General Data Protection Regulation


The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation of the European Parliament and of the Council, proposed by the European Commission, intended to strengthen and unify data protection for individuals within the European Union (EU).

The GDPR also addresses the transfer of personal data outside the EU. The Commission's stated objectives for the GDPR are to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying data protection rules across the EU.[1]

When the GDPR takes effect it will replace the Data Protection Directive (Directive 95/46/EC) of 1995. (The "Article 29 Working Party" of national supervisory authorities takes its name from Article 29 of that Directive; the Directive itself is not "Article 29". The GDPR replaces the Working Party with the European Data Protection Board.) Perhaps confusingly, a new Directive was adopted alongside the new Regulation: the Law Enforcement Directive (Directive (EU) 2016/680), which governs processing by police and criminal-justice authorities. Being a Directive, it must be transposed into national law, so its implementation will continue to vary from one Member State to another.

The Regulation was adopted on 27 April 2016 and applies from 25 May 2018, after a two-year transition period. Unlike a Directive, it is directly applicable and does not require enabling legislation to be passed by the individual EU Member States, although Member States may supplement it in the areas where the Regulation leaves them discretion (for example the age below which a child needs parental consent for online services).

The Regulation applies to processing by a data controller or processor (the organization) established in the EU, regardless of whether the processing itself takes place in the EU, and in the cases described below to processing of data about data subjects (persons) who are in the EU.

Furthermore (and unlike the current Directive) the Regulation also applies to organizations established outside the EU if they process personal data of individuals who are in the EU, where the processing relates to offering goods or services to those individuals (whether or not payment is required) or to monitoring their behaviour within the EU (Article 3(2)).

The Regulation does not apply to the processing of personal data for activities outside the scope of EU law, such as national security, nor to processing by law enforcement ("competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties"), which is governed by the separate Law Enforcement Directive. Processing by a natural person in the course of a purely personal or household activity is also out of scope.

General Data Protection Regulation Personal Data#

The European Commission's definition follows Article 4(1) of the GDPR: personal data is any information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity.

Not only is the personal data itself covered by the new rules, but everything that’s done with the data, too. “Processors [of data] also have a Responsibility,” Hammarstrand said. “What’s new in this legislation is they have a direct responsibility. They could actually be reviewed and fined if they are not complying with the legislation.”

General Data Protection Regulation definitions#

General Data Protection Regulation Examples of Data processing#

When is Data processing permitted?#

Article 6 permits processing only where at least one of the following lawful bases applies:

  • Necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request before entering into a contract
  • Necessary for compliance with a legal obligation to which the controller is subject
  • Necessary in order to protect the vital interests of the data subject or of another natural person
  • Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
  • Necessary for the legitimate interests of the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject
  • Consent of the data subject, given freely, specifically, informedly and unambiguously for one or more specific purposes
Data collected for one purpose may not be further processed for an incompatible purpose (Article 5(1)(b)), so data collected to fulfil an order cannot simply be reused for marketing without a lawful basis for that use. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is treated as compatible with the original purpose, subject to the safeguards of Article 89.

In One Paragraph[2]#

The GDPR defines personal data (often loosely called Personally Identifiable Information, or PII, although the Regulation itself does not use that term) as any information relating to an identified or identifiable natural person's private, professional or public life (that is, banking information, medical information, email addresses, social media posts and so on), and a lot of the Regulation goes into making sure that this data is not only processed on a lawful basis, but that it is also collected for a specified purpose and kept only for a duration that makes sense given the initial reason for obtaining it. So, if a customer signs up for a product warranty, and the warranty is good for three years, the company would need a separate lawful basis (in practice, the customer's explicit consent) to use his or her data for marketing campaigns, and could not keep that data beyond the three-year warranty limit without another justification.

Jurisdiction and Scope#

Under the GDPR, jurisdiction depends less on where a business is incorporated or headquartered and more on where its business activity is directed. To be sure, the GDPR will apply to the processing of personal data by businesses "established" within the EU. More controversially, it will also apply to businesses established outside the EU if their processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals' behaviour within the EU. This provision extends the territorial scope of the Regulation well beyond the EU's borders and gives it extraterritorial effect on many non-EU businesses.

There are some limits on the Regulation's reach: Recital 23 makes clear that a commerce-oriented website being accessible from the EU, or the mere availability of an email address or other contact details, does not by itself constitute offering goods or services. Rather, there must be evidence that the business envisages EU customers, for example by using a language or currency generally used in one or more Member States, or by mentioning customers or users who are in the EU.

The GDPR does not apply to the personal data of deceased persons (Recital 27) or to data concerning legal persons such as companies (Recital 14). Note, however, that a business-to-business relationship is not automatically out of scope: the name, work email address or telephone number of an individual contact at a customer or supplier is still personal data.

General Data Protection Regulation FAQ#

Data Protection#
