!!! Overview[1][3][4]
[General Data Protection Regulation] ([GDPR]) (Regulation ([European Union]) 2016/679) is a [Regulation] by which the [European Commission] intends to strengthen and unify data protection for individuals within the [European Union] ([EU]). 

[{$pagename}] also addresses export of [personal data] outside the EU. The Commission's primary objectives for the [GDPR] are to give citizens back control of their [personal data] and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]

When the [GDPR] takes effect it will replace the data protection directive (officially [Article 29 of Directive 95-46-EC]) from [1995|Year 1995]. Perhaps confusingly for some, there is a new directive as well as a new [regulation]; the directive will apply to police procedures, which will continue to vary from one Member State to the other.

The [regulation] was adopted on 27 April [2016|Year 2016]. It enters into application on __25 May [2018|Year 2018]__ after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by the individual [European Union] governments.

The regulation applies if the data controller or processor ([organization|Organizational Entity]) or the [data subject|Digital Subject] (person) is based in the [EU]. 

Furthermore (and unlike the current Directive) the [Regulation] also applies to [organizations|Organizational Entity] based outside the European Union if they process personal data of EU [residents|Digital Subject]. 

The regulation __does not apply__ to the processing of [personal data] for [National Security] activities or law enforcement ("competent authorities for the purposes of [prevention], investigation, detection or prosecution of criminal offences or the execution of criminal penalties"). 

!! [{$pagename}] [Personal Data|Personal data#section-Personal+data-EuropeanCommissionGDPRPSD2]
[European Commission] defines [Personal Data|Personal data#section-Personal+data-EuropeanCommissionGDPRPSD2]


Not only is the personal data itself covered by the new rules, but everything that’s done with the [data], too. “Processors [[of data] also have a [Responsibility],” Hammarstrand said. “What’s new in this legislation is they have a direct [responsibility]. They could actually be reviewed and fined if they are not complying with the legislation.”

!! [{$pagename}] definitions
* [Processing|Data Collection] - means any operation performed on [Personal data] such as:
** [Collection|Data Collection]
** Recording
** Organizing
** [Storing|Data Store|DataStore]
* [Data Controller] is an [entity] that determines the purposes and means of processing [personal data]
* [Data Processor] is an [entity] that processes [personal data] of a [Data Controller]
* [Data subject] - means a [person] who is the subject of [personal data]. In other words, the [data subject] is the [person] whom particular personal [data] is about.

! [{$pagename}] [Examples] of [Data processing]
* staff management and payroll administration;
* access to/consultation of a contacts [database] containing [Personal data];
* sending promotional [emails*];
* shredding documents containing [personal data];
* posting/putting a photo of a [person] on a [website];
* storing [IP Address] or [MAC Address];
* video recording (CCTV).

!! When is [Data] processing permitted?
* Necessary for the performance of a contract to which the [data] subject is party
* Necessary for [compliance] with a [legal] obligation
* Necessary in order to protect the vital interests of the [data] subject
* Necessary for the performance of a task carried out in the public interest
* Legitimate interests when not overridden by the interests of the [data] subject
* [Informed Consent] 
Generally you may not store the [data] for marketing or statistical purposes.

!! In One Paragraph[2]
[{$pagename}] defines [Personally Identifiable Information] ([PII]) as any information that relates to an __EU resident’s__ private, professional or public life (that is, banking information, medical information, email addresses, social media posts and so on). A lot of the regulation goes into making sure that this [PII] is not only stored with a [person’s permission|consent], but that it’s also kept for a specified purpose and for a duration that makes sense, given the __initial reason__ for obtaining the data. So, if a customer signs up for a product warranty, and the warranty is good for three years, the company would need to get the customer’s explicit permission to use his or her [PII] for marketing campaigns or to keep that data beyond the three-year warranty limit.

!! [Jurisdiction] and Scope
Under the [GDPR], jurisdiction is less related to the location where a business is incorporated or headquartered and more to the location of business activity. To be sure, the [{$pagename}] will apply to the processing of [Personal data] by businesses "established" within the [EU]. More controversially, the [{$pagename}] also will apply to businesses established __outside the EU__ if their processing activities relate to the offering of goods or services to individuals in the [European Union] or to the [monitoring] of such individuals’ behavior. This provision expands the territorial scope of the [{$pagename}] well beyond the [EU], essentially implying it is global law.

There are some limits in place on the [{$pagename}]’s reach—the regulation makes clear that having a commerce-oriented [website] that is accessible to [EU] residents does not by itself constitute offering goods or services. Rather, a business must show intent to draw [EU] residents as customers, for example, by using a local [language] or currency.


[{$pagename}], under [GDPR] or [PSD2], is not applicable to deceased [persons] or to [Business to Business] [Relationships].

!! [{$pagename}] FAQ
* [Data Protection Officer] ([DPO]) - (Article 37 GDPR) is the person designated, where applicable, to facilitate compliance with the provisions of the GDPR. The GDPR defines the criteria and the conditions under which a DPO must be designated.
* [Customer EU Representative] - (Article 27 GDPR) is the person designated, where applicable, to represent [customers] not established in the [EU] with regard to their obligations under the [GDPR].
* [Data Processing Agreement] - 

!! [Data Protection]


----
* [#1] - [General_Data_Protection_Regulation|Wikipedia:General_Data_Protection_Regulation|target='_blank'] - based on information obtained 2016-07-10
* [#2] - [Two Ways GDPR Will Change Your Data Storage Solution|https://www.linuxjournal.com/content/two-ways-gdpr-will-change-your-data-storage-solution|target='_blank'] - based on information obtained 2017-03-24
* [#3] - [GDPR Reference Guide: All 99 Articles in 25 Minutes|https://www.eckerson.com/articles/gdpr-reference-guide-all-99-articles-in-25-minutes|target='_blank'] - based on information obtained 2018-05-11
* [#4] - [eugdpr.org|https://www.eugdpr.org/|target='_blank'] - based on information obtained 2018-05-27