The General Data Protection Regulation an
Territorial Scope
The Regulation also applies to the processing of personal data by data controllers established outside the European Union, where the processing relates to offering goods or services to data subjects in the European Union or to monitoring their behaviour. Non-EU data controllers will therefore be affected, because the new regulation's territorial reach is wider than the current position. Offshore cloud services, 'information society' services and a host of other services will be caught by this provision, and it reaches data processors as well: processors not themselves established in the EU will be caught where they contract with EU businesses or handle the personal data of EU data subjects.
Definition of personal data
European Union data protection law applies only to personal data. 'Personal data' now has a broader meaning: it covers any information relating to an identified or identifiable living individual, expressly names location data and online identifiers as identifiers, and adds specific definitions for genetic data and biometric data. Under the new regulation, data controllers will still have to begin with their usual question: 'is this personal data?'
Liability for data processors
For the first time, data processors have a statutory obligation to implement appropriate security measures when processing personal data on behalf of a data controller, and to process only on the controller's instructions. They also have an express obligation to notify the controller of security incidents. IT and services suppliers, as well as their customer organisations, will all need to review their contractual arrangements and internal incident-reporting procedures.
Consent
Under the GDPR it will also be harder to rely on consent from the data subject. The burden is on the data controller to demonstrate that consent has been given and that it was freely given, specific, informed and unambiguous; for the processing of special categories of data, consent must be explicit.
The Article 29 Data Protection Working Party has also clarified the meaning of 'specific'. The controller must explain the scope and consequences of the data processing clearly and precisely, in an informed and unambiguous manner. This means that, for consent to be valid, the data subject must be given all the relevant information needed to understand what they are consenting to. In some cases consent will not provide a legal basis for processing at all, namely where there is a 'significant imbalance' between the position of the data