This article is written by Shubhang Gupta, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “How should privacy policy and terms & conditions be amended post-GDPR?”.

What is General Data Protection Regulations?

General Data Protection Regulations are guidelines, which are enacted to protect the personal data of persons (whether natural or artificial) located in the European countries. These regulations are implemented by the European Union, which have effect from 23^rd May 2018. These regulations consist of different components like- duties of controller and processors, the establishment of superior authority, fines and Penalties etc. this Regulation is enforced to curb the hands of big corporations, who were putting on the private rights of the people. These regulations had put a strong impact on the collection of personal data been collected by these big Corporations. This data are put to use by this corporation to manipulate the people’s decision and psychological thinking. This resulted in grave destruction to mankind, so it becomes most important to come up with a strict law regulating the functioning of such big Corporations. These regulations also include penalty and fines as its core element. This allows the EU to impose a heavy fine upon any party violating the terms of the regulations. This is the first and major step taken against the protection of personal data. This law had a long way to go in terms of its acceptability and practicality by the big market forces.

Certain principles related to the processing to be followed by an organisation

An organisation should follow certain principles during the processing of personal data of the data subject. This includes, the processing of personal data should be processed lawfully, fairly and with transparency. The data should be processed which is adequate, relevant and limited to what is necessary for relation to the purpose for which such data are processed. The processing shall be lawful only if at least one condition mentioned under the regulations is followed, which as follows:

• The data subject has given consent to the processing of his/her personal data;
• Processing is necessary for the compliance with a legal obligation to which the controller is subject to;
• Processing is necessary in order to protect the vital interests of the data subject & so on.

There are some conditions mentioned under the regulations which are related with the consent of the data subjects. There is a responsibility of the data controller to demonstrate that the data subject has consented to the processing of his/her personal data. If the data subject had given written consent for the processing of personal data concerning other matters, then the matter shall be presented in a manner which distinguishes from the other matters.

Some principles of the regulations are related to the conditions applicable to the child’s consent in relation to his/her personal data been processed. In this, the age of such child shall be at least 16 years old. In case he/she is below 16 years old the consent shall be given by a holder of parental responsibility for the child.

Under the regulation, there are restrictions on the processing of personal data on several grounds like: data relating to racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade membership etc. the concerned provision also states provisos relating to prohibition on the processing of personal data. 

Rights of the Data Subjects

The regulation also defines the certain rights of the data subjects. This empowers the data subjects to control and could practice appropriate right to defend against the improper use of his/her personal data. These rights include: Right of access by the data subject, this empowers a data subject to obtain the information from the controller. This right includes the purpose of the processing, the categories of personal data concerned etc.

The other right is right to rectification. This deals with the right of the data subject to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. This also provides a right to have completed personal data completed.

The other right under the regulation is right to erasure. This right can be practised under the following situations:

• When the personal data is no longer necessary against the purpose for which it had been collected.
• When the personal data have been unlawfully processed & so on.

The regulation also mentions the right to restriction of the processing. This deals with the restrictions that could be imposed on the processing of personal data of the data subjects. This provision includes such grounds like the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.

It is also mandatory for the data controller to notify all recipients about the rectification or erasure of personal data or restriction of processing of data has been disclosed. If it is impossible or disproportionate to the data controller to notify such recipient of the above-mentioned process, then the controller could not be liable for any infringement of the regulations.

The data subjects now have a right to port their personal data, which had been given to the data controller with his/ her consent, to other data controller without facing any hindrance in the process. The former data controller could not bar the data subject from porting their data to the other data controller where it is technically feasible.

This right could not be used in cases where A) processing is necessary for the performance of a task carried out in the public interest, or B) in the exercise of official authority vested in the controller.

Responsibility of the data controller

Under Article 24 of the GDPR, the data controller has the crucial responsibility to implement appropriate technical and organisational measures to ensure and to be able to show that processing is performed in accordance with this regulation. This Article shifts the onus on the Data controller to apply such a technical mechanism to secure the processing of the personal data. Article 25 of the regulation is the extended part of the Article 24 of the regulation. This article states the required steps to be taken for the compliance of the regulations by the data controller. The provision clearly states that the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data- protection principles in an effective manner and to integrate the necessary safeguards into the processing of personal data in order to meet the requirements of the GDPR and to protect the rights of data subjects.

Appoint the representatives of controllers or processors in the union

Under the regulations, it is mandatory for the enterprises or corporations to designate the representatives of data controller or processors if not established in the European Union. This means that there should be a representative in one of the member states where the data subjects whose personal data are processed in co-relation to the offering of goods or services to them, or whose behaviour is monitored by such Corporations. The representative shall authorize by the controller or processor to be addressed in addition to or instead of the controller and processor in front of supervisory authorities and data subjects, on all issues related to processing, for the purpose of ensuring compliance with the GDPR. 

Maintenance of Records relating to the processing of data 

Under the regulations, it is mandatory for the data controller or controller’s representative or processor or processor’s representative to maintain a record of processing of personal data of the data subject. This provision includes the complete information regarding the processing of data like name and contact details of the controller, purpose of the data processing the description of the categories of data subjects, etc. These conditions are also applicable, where the data processor is involved in data processing.

Designation of Data Protection officer

Under the regulation, it is mandatory for all the organisations involved in data processing of the mentioned organisation such as processing carried out by a public authority or body, except for courts acting in their judicial capacity and so on. The articles 37 to 39 deals with the designation, power, and task shall be carried out by the data protection officer. The designation of data protection officer is mandatory and this plays an important role in securing the safety of the data during the processing carried by the data controller or processor. The data protection officer shall be supported and provided with all required things by the data controller or processor, which is necessary to carry out its duty. The task of such officer includes: to inform and advise the controller or the processor and the other employees who carry out the processing of their obligation pursuant to the GDPR and also to cooperate with the supervisory authority.

Regulate the transferring of personal data to third countries or International organisation

The GDPR regulates transferring the personal data of any data subject of the European Union to third countries. This provision is stretched from Article 44 to 50 under the regulation. This provision has mentioned articles which deal with: general principle for transfers, transfers on the basis of an adequacy decision, transfer subject to appropriate safeguards etc. The main rationale behind the implementation of this provision is to secure the personal data of the data subjects to be used by any organisation or institution outside the union in any manner which could be against the security and integrity of the union.

Penalties for the infringement of the regulation

Any person or organisation who has infringed the conditions mentioned under the regulation shall be subjected to the penalties stated under the regulation. The penalty imposed under the regulation is heavy, which makes its strict implementation and acceptability by the organisation and institutions. The administrative fines are stated under Article 83 whereas penalty is stated under Article 84 of the regulations.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.