General Data Protection Regulation (GDPR) (Regulation (European Union) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).

General Data Protection Regulation also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]

When the GDPR takes effect it will replace the data protection directive (officially Article 29 of Directive 95-46-EC) from 1995. Perhaps confusingly for some, there is a new directive as well as a new regulation; it will apply to police procedures, which will continue to vary from one Member State to the other.

The regulation was adopted on 27 April 2016. It enters into application 25 May 2018 after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by governments.

The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU.

Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents.

The regulation does not apply to the processing of personal data for national security activities or law enforcement ("competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties").

personal data#

According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." [1]

Any information related to an identified or identifiable Natural Person that could be used to directly or indirectly identify that Natural Person is covered by the regulation. Such data includes:

  • Customer data, purchasing histories, pictures, emails, names and phone numbers;
  • IP addresses and motor vehicle registration numbers;
  • B2B and B2C information;
  • Biometric information such as fingerprints, faces, voice prints and eyeballs.
entities are responsible for any personal information they collect, whether that data resides in a customer database, employee database, or even a supplier database. What’s more, Custodian of personal data collected by a company — even if they just store the data and don’t have access to it — need to comply with the GDPR or risk being fined.

Not only is the personal data itself covered by the new rules, but everything that’s done with the data, too. “Processors [of data] also have a Responsibility,” Hammarstrand said. “What’s new in this legislation is they have a direct responsibility. They could actually be reviewed and fined if they are not complying with the legislation.”

When is processing permitted?#

  • Necessary for the performance of a contract which the data subject is party
  • Necessary for compliance with a legal obligation
  • Necessary in order to protect the vital interests of the data subject
  • Necessary for the performance of a task carried out in the public interest.
  • Legitimate interests when not overridden by the interests of the data subject
  • Informed Consent
Generally you may not store the data for marketing or statistical purposes.

In One Paragraph[2]#

General Data Protection Regulation defined Personally Identifiable Information (PII) as any information that relates to a EU resident’s private, professional or public life (that is, banking information, medical information, email addresses, social media posts and so on), and a lot of the regulation goes into making sure that this PII is not only stored with a person’s permission, but that it’s also kept for a specified purpose and for a duration that makes sense, given the initial reason for obtaining the data. So, if a customer signs up for a product warranty, and the warranty is good for three years, the company would need to get the customer’s explicit permission to use his or her PII for marketing campaigns or to keep that data beyond the three-year warranty limit.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-17) was last changed on 24-Mar-2017 09:13 by jim