows:
- genetic data,
- biometric data,
- racial or ethnic origin,
- religious or philosophical beliefs,
- political opinions,
- sex life and sexual orientation,
- health data.
Exemptions to this general rule is given under the second paragraph of Article 9. It has ten exemptions to it, they are as follows: (to know more click here)
- Explicit Consent,
- Vital interest,
- Membership organisations,
- Information in public domain,
- Legal proceedings,
- Public interest,
- Public health,
- Medicine, and
Do Users Own Their Data? User Rights Under GDPR and how companies can comply with those liabilities.
GDPR has enlisted a set of eight rights that all EU citizens are entitled to under chapter 3 of the GDPR. All data controllers and processors have to take up exercises to comply with and protect the rights of the citizens. To move further, it is very important to understand the terms “Data controller” and “data processor”. The data collector is an individual, company or any other organisation that decides purpose and means of processing data. Data processor is someone who processes data on behalf of the controller.
The Right to Be Informed
If a data controller or a data processor use or process personal data of someone then the person has the right to know about it. The GDPR requires disclosure of:
- The details of the person processing his or her data.
- Contact details ought to be shared with the data subjects.
- The reason behind the processing of their data.
- Detail of the legal basis upon which their data is collected.
- The duration of storage and process of their data.
- If the information is shared then, the details of the third party and its associated reason.
- What rights does the controller or processor have over their data?
The Right of Access
Under Article 15 of the GDPR, a customer can ask for information regarding the use and process of the personal data that are used. This is technically known as Subject Access Request. Recital 59 mandates for the facilitation of the exercise of the rights of data subjects. This information shall include:
- Confirmation as to the usage of data.
- Copy of all the personal details of the user.
Subject Access Request
GDPR all advocates for a system that provides for electronic request. It is always necessary to create a subject access request form.
The Right to Rectification
One of the fundamental principles of data processing is “accuracy. This is not just principal it is also given as a right to the user under article 16; right to rectification. This right granted to the user gives the opportunity for the user to request to change any data or modify any data that is inaccurate that is being held by the data controller or processor.
The Right to Erasure
The right to erasure is also called as the right to be forgotten which is mentioned under article 17 of the GDPR. This right was a codification of an existing principal which stems from the case Google Spain v AEPD, Mario Costeja González (2014). In this case, Mario Costeja Gonzalez succeeded in his efforts to get google to remove all the reference that it has made to him in the search results. However, no right is absolute. Data subjects cannot enforce this right against all the data controllers and processors, but such right shall be exercised in certain situations like:
- The data is no longer used.
- On withdrawal of consent by the user.
- If there is a legal obligation to do so.
- If the data of the user is unlawfully obtained.
- Certain conditions related to children under Article 8.
The Right to Restrict Processing
This right to restrict processing is available to the users under article 18 of the GDPR. This guarantees a substitute right when the right to erasure is not feasible due to any situations that are mentioned above. User can demand the company or the data controller to restrict the use of his or her personal data to specific terms and conditions even though he has failed in exercising is right of erasure.
It is always advisable to have an electronic system for handling restricted data when the user demands to exercise his right. Recital 67 suggests tips to manage this type of request from users:
- Moving restricted data into a separate system through which it can be operated.
- Temporarily remove the data from the website or the place where such data is stored.
- Make the data temporary unavailable to be accessed by the user or any other user who uses your website or who has access to any such systems.
The Right to Data Portability
Article 20 of GDPR gives users the right to demand a copy of personal data that the company process and the right to transfer their personal data to whomsoever they want to. However, this right is not absolute and can’t be exercised by the users when it is done on a legal ground other than consent.
A company can save itself from obliging to the exercise of rights by users, by getting consent or contracting with them for providing such user data and it’s associated processing. Other ways to save oneself from such request is by creating a third party system to provide such services.
Third Party System
Company shall consider creating a third party service which shall enable them to do data portability on behalf of their uses. Such services are offered in most of the European countries including the UK. Recital 69 solicits for easy facilitation of data transfer of data subjects from one company to another or from one controller to another in a technically organised manner. Companies can also consider creating their own systems instead of outsourcing the service to a third party, the only concern being such systems have to be technically organised, commonly used and machine-readable format.
The Right to Object
Article 21 of GDPR deals with this right of objection, by the data subjects against processing their data. This right of objection does not mean that the data subjects can request to delete the information stored. This right is very important in case of direct marketing, as the user can absolutely object to processing their information for the purpose of direct marketing and if such exercise of the right of objection is made it is mandatory for the companies to comply with it. However, exercising of this right other than direct marketing needs little more complex legal ground that has to be established by the data subject to enforce his right.
Recital 70 solicits companies and other data users to make an attempt in creating awareness about the right to object in clear terms. It is always better to give an unsubscribe link while sending marketing emails sent to the customers.
Rights Related to Automated Decision-Making and Profiling
Article 22 of GDPR talks about this rate of data subjects it is also one of the most unpopular rights amongst all rights that are guaranteed in the GDPR. This right of the data subjects relating to their Automated Decision-Making and Profiling is not applicable to all types of companies. To know the type of companies that must be concerned in ensuring compliance will be all those who are involved in automated decision making and profiling activities.
Automated decision making means any system generated output that is not intervened by human interaction, for example, systems that generate credit score to customers based on their past credit performance. Profiling is using pool data to predict the behaviour of a specific group. Companies that are involved in such activities or using such a system in the business operation have to provide for a review by humans (stall or employee) mechanism which shall be done on-demand to exercise of the rights of users.
Consent under GDPR and How to Obtain such User Consent
Consent under GDPR
Data being one of the most sensitive and vital information about a person: the GDPR has prohibited the processing of such data but has also allowed for six grounds on which such data shall be processed. These six grounds are provided under Article 6(1) of the GDPR. One such ground is the consent of the relevant party. Article 7 of GDPR exclusively deals with valid consent, which requires consent to be freely given, specific, informed and unambiguous. To have a better understanding of the elements of consent under Article 7, it shall be discussed in detail.
Free consent involves a voluntary declaration of the data subject. Such consent obtained must be free from any form of undue influence and pressure.
Informed and specific consent shall be ensured by means of disclosing a few essential information such as the controller’s identity, kind of data to be processed and the purpose etc. The power of the data subject to withdraw the consent at his will can be an addition to the list of information to be disclosed.
The last element is that the consent so given has to be unambiguous. To ensure ambiguity the shall be an affirmative act or clear communication. Under GDPR the concept of implied consent is not recognized, hence there shall be clear and unambiguous consent.
As discussed above, obtaining consent is not a silver bullet; it is too complicated as all the elements of consent have to be fulfilled. Also, the concept of implied consent is not recognised. Therefore, it is always better to choose consent as the last choice while obtaining or processing the information from the customer because of the above said reason and also, it can be withdrawn by the data subject at any time in the future. Usually, business organisations to whom the processing of data is a core activity, don’t rely on consent as a base to obtain information.
How to Obtain such User Consent
If at all consent is inevitably the only base that one can rely on, it is advised to follow the steps below to ensure that the consent so obtained has fulfilled the requirements under GDPR.
Methods of data collection
- Consent request forms: digital and on physical paper;
- Opt in-box in an electronic form to be ticked by the customer;
- Make opt-in button or create link online to get their consent;
- Making dashboard preferential settings;
- Send a Consent Request form through the mail;
- Oral consent request is also an efficient source or;
- Any other equally efficient means of acquiring consent.
The method of obtaining consent shall be any of the above, but the real question is whether these methods address all the elements of consent. The withdrawal to such consent should be very easy to be done by the party.
General instances where consent is required
Most websites use the default application of the cookies on to users and if the users have the freedom to opt-out of this from the dashboard. This is the conventional way of obtaining cookie consent. With the advent of GDPR, free consent has become very strict which renders the conventional methods invalid. Look at South Bank’s conventional approach to cookie consent, which under GDPR is not valid consent.
The cookie consent of the European Central Bank is for very basic, check out Experia’s consent request which involves various types of cookies out of which the user can choose the type of cookies that one wants.
Consent for Sending Marketing Material
The conventional methods the websites and other digital forums use is the pre-ticked boxes that help users automatically the subscribers of their email list. However, this method does not qualify as free consent under GDPR. To make sure that there is compliance with all the elements of free consent is fulfilled; one should adopt practice similar to Dynastar which enables the users to enter their email id by themself if they do so, it is deemed to be that free consent is given. Double opt-in is a very popular way to ensure that the consent is given, in this method the user is asked to confirm his or her subscription.
Consent for Third Party Marketing
The conventional methods the websites and other digital forums use is they share the details of the third party or directly send in their marketing material to the users, both of which are prohibited under GDPR. The best way to get around this problem is by using bundled consent request. This technique requires the data controller to acquire consent for sharing the information with the third party and also includes the relevant information of the third parties to whom the information is shared. This is bundled with the other consent request protocols. Take a look at how Escapio has handled the bundling technique in its website.
GDPR: purposes for which data can be collected (and processed) or not
GDPR talks in detail about the six lawful bases or instances that will be invoked while collecting or processing user data. These bases are scenarios in which it will be legal to process personal data of people.
- Consent: is a no brainer, as we have discussed in the earlier section as to the element, ineffectiveness of consent, situations where consent is needed and methods of getting consent. Another most important part about consent is that it should be easy for the user to opt-out if he wants to.
- Contractual obligation: is one of the most common and simple bases available for businesses to process data under GDPR. A business organisation shall process user data on a contractual basis. Which shall then be a contractual obligation of the user to provide access to his data and give permission to process such data obtained. The contractual relationship does not give the data processors an absolute right to the user’s data, any data so processed outside the scope of the contract shall be substantiated with any other legal basis.
- Legitimate interest: of the user can be a legal base for processing the data. This processing activity is what the user would generally expect to be done by the processor when he gives his data like fraud protection and marketing activities. To use legitimate interest as a base to process the data of the user a balancing test shall be undertaken: is the processing activity of the business so essential to the functioning of the business? Does this activity of the business cause less risk to the privacy and freedom of the data subject? If the answer to either of the questions is “no”, then the business cannot use legitimate interest as a legal basis to process such data.
- Vital interest: is an interest that is associated with an emergency situation where personal data of the subject is very vital to the life of the data subject; situations like a medical emergency
- Legal requirement: arises when the processing activity is necessary as a legal obligation arising out of a statute or any other equally efficient legal document. These obligations may arise under security, consumer law or employment laws.
- Public interest: can be invoked only by a government organization or government authorized agents who can process the data of the users.
Pointers to be noticed before choosing a legal base
- There shall be a legal base that the business will decide before processing the data of the data subjects. This legal base so selected shall be final and the business can’t be alternated between two legal bases whenever necessary. Also, the legal base has to be decided before processing the data, it can’t be chosen after all the processing is done.
- The processor has to be open with the legal base that it has opted, and should be able to demonstrate it at all times of the process. Also, the data processors should be able to demonstrate the way in which the data or the consent (if gotten) was obtained.
- The type of legal base that is used to get users data will significantly affect the way in which the rights of the users are exercised. So, a firm which is willing to obtain user data must also think in lines of this to arrive at a perfect base to process data.
- If the organisation uses multiple bases to process data, it shall be obliged to distinguish between the legal bases that are being used to process different types of data.
- There is no hierarchy of legal base that is ranked most or least desired. The appropriate base shall solely depend on the purpose for which the data is being processed.
- It is important to be noted that there is a special group of data that is categorized as sensitive personal data that attract a higher level of regulation and collection of which without the consent is not permitted. These types of data needs a different legal base, unlike regular personal data that is being processed.
How should an Indian business operating in the EU or collecting EU User data comply with GDPR?
Any organisation who use or process EU citizens’ data irrespective of their presence or operation in the EU region. All startups and other organisations who wish to collect or process the data of EU citizens, then the compliance part kicks in. The following is an account to ensure compliance of the GDPR for all those small and medium firms out there struggling to comply due to paucity of resources. Territorial applicability of the regulation is given under Article 3 of the Regulation.
- The policy must be easily accessible by the data subjects.
- The policy shall be very transparent, clear, concise and unambiguous in nature.
- The language should be plain and simple and special care has to be given to when the request is made to a child (16 Years old).
In addition to this, GDPR also talks about the type of information that has to be written in a privacy document. This information substantially differs, if the information is directly obtained from the data subject and indirectly obtained from the data subject.
Information to be provided if directly obtained from the data subject
- Information and contact details of the controller and its DPO (Data Protection Officer).
- The purpose and need for the processing of users’ data.
- The legal basis that has been invoked.
- Mention the recipient or the categories of recipients of the users’ data.
- The details are to be provided if the data is shared with any third country and the safety measures taken, to avoid data breach of any nature.
- The retention period for which the controller will have access to the data and the categories that are used to fix such a retention period.
- The existence of the rights of the user has to be expressly mentioned in the policy document.
- Withdrawal procedure that has to be followed by the data subject when he or she wants to enforce his or her right.
- The right to lodge a complaint to a superior authority.
- If the legal base is of a contractual or statutory in nature, then the consequence of not providing the requisite information has to be given.
- Provide information about the automated information system that has been adopted by the organisation in profiling and other information.
Information to be provided if indirectly obtained from the data subject
- All the above said information except point 10.
- And, add categories or types of data that is obtained.
Obtain valid consent
Obtaining consent and other ways in which consent can be obtained is discussed in detail in the earlier part of the document. Please refer the same for more information regarding the same.
Appoint a Data Protection Officer (DPO)
GDPR mandates for a DPO who will be the enterprise’s data security leader. The core functions of a DPO is to formulate data managing strategies and ensuring compliance with the GDPR.
A DPO has to be appointed at all public organisations that stores or processes the data of citizens of the EU. However, there is a threshold that has to be reached for this purpose. DPOs must be appointed for public authorities when data processing is the core activity of the business which deals with personal data on a large scale or when the special category of data is constantly being used in a very large scale.
GDPR has in its language made it clear that the size of the enterprise does not contribute as a factor when deciding the need for a DPO but has rather mentioned that the size and scope of the data being used should be the factor. However, the concept of large scale is not being discussed in the GDPR. This shall be decided with the help of the four determining factors they are:
- Data Subject
- Data Items
- The period of data retention
- The geographical range of processing
Data controllers and Data processor
Under the GDPR regime, the roles and responsibilities of a data processor and controller have been made very stringent. If an organisation or business wish to be a GDPR compliant then they can’t afford to miss out on the data controller and data processor responsibilities.
The data controller is a legal, natural or authority who decides as to why and how the data is being processed. In instances where there are more than one legal, natural or authority who decides as to why and how the data is being processed, then they shall be collectively referred to as “Joint Controllers”. The data processor is simply that organisation or business who undertakes the activity of processing the data supplied by the data controller. This transaction is commercial in nature where the controller is the customer of the processor.
Joint controller compliance
- Each controller who is a part of the joint controller of data shall be able to clearly and unambiguously demonstrate his specific responsibility in the joint controllership to any individual or any other superior authority.
- If the joint controllers are from an EU state then their relationship shall not violate the municipal laws of their respective EU member state.
- Each controller who is a part of the joint controller of data shall be able to clearly and unambiguously demonstrate the nature and type of arrangements that have been established with the other controllers in the joint controllership.
- Implementation of a code of conduct (Discussed later in the article).
- Implementation of the certification process mentioned in GDPR (Discussed later in the article).
The controller has to adhere to a few principles during the two stages of deciding “why” and “how” the data is being processed. These principles include technical and organizational measures. The most important ones are:
- Pseudonymization of the data given by the users.
- Encrypting all the personal data.
- Adhere to the principle of CIA: confidentiality, integrity and availability.
- Creating a resilient processing system.
- Ability to restore data in case of mishaps.
- A system that supports audits, inspection and other security measures.
- The processing and collection of information shall be related only to the current purpose.
- The controller is obliged to select only processors who are GDPR compliant.
- The controller has to do data protection impact assessment (DPIA) on a regular basis (Discussed later in the article).
Controller’s compliance outside the EU region
The above-said responsibilities of the controller have to be adhered to, in addition, a representative has to be appointed by the controllers and also ensure the following pointers:
- The representative should be within the EU.
- The representative shall be in a position to engage with the supervisory body and individuals to respond to issues and ensure compliance under GDPR.
- The representative shall act as a mere mediator and does not reduce any kind of responsibility that lies with the controller.
- The appointment of such a representative shall b in a written mandate.
- The data processing shall be undertaken only on the basis of a written statement that requires the data processors to do so also, the same shall be documented.
- The data processors should be able to demonstrate the GDPR compliance in a clear and unambiguous manner.
- The processor is prohibited from outsourcing the processing work from a third party who process the data for them, without written consent from the controller.
- If a processor is under any special data regulation under any municipal laws of the member state, the same shall be communicated to the controller beforehand.
- The processor has to commit to be confidential with the data which is being dealt with.
- Assistance as to the compliance by the controller has to be provided by the processor.
- On-demand by the controller, the processor must deletes the information.
- The processor has to record all the information regarding the processing including:
- Name and other details of the controller, processor and DPO of the organisation they deal with.
- The purpose for which data processing is done for each controller.
- Categories of data subjects and types of data.
- Details of 3rd party transfer.
- Details of 3rd party country’s involvement.
- Data retention period of the data for each controller.
- Technical and organizational systems that are employed by the processor.
Data Breach compliance
The organisation (controller or processor) has to ensure that there is a mechanism which ensures that there is no possibility of a data breach, but it is close to impossible to give 100% protection. So the GDPR mandates for regulations that have to be followed during times of data breach. The organization have to ensure the data breach is been communicated to:
- The supervisory authority and;
- The individuals whose data is possibly breached.
For both these notifications, there is a communication procedure that has to be followed by the organisation that has been internally made. Such an internal mechanism has to be in line with the following guidelines:
- Communication has to be made within 72 hours of the occurrence of such a breach.
- If the information breach has occurred from the side of the processor it has to be informed to the controller without any delay.
- Provide the contact details of the Data Protection Officer.
- Documentation of the facts related to the breach that occurred, and make it available to the authorities.
- Nature of the breach.
- An approximate number of data records affected and the number of individuals affected.
- Consequences that might arise due to the breach.
- Propose the measures to mitigate the losses that have occurred.
Communication to individuals
- The notice has to be made immediately to the data subjects individually.
- The notice has to be made in a clear and unambiguous manner.
Data Protection Impact assessments (DPIA)
GDPR recommends undertaking a DPIA with respect to the nature of data processing and especially when moving or adopting new technology. If the DPO is present then the controller ought to take his guidance before running a DPAI. The following are the instances where the GDPR mandates for a compulsory DPIA:
- When huge amount of special category data is being processed.
- When an automated system for profiling and other activities are extensively used.
- Large scale processing of publicly accessible data.
- Other instances of similar nature, when mandated by the relevant authorities.
What is the prime focus while doing a DPIA?
- Examine the purpose of processing.
- Examine the method of processing.
- Assess the risk associated with individuals’ freedom.
- Measures to mitigate in case of any breach or loss.
Code-of-conduct and certifications
The GDPR recommends for a professional community to represent various types of processors and controllers to come up with code of conduct that can be aligned to the GDPR, which will help these small group of organizations to comply with the data protection law.
GDPR also encourages for certification of the level of security that is being served by the organisation. This shall help the consumers to make an informed decision. To know more about the Code-of-conduct and certifications please refer to the official document of GDPR.
GDPR and reciprocity arrangements of EU with other countries for data transfers
Though GDPR is an EU based law there is a need for a robust mechanism that has to be set in place, so as to ensure there is smooth flow of data transfer. This is so important in the regime of liberalisation and globalisation where all the organisations are dependant on each other to survive in the market. To ensure this the EU authorities have created a mechanism known as the “Adequacy decision”.
The adequacy decision is a finding undertaken by the EU regarding the data protection laws of other countries, territory, sector or organisations to ensure whether the country has a data protection regime that is as robust as the GDPR. If the country, territory, sector or organisation is covered under adequacy decision then a restricted data transfer shall be undertaken.
Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and USA (Privacy Shield). Data transfer to these countries is expressly permitted.
India is not on the list does it mean that it forecloses any kind of data transfer between India and EU members.
What to do if there is no adequacy decision?
A restricted data transfer can be made between two public authorities or organisations provided that they create a legal instrument which provides for safeguards of the rights of the data subjects whose data is being processed. This legal instrument must include appropriate safeguards which must include enforceable rights and effective remedies for the individuals whose personal data is being transferred by means of this legal instrument. If the organisation does not fall under the category, who has the power to enforce a legal document then the organisation might consider creating an administrative document which is equally effective.
Binding corporate rules
Binding corporate rules is a group document that is signed by both the receiver and sender through which restricted data transfer can be made. These rules are just like code of conduct operating within an MNC through which restricted data transfer can be made. Members of BCR are usually involved in a joint economic activity such as merger or franchise etc.
These BCRAs have to be submitted for approval by the EEA supervisory authority where one of the participant’s head office is located in that EEA region. This is done in order to ensure that there are adequate safety measures that have been incorporated in BCR by the parties.
Standard data protection clauses adopted by the Commission
Standard data protection clauses are contractual clauses that have to be incorporated in and contract that has been entered between a sender and the receiver while dealing with the restricted transfer. These contractual clauses are created by the commission to ensure that safety has been given due regard to. The contractual clauses provide for obligation and the rights of the data provider and the receiver. Under this clause, an individual can directly exercise his or her right against a data export or a data importer.
Click on this link for a sample of the standard data protection clauses.
An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA
An approved form of data transfer can be made if the receiver has agreed to a code-of-conduct that ensures the safety of the user data, which is directly enforceable by the data subject on the receiver in case of mishaps.
GDPR approves such forms of code-of-conduct and encourages private parties to do so. This is very recent and because of this, there is no code-of-conduct that is in practice right now.
Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA
This is an approved form of transferring restricted data. Under this method, the receiver has certification under a scheme that is approved by the superior authorities. The certificate scheme must include all safety measures that can be included to protect the rights of the data subject.
This is also a new option that has been introduced under the GDPR and there is no certification scheme that is available which has been recognized by the superior authorities.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.