Data Privacy laws

This article is written by Adv. Komal Arora. The article discusses what is GDPR, its purpose, principles, rights, who does GDPR apply to, privacy policy requirements under the GDPR, the role of the data controller and other regulatory bodies, GDPR checklists, penalties under GDPR, and frequently asked questions on it. If you are finding it difficult to navigate through the complex laws of GDPR, then this article will help you by giving an easy explanation of the GDPR compliance. 

This article has been published by Sneha Mahawar.

Table of Contents

Introduction

In the current digital age there is a heavy reliance on data with our daily lives revolving around it. Our days are filled with online presence, beginning with reading news online, to writing emails, ordering groceries or products from any website, browsing websites to paying our bills online, all these activities use our personal data in order to function. No one stops to ask how the companies are using this data and how safe it is with them. The issue of breach of privacy and identifiable information was gaining impetus and it led to the requirement of a law to regulate it effectively. Thus, came the GDPR, considered to be the toughest law governing the right to privacy of individuals. The GDPR requires all companies to re-evaluate how they used to regulate the privacy of their users and now take some principles into consideration.

Download Now

What is GDPR

GDPR stands for the General Data Protection Regulation. The GDPR pertains to data protection of the data subjects, and it binds every member of the European Union, be that its member states, impacting companies, individuals and other countries around the world. With an aim to harmonise data protection and privacy laws across Europe, it is often regarded as a long and complex law. The regulation was made on 14th April 2016, and it became effective on May 25, 2018. It is a very comprehensive and intricate regulation, consisting of 11 Chapters, 99 Articles and a 173-section Preamble or Recitals. It is pertinent to note that compliance with these regulations has been made mandatory for companies if they wish to do business within Europe. Further, the obligation is on the companies to show that they have complied with the GDPR. These regulations require strict adherence to the requirements that it imposes. 

History of GDPR

  • The right to privacy came to be officially recognized in 1948 when the Universal Declaration of Human Rights ((hereinafter referred to as UDHR) was enacted. The right to privacy has been formally acknowledged in these covenants: Article 12 of the Universal Declaration of Human Rights, provides that no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. A similar right has been granted by the International Covenant on Civil and Political Rights, 1976 (hereinafter referred to as ICCPR). Article 17 of the ICCPR states that no one shall be subjected to unlawful interference with his privacy, family, home or correspondence. The European Convention on Human Rights, 1950 (hereinafter referred to as ECHR) through its Article 8 also grants similar rights stating the need for the right to respect for private and family life, home and correspondence. Let’s take a quick look at the evolution of privacy rights in the EU: 
  • The ECHR was framed in 1950 and then ECHR internet was made specifically for the issue of data protection. Resultantly, on 24 October 1995, Directive 95/96/EC was adopted by the European Council. It aimed to protect the privacy of individuals in the EU by formulating provisions for the processing of personal data and the movement of their data. 
  • On 25 January 2012, the European Commission proposed that there was a dire need to reform the 1995 directive to develop a stronger privacy framework. 
  • Then on 23 March 2012, the Article 29 working party adopted an opinion on the data protection reform proposal. 
  • Later, on 12 March 2014, the European Parliament showed its enthusiasm towards building a robust privacy framework by voting in favour of GDPR with  621 to 10 votes.
  • Then On 15 June 2015, it was agreed that the European Data Protection Board will replace the Article 29 working party. The main role of the data protection board was to ensure uniformity and compliance with GDPR throughout the union.
  • After years of effort and deliberation, the General Data Protection Regulation was introduced in 2016. 
  • On February 2 2016, the Article 29 working party issued an action plan to ensure effective implementation of the GDPR. 
  • Later, on 27 July 2015, the European Data Protection Supervisor published recommendations to the legislators to help in finalising the provisions of GDPR.
  • It was passed by the European Parliament but was enforced with a gap of two years. As of 25 May 2018, it was mandated that all organisations had to comply with the GDPR. 

It must be remembered that the beauty of the GDPR lies in the fact that it applies to every company or business, even if it’s not set up in the European Union. The fact that the company deals with the data of European citizens or residents is enough to trigger the applicability of the GDPR.

Purpose of GDPR

We have previously explored the series of events that contributed to the development of the GDPR. Now, it’s important to examine the driving forces behind the GDPR’s adoption. What were the compelling reasons that led countries to believe that data regulation was imperative? To address these inquiries comprehensively, let’s delve into the purpose and the underlying need for the establishment of these regulatory measures.

The assertion that safeguarding an individual’s privacy constitutes an essential human right is unquestionable and requires no additional elucidation. The acknowledgement of this entitlement to personal privacy is likewise evident in Article 8 of the European Convention on Human Rights (hereafter referred to as the ECHR). Furthermore, Article 7 of the European Union Treaty on Fundamental Rights also affirms this right. The GDPR further extends these rights by making provisions to protect the personal data of people. It contains provisions that impose an obligation on businesses handling this data to guarantee data protection while also stipulating penalties for non-compliance.

By doing so, it increases the accountability of the businesses that collect data to protect the data of its users and not transfer it to any third party. This way it ensures to the users that whatever information they share with these companies is safe and secure and that their privacy will not be violated for personal gains or commercial exploitation. The compliance with GDPR ensures that there is transparency and faith in the transactions of people and companies. Furthermore, it provides a simple and comprehensive legal framework for the privacy rights of people. There are provisions in the GDPR that we will see below that grant certain rights to the consumers such as the right to be informed as to what data is being collected, why is their data being collected and also and how is their data being collected. They have the right to rectify any incorrect data, right to data portability, right to be forgotten, right to withdraw consent, right to object to the data processing, etc.

It is pertinent to note that the GDPR modernised the rules that were laid down in the data protection directive in 1995 and updated them for the modern digital society. GDPR has served a bigger and better purpose at the global level by making people aware of their rights to their data and how to protect them. Following the GDPR by the European Union, other countries like the USA also started coming out with their data privacy laws. Recently, even India formulated its own data privacy act called The Digital Personal Data Protection Act, 2023.

M&A

Principles of GDPR 

Article 5 sets out the seven principles for GDPR. These principles can be considered to be the essence of GDPR compliance, as the full text of GDPR law is based on these principles. GDPR compliance starts with these seven principles: 

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability of data controllers

Lawfulness fairness and transparency

Article 5 provides that the personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subjects. This principle consists of three components:

  • Lawfulness: It mandates the organisations or companies to collect data and process it in a lawful manner.
  • Fairness: It indicates that personal data should be collected and processed in the best interest of the data subjects.
  • Transparency: The term means that the process of collecting, processing, and storage of personal information is communicated to the stakeholders.

Purpose limitation

Article 5(1)(b) further provides that the personal data shall be collected for specified, explicit, and legitimate purposes only. It should not be processed for any other unlawful purpose incompatible with the GDPR. It also explains that public interest, scientific or historical research purposes or statistical purposes which are in accordance with Article 89(1) are not considered to be incompatible. The principle states that data should be processed keeping in mind the purpose for which it was originally intended. The companies should frame a data retention policy indicating for what purpose information is collected,  how long they will retain personal information and when it will be deleted as it will help them define the purpose of collecting personal information.

Data minimisation

This principle simply means that the data should be minimised. There is no need to gather excessive personal data than what is essential to fulfil the purpose. Data minimization is considered to be a very fundamental principle for the reason that no organisation can collect, process, and store personal data about their customers permanently. It focuses on complying with the individual’s right to privacy and data protection. 

Why data minimisation is beneficial

It is crucial to process only that data which is essential and relevant to the specified grounds of processing. Data minimisation is a direct method to minimise any plausible risk attached to processing or retaining unnecessary personal information. The companies should remember that if any leak or breach happens, then it will cause boundless damage to the individuals involved. Data minimisation ensures that with limited data, it is convenient to locate data as and when required. Data minimisation can also lead to cost reduction as with less data there is less investment in managing it.

In order to limit the data collection there is a need to figure out some factors, as :

  • Which data is necessary and which is not?
  • how to effectively manage the data?
  • methods to follow to delete the data, which basically means that the data is destroyed in the same order by which it becomes outdated. 

How to decide if the data collected is necessary or not:

Whether the data collected serves the intended purpose rests on deciding these pertinent questions-

  • How will the data be used
  • Is the data subject aware of the data being collected
  • Is there a direct link between the purpose of the data and the actual data collected
  • For how long will this data be required

Accuracy

It means that the data should be as accurate as possible by making sure that it is up to date and correctly fed. It is considered to be the duty of the data controller to take reasonable measures to ensure the accuracy of the data.

Storage limitations

This principle states that personal data should be removed or deleted once it becomes no longer necessary. This principle complements the data minimisation principle as both work together to guide the data controllers to control the data collected to the bare minimum and then destroy the dispensable data in a secure way. So, data destruction means when the data that is stored in devices and tools is destroyed to the extent that it cannot be used by any unauthorised persons.

How to ensure that data is destroyed completely 

It is possibly the best solution to have a data destruction policy in place. A policy that guides on how to destroy the data, and when to delete it can save from a lot of trouble. There is no set method provided under GDPR for data destruction, but to know more on how to correctly delete the old data click here. To frame a data destruction policy there is a need to find answers to questions like: 

  • Where is the data stored, whether it is stored in devices like USB, cloud, etc.?
  • Who has access to that data?
  • How sensitive is the data?
  • What is the nature of data?
  • Who is responsible for data destruction and its failure?

Integrity and confidentiality

Integrity means that no personal data should be manipulated. Confidentiality means that the data collected remains only with the authorities who have access to it. It should not travel to other unauthorised people.

Accountability

This principle figures out that data controllers should take responsibility for data processing. They are made accountable for ensuring that personal data is processed correctly and GDPR rules are complied with.

Grounds on which personal data can be collected

GDPR by virtue of Article 6 sets forth some specific grounds for which personal data can be collected. These are:

  1. Consent of the data subject
  2. Performance of contract
  3. Legal obligations
  4. Vital interest of data subject or other natural person
  5. Legitimate Interests 
  6. Public interest 

Whenever data is collected, the data subjects have the right to know what kind of personal data is collected, what purposes it serves, how their data will be utilised and processed, how long the company will retain their data, what rights they as data subjects have over their data collected etc. The data must not be used for camouflaged, malafide purposes.

Consent

Consent is the first legitimate ground for which personal data can be collected. Article 7 deals with the conditions of consent.

The Office of the Data Protection Ombudsman provides some essentials for consent to be legally valid. These requirements consist of:

  • Free

Consent must be free, meaning that it should be obtained without any coercion, undue influence, or threats. If the consent is free from any shades of compulsion and intimidation, then it is considered to be valid. The data subjects must be given the right to refuse consent and withdraw it without any consequences.

  • Informed

Consent when taken from the data subject, needs to be in regard to a specific, lawful purpose. In a case where the mentioned ground for processing personal data changes or a new ground arises, consent has to be obtained again and the previous consent becomes obsolete.

  • Unambiguous 

Consent when given freely, after being informed of the ground for personal data must also be unanimous, which means that it should be clear and precise. It must not leave any room for misinterpretation. Consent should not be derived from silence. It can be through a confirmation code, SMS, or reply to mail etc. In our virtual world, consent is unambiguous by making sure that the part of the privacy policy that asks for consent is separated from other terms of policies. A genuine opportunity to assert or refute consent is the right of every data subject. 

How to take consent effectively

The data subjects must be informed about :

  • Who will get the access to their personal data
  • Specific and lawful purposes for which consent is being taken
  • The data subject’s right to refuse or withdraw consent
  • The risk of data being transferred to other countries

Performance of the contract

If the data subject is a party to a contract, in that case, their personal data can be processed for the performance of that contract. A simple example of this is an online shopping website, which in order to take the order and deliver it successfully, needs the personal data of the customer. The requirement in such cases is to make the grounds for collecting personal data in the contract as limited as possible.

Legal obligations

Another reason why personal data can be processed lawfully is to comply with legal obligations. As an example, the legal obligation can exist in case of any financial suspicious transactions, for which the financial institution can search through the data of that company. Interests of data subjects when in any danger or risk are also a good reason to process their personal data. These situations can be health emergencies, natural disasters, etc.

Vital interest of data subject or other natural person

Recital 46 states that the term vital interest means something that is essential for the life of the data subject or any other natural person, for example, in the case where the data subject requires an emergency medical treatment, his personal data can be processed accordingly.

Public interest

Processing of personal data can also be allowed for the public interest and for the exercise of public authority. The reason must be lawful, for example, any research essential for the development and growth of the country.

Legitimate Interests

Processing of personal data is permitted for the data contr  oller’s legitimate interests. There is a test to determine if there is any legitimate interest of the data controller, it is called the balance test. It includes weighing the interests of controllers on one hand against the fundamental rights of the data subjects. If the scale tilts towards the interest of the controller, it is defined as a legitimate interest.

Who does GDPR apply to

Article 3 of GDPR  deals with the territorial scope of GDPR. Simply said, the GDPR applies to the following entities:

  • A company which processes the personal data of EU citizens in the EU or monitors the behaviour of citizens of the EU.
  • A company which is established outside the European Union and offers goods or services to individuals in the EU or monitors the behaviour of citizens of the EU.

The term “offering goods and services” is interpreted to mean a company which has any member state of the EU, or uses any language of a member of the EU and delivers goods to the EU. The term “monitors the behaviour of EU citizens” implies that if any company uses cookies or tracks IP addresses of citizens based in the EU in any way is also covered under the purview of GDPR compliance.

Frequently asked questions on who does GDPR apply to

  1. Does GDPR apply to an individual?

 GDPR provides that it does not apply to a natural person who is conducting a personal or household activity and has no connection with any commercial or professional activity.

  1. Does GDPR apply outside the European Union?

Any organisation or company whether in the EU or outside the EU if providing goods and services to citizens of the EU or monitors the behaviour of EU citizens.

  1. Does GDPR apply to the US?

GDPR serves the goal of protecting the personal data of the citizens of the EU only. It does not apply to the US and the citizens of the EU living in the US. But please note that if any US company provides goods or services to EU citizens or monitors the behaviour of EU citizens then it must comply with the GDPR

  1. Does GDPR apply to US citizens?

Yes, as long as US citizens are residing in any member state of the EU, the GDPR is the data regulating law that they must abide by.

  1. Does GDPR apply to public and private companies?

Yes, GDPR is a general regulation for data protection and privacy. It applies to all companies whether public or private as long as they are concerned with processing data of EU citizens.

  1. Are there any exceptions to these rules?

Yes, Article 30 of the GDPR states that there are two exceptions to these general rules:

  • Collecting personal data for a household or personal activities.
  • Cloud hosted companies with less than 250 employees.
  1. Does it mean that all the small and medium sized enterprises with less than 250 employees are exempted under the GDPR?

No, the exception of 250 employees applies when the processing of personal data is not a major part of that company or the activity undertaken by them does not pose any threats or risk to anyone.

Personal data under GDPR

Article 4 of the GDPR covers the definitions of important terms like: processor, controller, consent, processing and third party etc. It also goes on to define personal data under Article 4 (1) as the information or data that relates to the identifiability of a natural person directly or indirectly. This personal data may include details such as name, identification number, location data, physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.  It also includes any data that concerns the health of a person such as mental and physical health information is also included within personal data under the GDPR. 

The definition provided above can be broken down into these elements to determine whether information is personal data:

  • Any information- it means that the term is inclusive of objective and subjective information
  • Relating to- it indicates that the data should be in relation to any individual who can be identified from that data
  • An identified or identifiable- the term signifies that information should be of such nature that the individual can be identified on its basis
  • Natural person- GDPR protects individuals who are natural persons and not artificial persons like companies.

It must always be remembered that the GDPR is applicable only for the protection of the personal data of a natural person. GDPR applies whether the information is out in the public domain or not. Moreover, GDPR doesn’t protect the rights of an unnatural person such as corporations, foundations and institutions. Also, the main criterion for deciding the personal data is the factor of identifiability. So, anything that can be used to link to a person is personal data. This also includes telephone number, credit card number, identification number, address, appearance, number plate, fingerprints etc.

The definition of personal data is very wide. There has been a decision by the European Court of Justice where it was decided that work recordings such as when an employee starts and ends his work is also covered within the ambit of personal data. The written answers that a candidate gives at the time of an examination are also ruled to be personal data, check here. A child’s drawing of his family as a part of his psychiatric evaluation is also personal data. The IP Address, the cookie identifier of a person, is also termed to be the personal data of an individual. It is worth mentioning that it is not necessary that personal information only includes objective data such as phone number and email IDs but any information that is subjective such as one’s opinions, judgments, and estimates are also covered as personal data. Other than Article 4, Article 9 of the GDPR covers the provision for processing of special categories of personal data. Any data that relates to racial, or ethnic origin, political opinions, religious or philosophical beliefs or trade union memberships, genetic data, biometric data, or data concerning health is sensitive personal data and would be processed only as per Article 9 of the GDPR. So, it includes a variety of data, however, the below mentioned information is not considered to be personal data:

  • Company registration number
  • Public email address 
  • Anonymized data

Managing sensitive data under the GDPR

GDPR recognises the difference between personal data and sensitive personal data. It is dealt with under Article 9 of the GDPR. Sensitive data is personal data which may include some confidential information like: financial records, race, ethnicity, gender, political opinions, health information, relationships etc. This data as the name suggests is sensitive and must not fall into the wrong hands of unauthorised persons. Article 9 (1) of the GDPR provides that processing of any sensitive personal information is prohibited. Article 9 (2) further states that the prohibition shall not apply in these cases:

  1. Data subject has given explicit consent
  2. Processing is necessary for exercising rights and obligations
  3. Processing required for vital interest of data subjects
  4. Processing done for legitimate activities with safeguards
  5. Personal data to be processed is made public by the data subject
  6. Substantial public interest
  7. Preventive or occupational medicine
  8. Public interests and health
  9. Public interest, historical or scientific purposes

So, how should such data be handled in consonance with the GDPR? Let’s answer this question through the below mentioned points.

  • If you are collecting any sensitive data, first make sure to get explicit and informed consent from the data subject.
  • There should be a lawful reason behind the purpose of collecting sensitive information
  • Delete obsolete data in time
  • Collect as minimal data as is absolutely necessary
  • Store sensitive data separately from other data
  • Be vigilant about cyber attacks like hacking or phishing
  • Save these data with secure passwords
  • Use pseudonymisation to disguise identity of users 

Important Articles of GDPR 

The GDPR has 99 Articles in total. It’s a laborious task to go through all these Articles and understand what they provide, so, here we are providing a brief summary of all the important Articles in the GDPR.

As Article 1 of the GDPR states these regulations are related to the protection of the rights of processing of personal data of all natural persons.The fact that the GDPR protects not only the European Union citizens but also the residents needs to be emphasised further. A citizen is one legally recognized inhabitant of the European Union even If he is currently not residing in the European Union. So, the GDPR applies to the citizens of the European Union even if their data exists outside the union. The resident, however, is a person who lives somewhere in the European Union. The GDPR has to be complied with for a resident too, who may belong to some other country but is living in the European Union. A lot of businesses do not need a physical place to operate anymore as they are reliant on their websites to operate. These websites that do not have a real tangible presence in the European Union also need to abide by the GDPR. Even if they don’t sell specifically to people of the European Union. 

Article 2 of the GDPR describes the material scope of the GDPR. It states that the GDPR doesn’t apply to the processing of personal data

  • In the course of an activity that falls outside the scope of union law
  • By member states when they are carrying out activities that fall under the scope of the treaty of the European Union
  • By a natural person in the course of purely personal or household activity
  • By competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and prevention of threats to public security.

Article 3 of the regulation covers the territorial scope of the GDPR. It applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the union regardless of whether the processing takes place in the union or not. It applies to the processing of personal data of the data subjects who are in the union by a controller or a processor that is not established in the union where the processing activities are related to:

  • Offering of goods and services irrespective of whether payment of data subject is required to data subjects in the union
  • The monitoring of their behaviour as far as their behaviour takes place within the union.

GDPR is a widely celebrated document as it is the first of its kind. This is the first legislation that gave a definition to terms such as personal data, data processing, data subject, data controller, data processor etc.

Article 5 covers the principles relating to the processing of personal data. It states that the processing of the data should be lawful, fair and transparent. The data must be collected for specified, explicit and legitimate purposes. The personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose. The data must be accurate and kept updated. Article 6 states the situations where the processing of personal data shall be considered to be lawful. These are as follows:

  • When the data subject has given consent for the processing of their personal data
  • When processing is necessary for the performance of a contract
  • When processing is necessary for compliance with legal obligation to which the controller is subject
  • When processing is necessary to protect the vital interests of the data subject
  • When processing is necessary for the performance of a task carried out in public interest pursued by the controller.

As per Article 7 of the GDPR the consent must be given freely, it must be clear, affirmative and should be easily withdrawn. Article 9 provides that the special categories of personal data such as one’s race, political views, religious beliefs, sexual life, genetic, biometric or health data should be processed under very specific circumstances and not otherwise. These exceptional situations are when the person concerned has given his consent for the processing of the data that too for that very specific purpose when his life is at risk or when there is some other legitimate interest involved. If the data relates to criminal convictions and offences then according to Article 10, the processing is allowed only if it is done under the control of an official authority or it is authorised under GDPR compliant law of a European Union member state.

Undoubtedly the most important keynote of the GDPR is that it grants certain rights to the data subject. Article 12 states that the data controller should inform the data subjects about the processing of personal data in a clear, concise, and transparent way. The data subjects should answer the requests and queries of the data subjects. Wherever the information is collected from the data subject, he should be made aware of it. The company must provide information such as the company’s contact details, how and why is the information being collected and what are the rights of the data subjects concerning their data. This is mentioned in Article 13. Similarly, if no information has been taken from the user, it needs to explicitly mention that the information has not been taken from the data subject himself. One of the rights accorded to the data subject is the right to access data. The data subjects have a right to request information from the data controller as to what personal data has been collected, how it is used or processed etc. This is provided by virtue of Article 15. The GDPR through Article 16 provides the data subjects the right to rectify their data. If the data so collected is inaccurate then the data subject can ask for its rectification. Another essential right provided by the legislation is the right to erase. Famously titled as the right to be forgotten, enshrined under Article 17 of the GDPR it allows the data subjects to erase their personal data when it is no longer needed or when the consent has been withdrawn or if the data is being processed unlawfully. Article 18 grants the data subjects the right to restrict the processing of personal data.

Another right in this set is called the right to data portability. Article 20 of the GDPR ensures that people have the right to request a copy of their personal data that has been provided to the data controller. The data provided must be in a readable format. Article 21 of the GDPR accords the right to object. It states that the users have the right to object to the processing of their data. Article 22 provides for automated individual decision-making. The users may object to the automated decisions. In certain situations, the objection can be chosen to be ignored such as when the processing is necessary under contract when it is authorised in GDPR complaint law of a European member state or when processing has been consented to.

Article 24 states that the data controller has the responsibility to ensure compliance with GDPR. Article 25 imposes a duty on the data controller to ensure that he uses adequate data protection measures and safeguards to protect the data of the data subjects. Article 27 states that in cases when the data controller or the data processor is based outside of the European Union, they have to designate someone as their representative in the European Union. Every data controller or data processor is obligated under the GDPR to maintain a record of its data processing activities pursuant to Article 30 of the GDPR. This record would include the company details, the personal data that is being processed, the purpose of the processing, what are the security measures employed to protect the data. If the company has less than 250 employees then it need not maintain such data processing records.

Article 31 mandates the data controllers and data processors to cooperate with the supervisory authorities. Article 31 demands that the data controllers and processors must implement certain security measures such as encrypting the personal data of the users, ensuring the confidentiality of the user’s data and testing their security systems time and again to ensure that the data is secure. If in a case the data security is breached, according to Article 34 it is upon the data controller to inform the data subject whose data has been leaked. One of the most important Articles in the GDPR is Article 35 which provides for data protection impact assessment. If any business does any work that involves high risk to data privacy then they need to do a data protection impact assessment. This impact assessment is mandated if the business is involved in automated decision-making, or is processing special category or criminal record data or monitoring in a public area.

Article 37 of the GDPR calls for companies to designate a data protection officer. As per Article 39, this data protection officer is responsible for advising the organisation regarding compliance with the data protection laws, they have to monitor compliance and cooperate with the supervisory authority as well. Chapter 5 of the GDPR deals with the transfer of personal data to other countries or international organisations. As per Article 45 of the GDPR, every transfer of personal data must be only after it has been approved by the European Commission. Before the approval is granted, the European Commission has to check different factors such as the country’s record on human rights, the existence and effectiveness of a supervisory authority, and whether the country is a party to international agreements on data protection or not.

Even if the country is not approved as per Article 45, the transfer may still be made in such conditions:

  1. There exists a legally binding agreement between the countries
  2. If there are viding corporate rules as per Article 47 of the GDPR
  3. There is an approved code of conduct as per Article 40 of the GDPR.

In connection with the above provision, Article 47 provides for binding corporate rules. It states that if the country hasn’t been approved of by the European Commission then there must be binding corporate laws between the concerned nations. These rules will cover who will be affected by the transfer of the data, what data will be transferred and how the communication will be done. Even in cases that do not fall under the above two cases of transfer to a third country, the transfer might be made in a third case that is covered under Article 49. It mentions that the transfer can happen in certain situations such as:

  1. The person whose data is being transferred has specifically consented to the transfer
  2. The transfer is necessary in the course of a legal claim
  3. The transfer is necessary in the course of a contract between the data subject and the controller
  4. The transfer is necessary to save the person concerned. 

Article 51 of the GDPR provides for the constitution of a supervisory authority. It provides that there will be a public body that would monitor the application of the GDPR.  This supervisory authority will be an independent body as per Article 52. The members of this authority shall be appointed by the state institutions. Also, as per Article 54 of the GDPR, there must be laws to provide the qualifications that are required to become members of this authority, these laws should provide for appointment and the process to be followed in the appointment of the members of the authority, number of terms they will serve as members, their removal etc. Pursuant to Article 57 the supervisory authority is supposed to monitor and enforce GDPR compliance, it should promote good data protection practices, and handle complaints lodged by people.

Article 58 mentions as to what are the powers of the authority. This supervisory authority has investigative powers, corrective powers and advisory powers. This supervisory authority also has the power to pass temporary laws if there is an emergency that poses a significant risk to the personal data of the people. Similarly, Article 68 provides for the establishment of a European Data Protection Board that is also independent and would advise the European Commission on amendments to GDPR. 

Article 77 grants the individual’s right to lodge a complaint with a supervisory authority. Article 82 provides that every individual whose right to privacy has been infringed can claim financial compensation. Article 85 provides that the European Union members have to strike a balance between data protection and freedom of expression. Article 94 mentions that the GDPR replaces the older European Union directive 95/46/Ec. The last Article, Article 99 states that the GDPR shall be enforceable from 25 May 2018.

Rights under GDPR

There are eight rights outlined in Chapter 3 of the GDPR:

  1. Right to be informed
  2. Right to access
  3. Right to rectification
  4. Right to be forgotten
  5. Right to data portability
  6. Right to restrict processing
  7. Right to object
  8. Right to object to automated processing 

Right to be informed

This right is enshrined under Articles 13 and 14 of the GDPR. Article 13 states that when personal data is collected from the data subjects they must be informed about the following:

  • The identity and contact details of the controller
  • Data protection officer’s contact details
  • Explaining the legal basis for processing data
  • The country where data is processed
  • Legitimate interest of processors and third parties
  • Recipients of personal data
  • Chances of transfer of data to other countries which are not covered in the EU
  • Data retention policy
  • Right to rectify, erase, restrict processing and portability must be explained
  • Explanation of right to withdraw consent
  • Right to complain to the concerned authority
  • Consequences of refusal to share personal data when required by contract
  • Automated decision making

Right to access

Further, Article 15 outlines the right to access. The data subjects have a right to access their personal data, where and how it is processed, categories of personal data, who has access to the data etc. The data subjects have the right to request a copy of personal data collected completely free of cost.

Right to rectification 

Article 16 states that the data subjects have the right to rectification. Under this right, the data subjects have the right to rectify the data if it is incorrect or incomplete. This right is generally read with the principle of data accuracy. In order for the data to be accurate, it must be modified or rectified when any change in personal data occurs. 

Right to be forgotten

Then, comes the right to be forgotten which is covered under Article 17 as the right to erasure. It provides the data subjects the right to request erasure of their personal data in these circumstances:

  • When personal data is not required for the purpose for which it was collected
  • The data subject objects to the processing of data pursuant to Article 21(1) and there are no legitimate grounds to override it
  • The data subject withdraws consent
  • Personal data is unlawfully processed
  • Personal data is required to be erased as per a legal obligation

Right to restrict processing 

Article 18 covers the right of data subject to request restriction of processing of their data. Restriction of processing means that the companies or data controllers should immediately cease any processing of personal data if the request to restrict falls under these categories:

  • The data subject is contesting the accuracy of the data
  • The data subject objects to the unlawful processing of data
  • The data controller does not require the data for processing but keeps it for the establishment, exercise or defence of a legal claim

Article 18 also provides that if the restriction is to be lifted the data subject must be duly informed about it.

Right to data portability

Right to data portability falls under Article 20, it states that the data subject has a right to receive personal data concerning him or her from the data controller in a commonly used, machine readable format and send it to another controller or use it for his own purpose.

This right can be applied in only two conditions:

  • Processing of data is based on consent or contract
  • Processing of data is done with automated means

Right to object 

The right to object is a much needed right which is enshrined under Article 21. It provides that when the data subject objects to the processing of personal data based on valid grounds then the controller is under obligation to no longer process it unless the controller is able to show that there is a compelling legitimate ground for processing. The legitimate ground should be of such a nature that it overrides the freedom, rights and interests of the data subject. The GDPR makes it clear that the right to object is very important and every company communicating with the customers must make them aware of their right to object. 

Automated decision making

The last right is covered under Article 22 which is automated decision making. It states that the data subjects shall have the right not to be subject to a decision solely because of automated processing which includes profiling. There are some exceptions to this right:

  • When automated decision making is necessary for a contract
  • Authorisation from the EU or member state
  • Consent of the data subject

Data Subject Access Request (DSAR)

Data subjects under the GDPR have the right to access the personal data concerning them as collected by organisations and companies. It is a part of this right for the data subjects to be aware of their data and verify the lawfulness of processing done by the company. It is an excellent example of how the GDPR allows the data subjects to protect their fundamental right to privacy.

Who can submit a DSAR

Anyone, whose personal data is being collected, processed and stored by the organisation or company can request to get access to their personal data. It can also be made by any authorised agent of that person, parent or guardian.

Time period for DSAR

Under the GDPR, the companies are required to respond to such requests within a period of 30 days. This time period can be extended under some certain circumstances when the request is complex.

Format of the DSAR

It is important to note that there is no straightjacket format given under the GDPR to be followed for responding to a DSAR. The format basically depends on what kind of information the access is requested for. The request can be for editing data, deleting data, confirmation for processing of personal data, retaining data, opting out of sharing personal data etc.

Is responding to a DSAR mandatory

It is definitely required to respond to the DSAR, however, there are a few exceptions: If the request for information exceeds the limits set under the GDPR or the data subject’s identity cannot be verified. It is important to note that before claiming that a DSAR is a sham, it is very important to confirm the person’s identity.

Repercussions of not following the DSAR

In addition to raising security concerns and damaging reputation, the GDPR imposes fines when the DSAR provisions are not abided by.

Requirements for data privacy policy in compliance with GDPR

Privacy policy is mandatory for every company or organisation as it protects the fundamental right to privacy of the data subjects. The GDPR has considered the importance of a good privacy policy and created some requirements for privacy policy to be valid. Article 12 states that there are some requirements for communication of data processing, these are:

  • Language must be clear and precise
  • Transparent communication
  • Intelligible communication
  • It should be easily accessible
  • Privacy policy must be free of charge

Further, other Articles together create some must-haves for privacy policies. Here is a checklist of how privacy policies can be made GDPR compliant:

Identity and contact details of the company

Pursuant to Article 13 (1)(a), the privacy policy must include details like the identity and contact details of the controller that is processing the personal data of data subjects. These details include the name, address, and contact information of the company. In some cases where there is a data protection officer, their details of how to contact the DPO should also be included.

Purpose and legal basis for which the personal data is processed

Article 13(1)(c) requires that the purposes for which personal data of data subjects are collected and the legal basis for the processing must be included. The legal basis for the processing of personal data has been discussed before under the principles which are covered by Articles 5 and 6. The most common legal basis is consent, so, for example, the company must state that we process the personal data based on consent as provided under Article 6, the customers have complete right to give or refuse their consent. These decisions based on consent can be changed, or withdrawn later. The requirement for communicating the purposes behind the processing of personal data is to make it clear, easy to understand and comprehensive.

Type of personal data processed

Just writing that personal data is collected in the privacy policy is not enough now under the GDPR. The details of what type of personal data is being processed should be incorporated in the privacy policies. Mostly, in order to make it more accessible and easier to understand the companies are now using tabular representation of the type of personal data and the purpose for which it is being collected.

Who receives the personal data

Article 13 (1) (e) states that who are the recipients of personal data is important information which should be communicated to the data subjects.

Transfer of data to third countries

Article 13 (1) (f) states that the information about the intention of the controller to transfer personal data to a third country or any international organisation should be inserted in the privacy policy.

Retention of data

Article 12 provides that the maximum time period for which personal data will be stored is to be clearly stated. If no such period can be determined, then what criteria is used to decide that time period must be included? The time period mentioned must be reasonable.

Rights of data subjects

Article 13 (2) (b) states that the rights of data subjects also must be included. The rights have been discussed earlier.

Remember that there is no way to use legal complex terms to hide in the GDPR. The privacy policy is required to be as simple and easily accessible as possible. A study of European countries has revealed that about 33% of people do not read the terms and conditions when using online services. The companies are still bound to make their policies crystal clear and easy to locate.

Who is responsible for ensuring GDPR compliance

For GDPR compliance there are some bodies which are responsible for data security and privacy. The ultimate responsibility lies with the data controller.

Data controller

A data controller is defined under GDPR as a person, natural or legal, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data. The data controller has to follow the primary obligations, such as:

  • Compliance of GDPR
  • Obtaining valid consent from the data subjects
  • Maintaining the accuracy of data
  • Keeping secure records of data 
  • Correcting or deleting data when requested
  • Taking reasonable care to protect personal data
  • Ensuring that third parties data processors comply with GDPR

The GDPR.EU provides a checklist for the data controllers, click here to know more.

Data processor

A data processor is defined under GDPR as a natural person, public authority, agency or other body which processes personal data on behalf of the controller. The key responsibilities of a data processor include:

  • Processing personal data as instructed by the data controller
  • In case of any data breach notifying to data controller
  • Making proper records of processing activities
  • Implementing technical and organisational measures to protect data

 Data Protection Authority (DPA)

The Supervisory Authority or Data Protection Authority is an independent public authority that ensures GDPR compliance and enforcement in the EU. They were set up by the Data Protection Act, of 2004. Each member state of the EU has its own DPA and its role is to: 

  • Provide expert guidance to member states of the EU on data protection and privacy
  • Handle data breach
  • Enforcement of data protection laws
  • Interpret GDPR law when required
  • Manage fines and penalties in cases of non-compliance

Data protection officers  (DPO)

A Data Protection Officer is appointed for companies where the core processing activities consist of collecting and processing personal data. It’s not the size of the company but the kind of work undertaken by them that is the deciding factor for the appointment of DPO. In the EU every government body except courts have a DPO. The DPO can be any employee of the company or any external person appointed as DPO. The role of the DPO can be summarised as:

  • Informing and advising the controller or processor on data protection issues
  • Ensuring compliance with the GDPR in the company
  • Being the mode of communication with the DPAs and individuals
  • Reporting directly to the highest officer in management.

Difference between data controllers and data processors

The GDPR has made different roles for data processors and controllers to highlight the fact that not every company or organisation shares the same degree of obligation. There is some difference in the responsibilities of both these bodies but it is important to remember that in the end they complement each other and work together to protect the personal data and privacy of the data subjects.

  • The primary responsibility for ensuring that the organisation is GDPR compliant falls upon the data controller. At the same time, he is also responsible for making sure that the data processor follows the GDPR.
  • There are definitely more obligations on the data controller, but the data processor has to take organisational measures to support the data controller.
  • There is generally a contract defining the relationship between these two regulatory bodies.
  • The data controller collects the personal data from data subjects and makes a GDPR  compliant privacy policy. If the data processor is doing these functions of the controller then he will be responsible accordingly.
  • The data controller is responsible for giving directions and instructions to the data processor.
  • The data controller conducts the data protection impact assessment DPIA and the data processor has to assist him.
  • Both the data controller and data processor must follow the GDPR rules.
  • The duty of the data controller includes keeping a report of the following:
  1. Controller information
  2. Type and nature of data
  3. When and to whom data is transferred 
  4. Data security measures.

The data processor also keeps records of processing done by controllers.

  • In case of any data breach, the data controller must notify the superior authorities in 72 hours and the data processor in such a case must notify the data controller.

What is data protection impact assessment

A Data Protection Impact Assessment (DPIA) is a formal process undertaken to record personal data processing and to find out the risks of processing personal data and reduce such risks by considering the likelihood of its impact on natural persons. DPIA is an important facet of the GDPR and its provisions create accountability on the organisation for processing personal information. It states that where processing technique, particularly using new technologies, considering the nature, scope, context and purpose of processing, if it is likely to result in a high risk to the rights and freedoms of natural persons, then the controller shall, before the processing takes place, conduct the assessment of its impact. If the controller doesn’t perform the DPIA, it can attract a fine of up to 2% of that organisation’s annual global turnover or €10 million whichever is higher. It is important to understand that the DPIA is not a once in a few years kind of activity. It is for the benefit of the organisation to conduct it frequently to make sure that there is no apparent risk to the personal data of the data subjects.

Benefits of conducting the DPIA

Conducting the DPIA is very beneficial for an organisation in the following ways:

  • Ensuring GDPR compliance
  • Minimising risks of violation of data protection rights
  • Reducing the cost of managing unnecessary data
  • Eliminating obsolete data
  • Ensuring data protection by introducing data protection and privacy in the early stages

When is the DPIA  to be conducted

DPIA is considered to be mandatory in cases where data processing “is likely to result in high risks” to the data protection rights of the data subjects. There is also Recital 90 dealing with the DPIA. Although, the GDPR doesn’t define this high risk. For example, under GDPR, Article 35 (3) provides three such cases:

  • Systematic and extensive profiling with significant effects
  • Large-scale use of sensitive data
  • Public monitoring

Where the personal data covered under the special category as provided under Article 9, or data related to criminal convictions as provided under Article 10 is being processed it is important to get data protection impact assessment done. Similarly, if the personal data of the data subjects is being evaluated based on automated processing like profiling, creating legal concerns, then DPIA is required.

When is the DPIA not required

A DPIA is generally not required in certain cases, like:

  • When processing of personal data is not likely to result in high risk to the rights and freedoms of data subject Article 35.
  • If a similar DPIA has been conducted and the nature, scope, and purpose of that processing are very similar to current processing.
  • If processing is optional.

As provided under Articles 35(1), 35 (10), Recitals 90 and 93 of the GDPR, the DPIA should be done before the processing of personal data is done. It is considered to be a precautionary step to carry out the DPIA as early as possible. Before conducting the DPIA it is important to first figure out what personal data is required and how it is being processed and stored, what are the possible risks involved.

Who is responsible

The data controller is responsible for making sure that the DPIA is carried out effectively and in due time. By virtue of Article 35, it is necessary for a data controller who has a data protection officer DPO to take advice from the DPO and make it a part of the DPIA process. Similarly, if the data processor is involved in the processing part, then he should work in the DPIA process which is provided under Article 28. 

Features

Article 35(7) GDPR details some of the required features of DPIA, such as:

  • It should describe the processing operations and the purpose of processing.
  • It should assess the necessity and proportionality of processing.
  • It should also assess the possible risk or danger to the data protection rights of the data subjects.
  • What are the steps undertaken to mitigate the risk involved and ensure compliance with the GDPR.

Elements of a successful DPIA

To make the DPIA successful there are a few elements you must follow:

  1. Purpose behind processing: It should discuss the purpose behind the processing of personal data and the context of data processing of data subjects.
  2. Nature of personal data: Next, the DPIA should detail the nature of how the personal data will be processed, what is the necessity of collecting that personal data, proportionality of purpose and personal data, who has access to the data, sharing of data with third parties, how long will the personal data be retained, etc.
  3. Scope of personal data: Then, the DPIA should discuss the scope of personal data which the organisation is processing, like how long will processing take, is there any sensitive personal data involved, frequency of processing, etc.
  4. Identify risks: The DPIA should identify the risks or damage that the processing can cause to the data subjects, like, discrimination, physical or reputational harm, denial of rights, identity theft, etc.
  5. Solutions to risks: Finally, the measures that the organisation can undertake to reduce these risks should be discussed. For example, cease collecting any personal data which is causing harm, advancing technological security measures etc.

Steps to ensure GDPR compliance

In order to be a GDPR compliant company here are a few checklists to abide by:

Understand the type of data you collect

In order to be GDPR compliant, the first step is to consider what kind of data the organisation collects and for what purpose. This process should answer questions such as:

  • what kind of data is being targeted,
  • does this data include any sensitive data, if yes what is the way to process it securely,
  • is data being collected from children/minors, what is the right way to collect such data,
  • how you collect it,
  • the purpose behind the data, 
  • where do you store it,
  • who has the access to it,
  • does any third party have access to this data, including third parties outside the European Union,
  • what is the time period for which this data can be retained and how, and
  • the provision for deleting or correcting the data.

Website security

Websites are prone to attacks by hackers and other companies seeking personal data with malicious intent. So, it needs to be as attack and hack-proof as possible. For that, the principle of data minimisation and deleting obsolete data works perfectly. Do not keep unnecessary data stored on your website when it is of no use to you, as it may be transferred into the hands of other unauthorised people. Try to add extra layers of protection, improve security, encrypt the data and use anti-virus software.

Privacy policy

We have discussed how privacy policy can be made GDPR compliant. A privacy policy must be easily accessible to inform the users and visitors of how you are protecting their personal data. It includes the user’s rights and obligations. It is an important facet of the GDPR and should be given due weightage.

Seek consent

We have discussed the essentials of valid consent under the GDPR. It is fundamental under the GDPR to have legally viable consent and remember that consent once taken cannot be ambiguously used for other activities. A common method to enable sound and explicit consent from the users is to take permission or consent through email by sending a verification code. It is called the double opt-in method. The companies nowadays are taking note that consent cannot be just assumed. It is important to allow the users to freely give consent and choose the opt-in method. At the same time, if you contact the users through newsletters sent to their emails then make the option of unsubscribing equally transparent.

Using cookies intelligently

You must inform the visitors about how your website collects the data through cookies. It is important to mention that there are essential cookies and non essential cookies and the visitors must be given the option to opt out of the non essentials cookies. This is called a cookie banner.

Conduct risk assessment

It is an important part of the GDPR to conduct regular risk assessments and take effective measures to mitigate and reduce the risks. It is important for the company to minimise the damage caused. The possibility of attracting heavy fines in case of a breach of GDPR can motivate companies to conduct frequent risk assessments

Appoint a data protection officer

Regulating bodies like DPO are required under the GDPR to ensure the protection of the rights of data subjects. The role of DPO has been discussed as a mandatory body for every organisation under Article 37.

Reporting of the data breach

The GDPR requires that every breach in a company should be reported within a period of 72 hours. The company should effectively respond to such breaches and take immediate measures. 

Use GDPR compliant services

It can be really productive to use GDPR compliant services early on in your company or organisation. The reason is that it builds trust of the users, which will be beneficial in the long run. Also, it makes managing the data of data subjects convenient. Some famous alternatives of normal services which are actually GDPR compliant include:

Emails

Some common options which are providing email service following the GDPR include the following: 

Proton Mail: It is the world’s largest encrypted email company. It is widely used in European countries. It is reported that the European Commission has recognised Proton Mail’s dedication to ensuring their service security.

Hushmail: Another option is Hushmail, which is known to be the world’s first end to end encrypted mail service.

Virtual personal network (VPN)

VPN is basically used to encrypt the user’s internet and hide the online identity, by not revealing your IP address. It is an excellent tool used to protect the user’s privacy. The best alternative for a VPN which is in consonance with the GDPR is:

Proton VPN: Proton also has VPN services. The GDPR is very stringent on companies using unsecured internet connection which may lead to hefty fines or penalties. It is stated to be the only VPN service company providing secure core technology.

Air VPN: It is a VPN service developed by an Italian company, made with the sole intention of protecting the privacy of its users. It offers some features with transparency and it doesn’t collect any personal data from its users.

Messaging

For messaging, there are a few alternatives for a GDPR compliant service, these include:

Signal: It is a messaging app known for protecting data and privacy. All communications are end to end encrypted. It is a great shift to secure apps for messaging.

WhatsApp: Whatsapp provides end to end encrypted messaging apps. It is considered to be the largest messaging app providing services in the world. It is a good alternative for messaging which is also GDPR complaint.

Cloud storage

Cloud storage has become a very essential service for companies now-a-days. It is necessary to choose a cloud based service that complies with the GDPR. Here is an option for it:

Tresorit: It is a cloud storage company which is GDPR compliant and allows users to manage the permission settings. It belongs to a company based in Switzerland.

What are the penalties and fines for breaching GDPR 

GDPR also comprises provisions that assist in its enforceability. Article 58 of the GDPR bestows some powers on the supervisory authorities. These powers have been broadly classified as investigative powers and corrective powers. The investigative powers allow the supervisory authority to get the required information, access, and audits, for the purpose of investigation into the violations under GDPR. The corrective powers allow the supervisory authority to issue warnings to data processors and controllers, issue reprimands, order compliance, issue temporary or definitive limitations like a ban on processing, withdraw certification or order suspension of data flow and also impose administrative fines on breach of the provisions pursuant to Article 83.

Article 70 of the GDPR mentions the list of the tasks of the board. Amongst all the responsibilities of the board, the board is also responsible for making guidelines for the supervisory authorities concerning measures of Article 58 and the setting of administrative fines under Article 83. As per Article 83, the fines enforced on violation must be effective and proportionate to the wrong committed. They shouldn’t be exceedingly high or low and must be imposed keeping in mind the facts and circumstances of the case and the relevant factors. There are no arbitrary criteria to decide the quantum of penalty imposed, there is a statutory method to decide what fine has to be imposed. Pursuant to Article 83 there are a few factors that may result in a greater quantum of penalty such as these:

  • Nature, gravity and the duration of infringement
  • Intentional or negligent infringement
  • Action taken by the data controller or processor to mitigate damages suffered by data subjects
  • Degree of responsibility of the data controller or processor taking into account technical and organisational measures
  • Relevant previous infringements by the data controller or processor
  • lack of collaboration with the authorities
  • categories of personal data affected by the infringement
  • the manner in which the infringement became known to the supervisory authority
  • whether similar measures have been ordered against the data controller or processor with regard to the same subject matter
  • whether they adhered to approved codes of conduct as per Article 40
  • any other aggravating or mitigating factors that may impact the facts and circumstances of the case

What is the quantum of fine

GDPR doesn’t expressly mention what would be the quantum of the fine imposed. Article 83 gives the general conditions for imposing administrative fines. The fine imposed is subjective and depends on the facts and circumstances of each case. There are two tiers based on the severity of violations of GDPR provisions:

  1. For violations that find a place in article 83 (4) of GDPR, the quantum of the fine may go up to 10 million euros or 2% of the total global turnover of the undertaking, whichever is higher.
  2. For violations that find a place in article 83 (5) of GDPR, the quantum of the fine may go up to 20 million euros or 4% of the total global turnover of the undertaking, whichever is higher.

Here the term ‘undertaking’ refers to any entity engaged in economic activity regardless of the legal status of the entity. So, it can consist of one company and a bunch of companies operating as a group as well.

Are the fines uniform throughout the EU

Though the GDPR applies throughout Europe, the fines imposed might vary. There is a difference in how and what fine is imposed in different states, how it is enforced, etc. As per Article 83, each member state has the power to lay down the rules as to what and when these administrative fines might be imposed on the public authorities and bodies established in their state.

Article 84 covers the aspect of penalties. It states that the member states shall lay down rules on other penalties that are applicable to the infringement of GDPR in particular for the infringements that aren’t subject to administrative fines under Article 83 and shall take all measures that are necessary to ensure its implementation. It’s crucial to take a look at the circumstances where fines and penalties might be probably imposed. These are as follows:

  • Violation of basic principles of data processing as enshrined under Articles 5, 6, and 9 of the GDPR.
  • Ineffective and improper security measures
  • Failure to obtain valid consent under Article 7 of the GDPR
  • Violation of the rights accorded to the data subjects from Articles 17-22 of GDPR
  • Negligence to appoint data protection officer as mandated by GDPR
  • Failure to report a breach of data privacy
  • Failure to follow basic data protection principles
  • Transfer of personal data outside the European Union without proper safeguards pursuant to Articles 44-49.

This fine is imposed by the national authorities. However, it must be noted that a fine isn’t the only power that can be exercised to ensure compliance with GDPR. Fines and penalties are an additional tool to ensure that data controllers follow their obligations mandated by GDPR. The data protection authorities have a history of imposing huge fines and penalties on the data controllers and processors for violation of provisions of GDPR so it’s better to ensure

conformity with the law rather than facing the brunt of the law.

Biggest GDPR fines in 2023

GDPR is indeed a lengthy document and following it to the core is not as easy as it seems. This is also why in the past few years adhering to the GDPR has become a daunting task and the companies are always at risk of paying hefty fines. Every year some of the global leaders are fined for not complying with the law. Here are a few companies heavily fined in 2023. For the full list check here.

Name of the companyGDPR fineReason
Meta platform Ireland ltd. (twice)€1.2 billion€ 390 millionUnlawful processing and storage of data
Amazon€ 746 millionNot taking consent for targeted advertising
WhatsApp 225 millionNot transparent in sharing of data and sharing data with Facebook companies
Google LLC€ 90 millionNot allowing users the option to refuse cookies
Criterio€ 40 millionNot taking proper consent for cookies

Frequently asked questions (FAQs) on GDPR

When did the GDPR come into force?

The GDPR was made on 14th April 2016 and it came into force on May 25, 2018.

Who made the GDPR?

It was made by the European Parliament and Council of the European Union.

Does GDPR apply outside the EU?

Yes, GDPR is a “general” data protection regulation for the residents of the EU. Article 3 of GDPR  also provides that if any company set up in another country is collecting data from any EU citizens, then it is also required to follow GDPR.

What are the principles followed under the GDPR?

There are seven principles under the GDPR:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

What constitutes personal data under the GDPR?

The whole text of GDPR focuses on the term personal data, which is defined under Article 4 as any information that relates to an identified or identifiable natural person (called data subject). This information can be particularly in reference to identifiers such as name, location, data, or factors like physical, genetic, physiological, mental, economic, cultural or social identity of a natural person.

Is it compulsory to have a data protection officer in every company?

A data protection officer (DPO) is not a mandatory officer for every company. A data protection officer is required only if the organisation is a public body or works on a large scale and processes huge volumes of data.

What are the rights of data subjects under the GDPR?

Every data subject has been empowered with some fundamental rights, such as:

  • Right to be informed
  • Right to get access to their personal data
  • Right to rectify personal data if found incorrect or incomplete
  • Right to erase obsolete data
  • Right to object
  • Right to data portability
  • Right to restrict processing of personal data
  • Rights relating to automated decision making and profiling

Should the companies update their privacy policies in compliance with the GDPR?

In short, yes. All the companies falling under the territorial scope of the GDPR are required to frame and review their privacy policies to adhere to the requirements set forth in the GDPR. The privacy policy, user terms and conditions, and cookies policies are the first part of the company that directly affect the data subjects and these should follow the principles of GDPR to the core.

What is the deadline to report a data breach under the GDPR?

Under the GDPR, if any data breach happens, then the authorities concerned are required to notify such breach to the supervisory authorities in a period of 72 hours after the incident.

What is the maximum penalty for non compliance with the GDPR?

The maximum penalty/fine for a company non complying with the GDPR is provided under Article 83(5), which is a fine of 20 million or 4% of the annual global turnover, whichever is greater.

Is there any benefit of being GDPR compliant?

According to a report from CISCO, companies investing in privacy are receiving positive returns on it. There is also a direct relation between privacy accountability and the low rate of breaches of GDPR.

References

LEAVE A REPLY

Please enter your comment!
Please enter your name here