If you have not been living under a rock in recent weeks, you will have noticed a flood of emails from companies notifying you about changes to their privacy policy and terms of service. This is no coincidence: on Friday, 25 May, a comprehensive new piece of legislation comes into effect in the European Union, governing how companies handle personal data and the business practices around it. The Regulation, the so-called General Data Protection Regulation (GDPR), grants individuals a number of rights over their personal data and sets out a number of obligations that companies have when processing such data.

The 88-page document contains 99 articles, covering topics such as the right to be forgotten, consent management, data portability and protocols for handling data breaches. It is a rather lengthy document with its fair share of legal terminology, so we will try to sort it out and clarify whom it applies to, what it enforces and what rights it grants. (Disclaimer: I am not a lawyer and this should not be taken in any way as legal advice.)

To whom and to what does the GDPR apply?

The law obviously applies within the borders of the European Union, but things are never really that easy. For starters, it applies to any person who is in the EU, even a visitor on holiday. Conversely, it does not necessarily apply to EU citizens: a Frenchman living in the US is not protected by the GDPR.

On the other hand, it is enforceable against every company that processes data on at least one person in the EU, regardless of whether it is a European company or whether it has any physical presence in the EU at all. The Regulation's definition of "processing" of personal data is very broad and covers any operation performed on personal data, such as "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (Article 4).

The definition of personal data is no less broad. The Regulation characterizes it as "any information relating to an identified or identifiable natural person" (Article 4). In plain language, this means any data that either relates to a specific person – such as nationality, gender or income – or is specific enough to identify a person directly or indirectly – such as a name, identification number, address or possibly even a very rare disease. It should be noted that the Regulation applies only to personal data. If information cannot be considered personal in the sense defined above, it is not protected by the GDPR.

One of the more drastic changes introduced by the GDPR is the severity of the associated fines. A company that fails to comply with the Regulation may be fined up to € 20 million or 4% of its total worldwide annual turnover, whichever is higher (Article 83). This is why so many companies are scrambling to prepare for the GDPR by 25 May, the day it comes into force. And since the EU is such a big player in the world economy, with a gross domestic product of 17 trillion US dollars and a population of more than half a billion, withdrawing from the European market is not an option for most companies.

The "screw it" approach to compliance

I'm not a European, why should I be interested?

Even if you have never been to Europe and are not planning a visit, the GDPR will still affect you. In fact, you have probably already experienced some of its effects. Countless companies, from Microsoft to Twitter to Facebook to LinkedIn to Google, have updated their terms of service and privacy policies, sending emails en masse to users to inform them of the changes.

A video from Google explaining its updated privacy policy

The GDPR will also have very direct consequences for people outside the EU. For example, Facebook has already confirmed that it will extend some GDPR requirements, such as the Regulation's tightened data protection controls, to users throughout the rest of the world, even though this is not required by law. In fact, it is much simpler, cheaper and easier for businesses to implement the same privacy options for all users than to manage different rules for different groups of users. It will not be surprising if other companies follow this example and guarantee at least part of the GDPR's increased privacy protections to everyone.

In a more indirect sense, the GDPR will affect how we view the way companies interact with us, and what we expect of them. However you look at it, the GDPR will inevitably have a significant impact all over the world.

What rights does the GDPR grant?

The GDPR grants European citizens several rights that can reasonably be condensed into a list of seven. Many of these rights are genuinely new, while others have existed in the EU for some time.

Right to transparent information (Articles 12-14)

The right to "transparent information" can be summarized simply as a user's right to know how a company uses their data. At the time of collecting user data, companies must inform users of:

  1. the identity and contact details of the company and, where applicable, its representative.
  2. the contact details of the company's data protection officer (explained in more detail below).
  3. the purposes and legal basis for processing a user's data.
  4. the recipients of a user's data, if any.
  5. where applicable, the fact that the company intends to transfer personal data to a third country or an international organization.
  6. the period for which a user's data will be stored or, if that cannot be given in advance, the criteria used to determine that period.
  7. the rights of the user in relation to their data, namely the rights of access, rectification and erasure of personal data, the rights to restrict or object to the processing of personal data, and the right to data portability.
  8. the user's right to withdraw consent to the processing of personal data at any time, provided that processing is not required for legal reasons (e.g. in the case of a contract with the user, or to protect the vital interests of a person).
  9. the user's right to lodge a complaint with the supervisory authority.
  10. whether and how "automated decision-making", e.g. profiling, is performed on a user's data.

In addition, if the data was not obtained directly from the user (for example, if it was obtained from third parties), companies must also inform users of the categories of personal data obtained and the source it came from.

The right to transparent information also stipulates that companies must comply with a user's request under any of the rights listed below "without undue delay" and within one month of receiving the request, with the possibility of extending that period by up to two further months in exceptional circumstances, such as the complexity or number of requests.

As a safeguard in case a company receives requests from a person that are "manifestly unfounded or excessive", the company may either refuse to act on the request or charge a "reasonable fee" based on the administrative costs of handling it.

Right of Access (Article 15)

This right allows users and customers to find out whether a company is processing their personal data and, if so, to access that data along with information on how and why it is being processed.

Right to Rectification (Article 16)

The right to rectification entitles the user to have inaccurate information corrected and incomplete information completed.

Right to be Forgotten (Articles 17, 19)

The right to be forgotten states that individuals may require a company to stop processing and erase all personal data concerning them, as long as at least one of a specific list of conditions is met. These conditions are:

  1. the data is no longer required for the purposes for which it was collected.
  2. there is no legal obligation to process the data.
  3. the data was processed unlawfully.
  4. the data must be erased in order to comply with a legal obligation.
  5. the data relates to a person who is legally a minor.

There are also some cases where the right does not apply, namely where processing the data is necessary for:

  1. exercising the right to freedom of expression and information.
  2. fulfilling a legal obligation.
  3. reasons of public interest in the area of public health.
  4. archiving purposes in the public interest, or scientific, historical research or statistical purposes.
  5. the establishment, exercise or defense of legal claims.

This right is by no means new – its conception dates back at least to the UK's Rehabilitation of Offenders Act of 1974. Its purpose is arguably a dignified and noble one: people convicted of relatively minor offenses should not be punished forever with a permanent stain on their records. In other words, once a conviction has been "spent", it should not have to be disclosed if, for example, the person applies for a job or takes out insurance.

However, the right gained some fame in 2014 when a man named Mario Costeja González sued Google because he was unhappy with the results that came up when he googled himself. Costeja had asked Google to remove links to a 1998 newspaper notice announcing the forced sale of his property. Google refused to comply, arguing that Costeja had no right to have lawfully published material removed, but the court ultimately sided with Costeja and forced Google to remove the links. It was also around this time that the right became known as the right to be "forgotten".

Ironically, Costeja's suit drew far more attention to the news article he was trying to hide. He even tried to have links to his case against Google removed from the search engine, but was turned down by the Spanish Data Protection Authority. Someone would have done well to warn him about the Streisand effect before he decided to sue the world's largest search engine.

The inclusion of the right to be forgotten in the GDPR is significant because it makes the right applicable beyond the EU's borders. A case like Costeja's would now require Google to remove the offending links not only from the Spanish version of the search engine but from every other region as well, including the United States. And while the law does provide some exemptions for information of public interest (such as information about politicians), it is not difficult to see how it could be abused and how it undermines and contradicts the right to freedom of information.

Right to Restrict Processing (Articles 18, 19)

If a person wishes to pause the processing of their personal data rather than delete it altogether, they may do so. This section of the Regulation grants individuals the right to have the processing of their personal data temporarily halted (in every respect except storage) when:

  1. the accuracy of the data is disputed by the individual, and the company needs time to verify its accuracy.
  2. the processing is unlawful.
  3. the company no longer needs the data, but the individual still needs it for the establishment, exercise or defense of legal claims.
  4. the individual objects to the processing of their data, and the company must verify that there are no legal grounds that override the request.

Right to Data Portability (Article 20)

Users may also receive their personal data in a structured, machine-readable format and, on request, have it transferred to another company. There are some conditions on the type of processing to which this right applies, namely that the processing is based on the individual's consent (e.g. users are not entitled to have their criminal records transferred) and that the processing is carried out automatically (portability requests for manually processed data would be unreasonably burdensome, since the company would have to convert analogue records into a digital format).

Interestingly, this right allows users to easily migrate all their data from one service to another. This could be a potential game changer for companies like Facebook, which rely to some extent on the difficulty of switching to a competitor in order to keep users engaged with their service.

Right to Object (Articles 21-22)

The right to object includes provisions that allow individuals to object to the use of their data in "automated decision-making" such as profiling or targeted advertising. In addition, users may object to their data being used for direct marketing purposes.

What does it require of companies that process personal data?

In addition to having to honor users' requests under these rights, businesses that handle personal data are now subject to far greater scrutiny and must take several proactive measures to protect user data.

Data Protection Officer (Articles 37-39)

The GDPR introduces a new, high-level corporate governance role called the Data Protection Officer (DPO), who reports directly to senior management. The DPO's task is to oversee all matters related to the protection of personal data within an organization. The DPO also serves as the point of contact for individuals who have a problem related to the processing of their personal data. Importantly, companies cannot use their DPO as a scapegoat in the event of a data breach or similar incident, nor may they penalize or dismiss the DPO for performing his or her duties.

The Regulation specifies the following: a Data Protection Officer must be appointed by any company whose core activities require "systematic monitoring" of people on a "large scale", or that processes "sensitive" data (e.g. biometric data, personal beliefs or criminal records). The requirement is a bit vague, but it is fairly clear that every company from Google and Facebook down to medium-sized banks and retailers will fall under that definition. On the other hand, sites (like this one) that collect little more than cookies from their users probably do not need a DPO.

The duties of the Data Protection Officer include:

  1. informing and advising the company and its employees on compliance with the GDPR.
  2. monitoring compliance with the GDPR within the company.
  3. cooperating with the supervisory authority and acting as the contact point for issues related to the processing of personal data.
  4. advising on data protection impact assessments (Article 35), which assess the potential risks of particularly consequential measures, such as a large-scale data migration, before they are carried out.

The Data Protection Officer may take on tasks other than those imposed by the Regulation, as long as those duties do not create a conflict of interest. However, since the responsibilities above are already more than enough for a full-time position, most medium to large companies are likely to appoint a dedicated person as their DPO.

If you are only here to read the headline and leave a comment, you might be missing something. But if you just want a one-sentence summary of the GDPR's impact, here it is: the GDPR also affects users who are not in the EU, and gives them more rights over their personal data as well as more transparency about how companies use our data.
