The GDPR has been in effect since 25 May 2018. To get a head start in understanding what this Europe-wide privacy law is about, let us explain the nine basic concepts and how they fit together.
- Personal data: personal data are all data that relate to natural persons. Even if data seem not to be personal, think again. Under the GDPR, data that could potentially reveal information about a natural person also count as personal data. So this is not limited to obvious things such as names, addresses and portrait pictures, but also includes personal e-mail addresses without names in them and IP addresses. Err on the side of caution and treat all data as personal unless they are very clearly not.
- Processing: doing anything with personal data, from using it to target people to simply storing it, is considered processing. As such, collecting information for 'later use' is certainly defined as processing, and therefore falls subject to the GDPR. Whether you do something with personal data in automated systems or just on paper (in a filing system) does not matter. You are exempt from the GDPR's rules only if you process data in the context of a household or if you are in particular branches such as .
- Purpose: processing personal data must have a specific purpose. So again, random storage of personal data you collect is not allowed. Processing has to serve a specific purpose (such as a subscription administration or salary payment). A purpose such as 'keeping these data because they could potentially be valuable to our business at some point in the future' will not be accepted as a valid processing purpose.
- Data subject: the data subject is the natural person to whom personal data relate. The data subject has all kinds of rights that they can exercise towards the controller of a processing activity, including the right to concise and accessible information on the processing activity, and the rights to rectification, erasure and restriction of processing. There is also a right to data portability, allowing the data subject to take their personal data from one organisation to another.
- Controller: the controller of a processing activity is the entity that determines the purpose and means of that activity. By being a controller, you are automatically assigned all kinds of obligations towards the supervisory authority and the data subject (the latter mirroring the rights of the data subject described above). Besides being accountable for what your organisation does, you are also accountable for what any processor might do with personal data.
- Processor: a processor is an entity outside the controller that processes personal data on behalf of the controller. The controller should put sufficient safeguards in place so that nothing goes wrong with personal data in the chain between the controller and (sub)processors. A controller can never simply point towards a processor, because the controller is always held accountable.
- Lawful processing: article 6 of the GDPR lists six 'processing grounds' that can, together with a sufficiently specific purpose and other safeguards, make a processing activity lawful. These grounds include consent by the data subject, performance of a contract, and performance of a public task. Note that where special categories of personal data are used, processing such data is prohibited unless one of the exemption grounds from article 9 of the GDPR applies.
- Special categories of personal data: these form an exhaustive list of categories found in (among others) art. 9 GDPR, including data revealing racial origin, political opinions, and health data. The exemption grounds from art. 9 GDPR may apply, but beware: processing special categories of personal data will attract the attention of supervisory authorities, because these data are considered to pose considerable risks to the data subject when, e.g., a breach occurs.
- Supervisory authority: each EU Member State has one (or sometimes several) supervisory authority with the right to check organisations' compliance with the rules of the GDPR. There is no single 'EU supervisor', although there is a European Data Protection Board that plays a role in resolving conflicts should they arise between different supervisory authorities. The supervisory authority can require the controller or processor to provide all kinds of information on its data processing activities.
How do these nine concepts relate to each other?
Well, personal data are used in a specific processing activity, which has a sufficiently specific purpose relating to the data subject whose data are being processed. The controller is responsible for this activity and might engage one or more processors in it. However, the processing is only lawful if one of the six processing grounds applies or, in the case of special categories of personal data, one of the exemption grounds for processing such data applies. In the end, it is up to the supervisory authority (or a competent court) to assess the legality of the processing activity.