The General Data Protection Regulation an

Malta Independent - NEWS

Territorial Scope

The Data Protection Regulation applies to all processing of personal data by data controllers outside the European Union, where the processing activities are related to goods or services offered to data subjects in the European Union, or the monitoring of their behaviour. Non-European Union data controllers will be affected as the new regulation’s span is wider than the current position. Offshore cloud services, ‘information society’ services and a host of other services will be caught through this regulation, which is also most likely to catch data processors that are not themselves based within the EU, but who have contracts with EU businesses or deal with personal data of EU data subjects.

Definition of personal data

The European Union data protection law only applies to personal data. ‘Personal data’ now has a broader meaning which also covers any information related to living individuals, and has specific definitions for genetic data, location data, online identifiers and biometric data. Through the new regulation, data controllers will simply have to continue finding an answer to their usual question: ‘is it personal data’?

Liability for data processors

For the first time, data processors now have a statutory liability to implement appropriate security measures when processing personal data on behalf of a data controller, as well as to follow the instructions of the data controller. In addition, they have an express obligation in relation to notification of security incidents. IT and services suppliers, as well as customer organisations, will all need to review their contractual arrangements and internal reporting procedures.


Through the GDPR, it will also be more difficult to obtain consent from the data subject. It is up to the data controller to demonstrate that explicit consent has been granted and that permission was freely given, through the data subject’s free choice.

The Article 29 Data Protection Working Party also clarifies the word ‘specific’. The controller must clearly and precisely explain the scope and consequences of the data processing in an informed and unambiguous manner. This means that for the consent to be valid, the data subject must be provided with all the relevant information to enable them to understand what they are consenting to. In some cases, consent will not provide a legal basis for processing, that is where there is a ‘significant imbalance’ between the position of the data
