GDPR…Are You Ready?
What you need to know about GDPR
GDPR is the EU General Data Protection Regulation which will be enforced on 25 May 2018 at which time those organizations in non-compliance will face heavy fines.
The GDPR was approved by the EU Parliament on 14 April 2016. It entered force 20 days after its publication in the EU Official Journal to be directly applicable in all member states two years after that date.
What’s the objective of GDPR?
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- It protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
What’s the scope of GDPR?
- This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
- It applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- It applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- It applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
What is “Personal Data” in the context of GDPR?
- Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Does GDPR affect UAE and Middle Eastern Organizations?
- Short answer is: It’s conditional.
- Not only does the GDPR apply to organizations located within the EU but it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
- It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
- The GDPR does not apply to any processing of personal data of Europeans by a company established abroad but only to the processing of data that takes places in the context of an offer of goods or services to individuals in the EU (art. 3, par. 2). Therefore, there must be a specific element of “targeting” of EU users. This is further developed in recital 23 of the GDPR: “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
- So for ex. the GDPR will not apply to the processing of data of Europeans (e.g. EU employees of a company in the UAE) collected in UAE (outside of an offer of good or services specially targeting individuals in the EU). But if the UAE company is present in the EU and has employees in the EU, then the GDPR will apply.
What are the penalties for non-compliance?
- Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million.
- It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Are companies’ terms and conditions attached to contracts sufficient to obtain consent for processing personal information?
- Short answer is: No. Specially for sensitive information.
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it.
What is the “Right to be Forgotten”?
- Under article 17 of GDPR the data subjects have the right for erasure.
- Subject to certain conditions being met, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay including any information that has been made public.
What do you need to do in relation GDPR and how can we help you?
For more information, contact us and let’s start the conversation Contact Us.
In the article we have adapted text from the articles of the GDPR.