The European Union 'General Data Protection Regulation'
The General Data Protection Regulation is the most recent iteration of European personal data protection regulation. The regulation does not apply to non-personal data, which the European Commission defines as "data which does not relate to an identified or identifiable natural person" (European Union, GDPR). Elements of the GDPR are enforced in over 80 countries' legal frameworks and are applicable not only to entities within the European Union, but also to any processor or controller entity worldwide that uses personal data relating to any citizen of an EU Member State. The GDPR indicates to data processors and controllers which actions fall under their responsibilities and focuses on the controller's ultimate responsibility under 'Article 24'.
"Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity of the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate the processing is performed in accordance with this regulation. Those measures shall be reviewed and updated where necessary" (Article 24 of the GDPR).
Important GDPR Articles
The General Data Protection Regulation is a rights-oriented framework, grounded in Article 8(1) of the European Union Charter of Fundamental Rights. "Everyone has the right to the protection of personal data concerning him/her." (European Commission, 2012)
GDPR Data Subject Rights
(Article 15) Right of Access
- Article 15 gives data subjects the right to request information about the processing of their personal data.
(Articles 14 & 13) Right to be Informed
- Articles 14 and 13 give data subjects the right to transparency in processing.
(Articles 16 & 19) Right to Rectification
- Articles 16 and 19 of the GDPR give data subjects the right to request the correction of any personal data that is inaccurate or incomplete.
(Articles 17 & 19) Right to Erasure
- Articles 17 and 19 define the right of data subjects to request that controllers erase their data. This is often referred to as "the right to be forgotten."
(Article 20) Right to Data Portability
- Article 20 outlines the right of data subjects to obtain their data in a commonly used format so that they can transfer that data to another controller, or where technically feasible, that one data controller may transfer the data directly to another.
(Article 22) Right to not be Subject to Automated Processing
- Article 22 lays out a prohibition on automated data processing that meaningfully affects the data subject or has subsequent legal effects.
(Article 21) Right to Object
- Article 21 provides data subjects with the right to stop the processing of their data in certain circumstances. They may also object to processing in connection with research, public interest, official authority or the interest of others in some circumstances.
(Article 18) Right to Restricted Processing
- Article 18 gives data subjects the right to request restrictions on the processing of their personal data. This means that the data can be stored, but that the controller must request permission in order to process the data. This right only applies in certain circumstances.
Data Protection Commission, n.d.