General Data Protection Regulation – The What, How And Why

In an increasingly digital world, personal data protection has become a paramount concern. The General Data Protection Regulation (GDPR) is a law implemented to safeguard the privacy rights of individuals and ensure the responsible handling of personal data. This article aims to thoroughly understand GDPR by exploring its key concepts, principles, implementation, and why it is essential in today’s data-driven society.

Understanding GDPR

The General Data Protection Regulation is a set of regulations enacted to provide a unified framework for data protection across member states. GDPR applies to organisations that process personal data, regardless of the organisation’s location. It establishes a harmonised approach to data protection, ensuring consistency in privacy rights and obligations. GDPR is built upon several key concepts and principles organisations must adhere to when processing personal data. These concepts include defining personal data, data subject rights, lawful basis for processing, consent, data minimisation, accountability, and privacy by design and default. For compliance, organisations may consider GDPR training or consulting with legal experts specialising in data protection and privacy laws. Understanding these concepts is crucial for organisations to ensure compliance with GDPR requirements and protect individuals’ personal data privacy.

Scope and Application

GDPR applies to data controllers and processors. Data controllers establish the purposes and means of processing personal data, while data processors handle personal data on behalf of the data controller. GDPR places significant responsibilities on controllers and processors to protect personal data, maintain accurate records of processing activities, and implement appropriate security measures. The regulation applies to all sectors and industries that process personal data, including businesses, non-profits, public authorities, and service providers.

Data Subject Rights

GDPR grants individuals several rights to exercise control over their data. These rights encompass the right to access, rectify, erase, restrict processing, data portability, and object to processing their personal data. Organisations must respect these rights and give individuals mechanisms to exercise them effectively. Data subjects also have the right to be informed about the processing of their data, including the purposes, legal basis, and recipients of their data.

To effectively uphold data subject rights, organisations must establish transparent and accessible processes for individuals to exercise these rights. This includes providing clear channels for data subject requests, such as designated contact points or online forms, and promptly responding to such requests within the specified time frames outlined in GDPR.

Organisations should also ensure that their data management systems are equipped to handle these requests efficiently, enabling the retrieval, rectification, or erasure of personal data as required. By respecting and facilitating data subject rights, organisations comply with GDPR and foster trust and transparency in their relationships with individuals, promoting a culture of privacy and data protection.

Consent

Consent is an essential element of GDPR. Organisations must obtain clear and explicit consent from individuals before processing their data. Consent should be freely given, specific, and unambiguous. Organisations must provide individuals with clear information about the processing activities and enable them to withdraw consent at any time. Consent is just one of the lawful bases for processing, and organisations should consider other legal bases when appropriate.

Lawful Basis for Processing

Under GDPR, organisations must have a lawful basis for processing personal data. The regulation outlines six lawful bases for processing, including the necessity of processing for the performance of a contract, protection of vital interests, consent, performance of a task carried out in the public interest, or legitimate interests pursued by the data controller or a third party. Organisations must assess their data processing activities and identify a lawful basis aligning with their purposes.

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs) are required for processing activities likely to result in a high risk to the rights and freedoms of individuals. DPIAs help organisations identify and mitigate the privacy risks associated with their data processing activities. They provide a systematic approach to assessing the impact on individuals’ privacy and enable organisations to implement appropriate safeguards and measures to protect personal data.

DPIAs thoroughly examine the data processing activities. Through this assessment, organisations can identify vulnerabilities, evaluate the necessity and proportionality of the processing, and implement necessary safeguards to minimise risks. DPIAs also promote transparency, requiring organisations to document and communicate the findings and mitigating measures to relevant stakeholders. By incorporating DPIAs into their data protection practices, organisations demonstrate a commitment to privacy and responsible data processing, instilling confidence in data subjects and regulatory authorities.

Accountability and Data Security

One of the fundamental principles of GDPR is accountability. Organisations must demonstrate compliance with the regulation by implementing appropriate technical and organisational measures to protect personal data. These measures include data encryption, access controls, regular security assessments, and incident response plans. Organisations must also maintain records of processing activities, appoint a Data Protection Officer (DPO) in certain cases, and ensure that their third-party processors adhere to GDPR requirements.

Enforcement and Penalties

Supervisory authorities play a vital role in ensuring compliance with GDPR and safeguarding the privacy rights of individuals. These authorities can investigate complaints, conduct audits, and impose sanctions on organisations that fail to meet the regulation’s requirements. The severity of fines can vary, with higher penalties reserved for more serious breaches. Apart from financial repercussions, organisations may also face reputational damage and loss of customer trust in the event of non-compliance.

Therefore, organisations must prioritise data protection, implement robust security measures, and maintain a culture of compliance to mitigate the risk of penalties and build a reputation as a trustworthy custodian of personal data. Compliance with GDPR demonstrates a commitment to protecting individuals’ privacy. It fosters a competitive advantage by assuring customers and partners of an organisation’s commitment to data protection and responsible data handling practices.

The General Data Protection Regulation (GDPR) is landmark legislation that protects individuals’ privacy and personal data. By establishing a harmonised framework for data protection, GDPR promotes accountability, transparency, and responsible data handling practices. Organisations that process personal data must understand the key concepts, principles, and requirements outlined in GDPR to ensure compliance and protect the privacy rights of individuals. Adhering to GDPR helps organisations avoid significant financial penalties, fosters trust with customers, enhances data security, and promotes a culture of respect for privacy in our increasingly data-driven society.

Your Rights As a Data Subject Under the GDPR: “The Right of Access”

As a data subject whose personal data is processed, you invariably have the right to access. However, this right of access is not absolute. We clarify what this means, how you exercise this right and what response should be given.

First of all, the terminology used is somewhat misleading as it creates the impression that you can actually inspect the processing itself, when the reality is more nuanced. Rather, it concerns a right to know about the processing of your personal data. You can exercise this right at any time, regardless of whether you were informed about the processing of your personal data at the start of the processing.

Article 15 GDPR clarifies what information you are entitled to, beyond the actual personal data itself, when exercising your right to access:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • the period for which the personal data are expected to be stored or, if that is not possible, the criteria for determining that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • when transfers are made to a third country or international organisation, the appropriate safeguards taken.

In principle, you are entitled to one free copy; for additional copies, the controller may charge a reasonable fee in proportion to the administrative costs.

If you make your request for access in electronic form (e.g. by e-mail), it is sufficient for the controller to send you the copy in electronic form as well, unless you explicitly request otherwise.

However, your right to access is not absolute. Article 15(4) GDPR clarifies that this right must not adversely affect the rights and freedoms of others.

For example, if you exercise your right of access vis-à-vis your (former) employer, the latter has the right, and in fact the duty, to anonymise or redact the evaluation forms, as the personal data of others (e.g. the evaluator, colleagues) must also be protected under the GDPR. In the same vein, the controller also has the right to ask you to clarify your request. After all, if you have been employed for a long period of time, it may be disproportionate and impose an excessive burden to have to anonymise, redact and copy all data over the entire period in order to comply with your request. A concrete assessment must always be made in this regard.

In the recent ECJ judgment of 4 May 2023, the Court clarified that the right of access can extend very broadly, in the sense that copies of the underlying documents or extracts must be provided. However, one should never lose sight of the rights and freedoms of others in doing so:

“the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.”

Your request in itself is not subject to any formal conditions. However, so that it can be dealt with efficiently, you are well advised to identify yourself clearly from the outset, since every controller has a duty to verify your identity before providing any information.

Subsequently, the controller has in principle one month to comply with your request. Within this period, it must either provide the data or inform you why it believes it cannot or need not do so, and inform you of your right to lodge a complaint with the supervisory authority (GBA) and of the possibility of a subsequent appeal to the court (Market Court). The period can be extended by an additional two months if the controller notifies you of this before the original period expires.

If you have any further questions about (the exercise of) your right of access, you can always contact us by e-mail: gpdr@studio-legale.be or by telephone on 03/216.70.70.