11 February 2020
Below you'll find a summary and brief explanation of each Recital of the GDPR.
The Recitals are important because they provide additional details and insight into the purpose and functions of the Articles.
*Please note that the Recital titles used here are not official
Data protection is a fundamental right. Citizens of EU Member States owe this right, in part, to the Charter of Fundamental Rights of the EU and the Treaty on the Functioning of the EU.
No matter where they are from, people have a right to protection of their personal data. Any rules around data processing should respect this right. The GDPR aims to:
The Data Protection Directive (an older EU law which the GDPR replaces) aims to:
Data should be processed in a way that serves the public good. However, personal data rights have to be weighed against other rights. In setting out the rights people have over their personal data, the GDPR has to balance these against all of their other fundamental rights.
A large amount of personal data is now flowing between EU Member States. EU law is asking those Member States to cooperate and carry out duties on behalf of one another.
Technological improvements and globalization have brought about a huge increase in the amount of personal data being shared. Businesses and public bodies processing personal data on a large scale. This increase in personal data processing has brought about new challenges.
Technology should be used to encourage the free flow of personal data, and ensure a high standard of data protection.
The recent increase in the sharing of personal data means that a new data protection framework is required. This framework will:
EU Member States can incorporate parts of the GDPR into their national law where necessary.
For example, the UK passed the Data Protection Act 2018, a national law which brings the GDPR on the UK's statute books.
Under the Data Protection Directive, an older EU law which the GDPR replaces, data protection has been applied unevenly across the EU. People generally feel that their personal data is not safe online.
Data has not been flowing entirely freely across the EU. This is an obstacle to economic activity. This is because of the inconsistent application of the Data Protection Directive.
All EU Member States should offer the same consistent level of data protection. This will enhance people's rights and allow for the free flow of data across the EU.
EU Member States can specify how the GDPR is applied via their own national law. They can make specific rules about the processing of personal data in particular circumstances, such as where:
The only way to effectively protect personal data throughout the EU is to:
The Treaty on the Functioning of the European Union, one of the EU's founding treaties, gives the European Parliament and Council the power to make rules about the processing and protection of personal data.
Some of the reasons that the GDPR is necessary are:
Businesses with fewer than 250 employees aren't required to follow all of the GDPR's rules regarding record-keeping. EU Member States should be conscious of how they apply the GDPR when it comes to small and medium-sized businesses.
The GDPR applies to personal data of natural persons, but not legal persons.
The name of a business might contain a natural person's name and/or address, e.g. "Tom Jones 1st Avenue Web Development Services Inc." In this context, this would be personal data of a legal person, and the GDPR wouldn't apply to it.
Data protection should apply no matter what technology is used. The GDPR applies wherever personal data is collected automatically or as part of a filing system. Where personal data is stored in an unstructured way, it might not be covered by the GDPR.
The GDPR doesn't apply to issues that fall outside the scope of Union law, such as the processing of personal data by Member States when carrying out issues of national security.
Any other EU laws which cover the processing of personal data should be adapted so that they're compatible with the GDPR.
The GDPR doesn't apply to purely personal or domestic activity, for example keeping an address book or using a social media account.
The GDPR doesn't generally apply to the investigation or prosecution of crime, which is covered by the Law Enforcement Directive, another EU law. However, there are some circumstances where processing of personal data in relation to criminal investigations might be within the scope of the GDPR. In such circumstances, EU Member States can restrict individuals' data rights in the interests of public security.
Although the GDPR does apply to the activities of courts in certain contexts, supervisory authorities shouldn't interfere with courts when they're acting in a judicial capacity. The data processing activities of judges can be monitored by bodies within the judicial system itself. This is so that they remain independent.
Under the Electronic Commerce Directive, another EU law, certain rules apply to Internet Service Providers (ISPs) (known as "intermediary service providers" in EU legislation). For example, they aren't legally responsible for the information that passes through their networks. The GDPR doesn't affect these rules.
The GDPR applies to the processing of personal data by any person or organization established anywhere in the EU, regardless of whether the actual act of processing takes place within the EU.
The GDPR applies to you if you are processing the personal data of people in the EU with the aim of offering them goods or services (whether paid or free). This is true whether you are established in the EU or not.
The mere fact that your website is accessible in the EU doesn't, by itself, mean that you'll necessarily fall into this criteria. There should be some evidence that you intend for EU residents to use your service. This will be context-dependent, but some examples include:
The GDPR applies to you if you are monitoring the behavior of people in the EU, whether you are established in the EU or not.
In general, if you're profiling someone in order to try to predict their future behavior or preferences, this is a form of monitoring. This might include tracking internet activity through the use of targeted cookies. Targeted advertising generally requires profiling and monitoring, and thus falls within the scope of the GDPR.
The GDPR applies to EU diplomats working outside of the EU, or any other situation where EU law applies.
Because the GDPR only applies to personal data - that is, information that can be used to identify a person - it doesn't apply to data that has been properly anonymized.
It's important to consider whether the data could still be used to identify a person using technology, for example by de-encryption. But generally speaking, anonymous data used for research or statistical purposes doesn't fall within the scope of the GDPR.
The GDPR doesn't apply to the personal data of deceased people.
The GDPR refers frequently to the process of pseudonymization as a good way of protecting people's personal data. It should be made clear that whilst this is a good method of data protection, it's not the only acceptable method.
Pseudonymization of personal data can be performed by the same data controller that's processing that personal data for other purposes, so long as appropriate safeguards are in place to ensure that unauthorized people cannot identify who the personal data refers to.
The following things can be used to identify a person, and therefore might be considered personal data:
The UK's supervisory authority, the Information Commissioner's Office (ICO), also suggests:
Anything that leaves a trace online might be used to help identify a person.
The GDPR doesn't apply to certain public authorities if they're processing personal data to carry out certain public tasks. Such public authorities include:
This isn't to say that such bodies are entirely exempt to GDPR, but that they shouldn't fall within its remit when they're carrying out tasks under a legal obligation. There will usually be separate rules around this type of data processing that they'll have to follow.
You can provide such public authorities with people's personal data if they request it in the proper way. They shouldn't normally be asking for all of the personal data you're storing.
The GDPR sets out new conditions for consent. Consent must be:
Consent can be given in writing, orally, or via electronic means. Some examples of where consent might be properly gained include:
The following things do not count as consent:
Consent should be 'granular,' meaning that where you are seeking to use personal data for more than one type of data processing, or more than one purpose, you must earn consent for each different use.
If you're processing personal data in the context of scientific research, you might not know the exact purpose of the personal data at the time you're collecting it. Therefore, it's important that the people whose personal data you're collecting are allowed to specify which areas of scientific research it can be used in.
The GDPR makes reference to genetic data. This is defined as a person's inherited or acquired characteristics, which result from certain methods of analyzing a biological sample (or an equivalent), in particular:
Health data refers to any data about a person's past, present or future state of physical or mental health. Some examples given include:
A data controller's main establishment in the EU should be the place where it makes decisions about how and why to process personal data. This is not necessarily the same place where the data processing occurs. Rather, it's the place where the data processing activities are managed.
A data processor's main establishment in the EU should be wherever it has its central administration in the EU. If it has no central administration, then it should the main place that it does its data processing.
In a case involving both a data controller and a data processor, the lead supervisory authority should be the supervisory authority of the Member State in which the data controller has its main establishment. If the data processor has a different supervisory authority, it should cooperate with the lead supervisory authority via the cooperation mechanism.
A group of undertakings can consist of an undertaking, plus some other undertakings whose data processing it controls.
In EU law, the term "undertaking" refers to some enterprise, organization or business offering goods or services or engaged in economic activity (whether for profit or not).
Children's personal data is specially protected, especially with regard to certain activities, including:
While parental consent is required for some activities under the GDPR, this shouldn't apply to certain counseling services offered directly to children.
Data processing should adhere to certain principles.
Lawfulness, fairness and transparency:
Integrity and confidentiality:
Data processing must take place on a lawful basis, such as:
When the GDPR refers to a "legal basis," it doesn't necessarily mean a basis in any particular piece of legislation - although in the legal systems of certain EU Member States this might be a necessary part of the definition. In such a case, this legislation should be easily understood by the people who are subject to it.
If you're relying on a person's consent as your lawful basis for processing their personal data, you need to be able to demonstrate that you've gained it.
People need to be aware of what they've consented to. If you're asking someone to consent to a pre-written statement, this statement must be:
Consent must be informed. This means that people need to at least know who is processing their data and why.
Consent must be freely given. This means people must have a genuine choice to consent. They should be able to easily withdraw their consent, without suffering any negative consequences.
Consent should be freely given, and must not be coercive. It might not be considered freely given if:
If you need to process someone's personal data to fulfill or enter into a contract with them, it's legal to do so. This is a separate lawful basis from consent.
If you're relying on a legal obligation or public task as your basis for processing personal data, the obligation or task should have some basis in the law of the EU or an EU Member State.
To satisfy this requirement, the GDPR doesn't require an individual law for each act or type of processing. A law that covers various types of processing in the context of the GDPR should suffice if it complies with the GDPR's principles of data processing.
EU Member States can decide whether a "public task" has to be carried out by an actual state authority or some other organization or person that has legal powers.
If you need to process someone's personal data to save a life (theirs or another person's), it's legal to do so. Processing personal data on this lawful basis should be a last resort, only to be used if they are unable to consent.
Some examples of situations where this might be necessary include:
A data controller may have a legitimate interest in processing personal data, but only where its interests are not overridden by the rights of the person whose personal data it wants to process.
For example, a data controller might have a legitimate interest in processing the personal data of a client or regular customer. In this case, the controller might not have to rely on consent or another legal basis to carry out the processing. The context of the relationship is important.
When seeking to rely on its legitimate interests as a lawful basis for processing personal data, the data controller will always need to consider what the person would reasonably expect. If the person wouldn't reasonably expect their personal data to be processed in a particular context, this expectation will override the contoller's legitimate interest. The applies even where the person is a client or regular customer of the controller.
Legitimate interests is a very broad basis for processing personal data. It might be a lawful basis for fraud prevention or even direct marketing. It all depends on a person's rights in a particular context.
A data controller might have a legitimate interest to share personal data within a group of other controllers. This group of controllers would have to fit the definition of a "group of undertakings" as defined at Recital 37.
Any such data-sharing arrangement would still have to comply with the rules around transferring personal data to non-EU countries, if relevant.
Ensuring data protection or the security of a network might represent a legitimate interest in processing personal data.
A data controller needs to be confident that their networks are secure and should be testing them regularly. Where this requires them to process personal data, they have a legitimate interest to do so.
You should only process personal data for the same reason and on the same lawful basis for which you collected it.
There may be exceptions to this if national law permits it. Some types of processing are considered compatible with one another. This means that further processing of personal data on a particular basis might be lawful, depending on the original reason it was collected.
For example, the following purposes for processing personal data are considered compatible:
An assessment of whether purposes are compatible must always take certain things into account, for example:
Sometimes a controller can engage in further processing even if the new purpose is not compatible with the old one. For example, where the person has consented to further processing, or where it's being carried out in the public interest. Further processing of criminal conviction data might be in the legitimate interests of a public authority.
When considering the lawfulness of further processing, always keep the GDPR's data processing principles in mind.
The high degree of risk involved in processing special category (sensitive) personal data means that special safeguards are required.
The rule is that by default, special category data should not be processed. There are specific exceptions to this rule, such as where:
The use of the term "racial origin" in the GDPR doesn't mean that the EU necessarily accepts that there are distinct races of humans.
Photographs are only special category data if they are biometric data, i.e. they have been processed via special technology.
Processing special category data is, by default, not allowed. There are some exceptions to this, where it is legal and performed under special safeguards, for example:
Special category data might be processed in the field of health, but only where it benefits wider society. For example:
The GDPR aims to harmonize the conditions under which special category data can be processed for health purposes - particularly where it's subject to professional confidentiality. EU Member States can introduce additional laws around protection people's rights in relation to their health data - so long as these laws don't stop data from flowing freely around the EU.
It may be necessary to process special category data without consent in the context of public health. The definition of public health includes data relating to:
Third party processing for purposes such as employment, insurance or banking doesn't fall into this category of "public health."
Where public authorities process personal data in order to achieve the aims of religious associations, this is in the public interest.
Processing personal data for producing opinion polls during elections can be justified in the public interest - if there are appropriate safeguards in place.
If the reasons you're processing personal data don't require you to know who the data you're processing actually belongs to, you aren't required to find out.
However, if you have the personal data of an unknown person, that person should still be allowed to exercise their data rights. If they provide you with more information in order to identify themselves, for example, their login credentials, you should use this to identify them and help facilitate their data rights.
Sometimes it can be difficult for people to understand who is collecting their personal data, and why they're collecting it. So, it's particularly important to be transparent if you're engaged in online advertising.
You should have systems in place to help people exercise their data rights. This includes a way to allow people to get access to their data, and also request that you rectify or erase it.
If you're processing personal data electronically, your users should be able to make such requests electronically.
You must respond to such requests as soon as reasonably possible, and within one month at most. If you're refusing a request, you need to explain why.
You should tell people:
The rules on when you need to provide information about your processing activities vary depending on context. For example:
You might not need to provide information about your processing where:
The above might not apply if you're processing children's personal data.
Anyone whose personal data you're processing has a right to access that data. They should be able to access it easily and as often as they desire. This allows them to check that you're processing their personal data lawfully.
Here's how legal firm PwC informs its users about this right in its Privacy Statement:
You should be able to give your users information about your processing on request, including:
You should try to provide some remote system by which your users can access their personal data - but ensure that your other users' personal data remains secure.
If you're processing a lot of someone's personal data, you can ask them to be specific about the data that they want you to reveal to them.
You should take steps to verify anyone who has made a request to access their personal data. This may include asking them for ID. You can't store people's ID for this purpose.
Anyone whose personal data you're processing has a right to request that it's rectified or erased. This right to erasure is known as "the right to be forgotten."
You must erase your users' personal data on request if:
An example of a specific situation is where a person made comments on a social media account and now wants them removed.
There are certain reasons you might refuse to erase someone's personal data, for example:
If you have made someone's personal data public online, and they wish to exercise their right to be forgotten, you're responsible for informing any third parties who might have links to or copies of that personal data.
Anyone whose personal data you're processing has the right to request a restriction of the ways you're processing their personal data.
Some examples of ways that you might comply with this request include:
This function should be built into databases that are used for processing personal data.
Anyone whose personal data you're processing has the right to request a copy of their personal data in a portable, commonly used electronic format so that they can give it to another data controller if they wish to.
This applies either where the person has consented to your processing their personal data, or you're doing so under contract. It doesn't apply under any other lawful basis.
You must be careful not to include anyone else's personal data in this file.
By making a request for data portability, a person doesn't forgo their right to erasure.
Where possible, you should carry out a requested transfer to another data controller yourself.
If you're processing someone's personal data on the lawful basis of a public task, official authority or legitimate interests, they have the right to object to your processing. If you can demonstrate an overriding legitimate interest in continuing to process their personal data, you may able to refuse to stop.
People have an absolute right to object to direct marketing, and you must stop if they do object.
You must make people aware of this right. You must present this information separately from other information.
People have the right not to have certain types of decisions made about them by automated means. These types of decisions might involve "profiling." In the GDPR, profiling refers to the act of analyzing someone's past behavior or characteristics in order to predict their future behavior.
The right to object to automated decision-making exists where very serious decisions are made, such as the denial of credit or the denial of a job interview. Such processing is generally not allowed except under very specific conditions, and is never allowed in the case of children.
If you are carrying out this type of data processing, there is potential for it to go wrong. Because of this, you'll need safeguards in place. These safeguards should include the option of having a human review the decisions and give explanations for them.
The GDPR applies to profiling. The European Data Protection Board, referred to throughout the GDPR as "the Board," can issue guidelines on profiling.
Under certain circumstances, EU Member States can suspend or restrict people's ability to exercise the GDPR's eight data rights. This is only when it's necessary in certain extreme situations, such as:
Such restrictions on these rights should only occur where sanctioned by EU-recognized human rights law.
Data controllers are legally liable for their acts of data processing. They must comply with the GDPR and be able to demonstrate that they're doing so.
The GDPR refers to data processing that might cause risks to people's rights and freedoms. Some examples of particular risks that might arise from processing include:
Risk should be assessed objectively. Factors such as the scope and context of the processing should be considered. You should establish whether your data processing involves risk, or if it is high risk.
The GDPR suggests some mechanisms that can be used to advise data controllers and processors about the risks involved in processing personal data, and how to safeguard against them. These include:
If you're processing personal data, the GDPR requires that you take particular technical and organizational measures to protect your users. One of the key concepts in the GDPR is "data protection by design and by default."
Data protection measures should be built into your data processing methods and systems. Such measures might include:
Anyone designing products or services that enable the processing of personal data is expected to design them in such a way that respects the principles of data protection.
Where a data processing operation is shared between a group of data controllers, or where a data controller hires a data processor, it should be clear who is responsible for fulfilling which obligations under the GDPR.
If your organization is based outside of the EU and is offering goods or services to people in the EU or monitoring their behavior, you are accountable under the GDPR. You should designate a person to represent you in the EU. You don't need to do this if:
This representative will act on your organization's behalf and liaise with supervisory authorities, and will not be held legally liable for any compliance issues.
Data controllers should only hire data processors that can demonstrate their GDPR compliance. One way they might partly demonstrate this is by showing that they adhere to an approved code of conduct or hold certifications.
Data controllers must have a contract with their processors that gives information about the nature of the job, including:
Supervisory bodies and the European Commission should offer standard contractual clauses that data controllers and processors can use in such a contract.
When the data processor has finished their job, they should usually return the personal data to their controller or erase it at the choice and direction of the controller.
You should keep records of your data processing activities. Supervisory authorities may need to see these records, and they must be made available if so.
You should evaluate the risks involved in your data processing activities and take measures to guard against them. Consider the risks associated with your data processing. These might include:
If you're engaged in risky data processing activities, you may need to carry out a data protection impact assessment. Consider:
As a result of this impact assessment, you should understand what measures you need to put in place to ensure your processing is secure.
If you're in any doubt about your ability to appropriately mitigate against the risks associated with your data processing activities, you need to consult with your supervisory authority before processing.
If you become aware that there has been a security breach and that some of your users' personal data has potentially been compromised, you need to inform your supervisory authority right away. This should be done within 72 hours at the latest. If for some reason it will take longer, you need to explain the reason for the delay.
You might not need to report a breach if it's unlikely to represent a serious risk to your users. Bear in mind that you are accountable under the GDPR.
If you become aware that there has been a high-risk security breach and that some of your users' personal data has potentially been compromised, you need to inform your users right away. You should do this in cooperation with your supervisory authority.
You need to let people know the nature of the breach and what they might do to mitigate against the risks.
Data protection and security of data processing are very important, and there are penalties for failing to protect people's personal data under the GDPR. If you have suffered a data breach, it is crucial that you know about it as early as possible. This means taking the appropriate organizational and technical measures to ensure this.
Reporting promptly is important because the supervisory authority might be able to act in such a way as to limit the damage caused by a breach. Whether you reported the incident promptly will be investigated and noted.
Certain bodies may be tasked with producing rules about the way that data breaches are reported. These rules need to take into account the context in which a data breach has occurred.
It may be, for example, that the compromised personal data had been pseudonymized. This means that it is unlikely to be used for fraud.
It may also be in the legitimate interests of law enforcement authorities not to disclose a breach immediately if doing so might prevent them from bringing the culprit to justice.
The old Data Protection Directive, which the GDPR replaces, required all personal data processing activities to be reported to a supervisory authority. This was an unnecessarily burdensome requirement that didn't necessarily improve the protection of personal data. Therefore, this is no longer a requirement under the GDPR.
The requirement has been replaced with a focus on having effective procedures and mechanisms in place to protect data processing operations that come with high risks to rights and freedoms of individuals.
If you're a controller and engaged in particularly high-risk data processing operations, you should carry out a data protection impact assessment.
Consider what technical and organizational measures you can implement to safeguard and mitigate against risk, and how you will comply with the GDPR.
It is particularly important that you carry out a data protection impact assessment if you're processing personal data in particular contexts, including if you're:
A data protection impact assessment isn't mandatory if the data processing is small-scale, for example, performed by an individual doctor or lawyer.
Under certain circumstances, it's possible for a data protection impact assessment to be broad enough to cover the activities of several data controllers, or even a whole industry.
Where an EU Member State regulates a particular type of data processing, it may wish to carry out a large-scale data protection impact assessment before the processing is allowed to take place.
Where your data protection impact assessment reveals that the data processing you're planning is particularly risky, and you can't work out a way to guard against that risk effectively, you'll need to consult with your supervisory authority before processing.
The supervisory authority should respond to you within a specified time. If it doesn't respond to you within this time-frame, this doesn't mean that you can just proceed with your planned processing.
After the consultation with the supervisory authority has taken place, you can submit a new data protection impact assessment to it for approval.
Where a data controller is conducting a data protection impact assessment, their data processor is expected to help them with this if necessary or requested by the data controller.
The supervisory authority should be involved when any laws and regulations about processing personal data are being drawn up.
If you're a data controller, you might need to designate a data protection officer, including if you're:
You don't need a data protection officer if you're only processing personal data to support your main activities.
Your data protection officer can be someone already employed within your company, but they must have an expert-level knowledge of data protection and the GDPR and they need to be able to act with complete independence.
EU Member States should encourage certain bodies, such as associations of small or medium-sized enterprises, to draw up codes of conduct which instruct their members on how to comply with the GDPR.
These codes of conduct will serve to set out the specific obligations of particular types of data controllers and processors, in the context of the particular risks involved in their data processing activities.
When drawing up a code of conduct, you should try to consult with those groups and individuals who have some stake in it. Listen carefully to their opinions.
There should be certificates available for those organizations and individuals who can demonstrate their compliance with the GDPR.
New challenges have emerged due to the general increase in personal data traffic. These challenges are particularly apparent when trying to safely transfer personal data from the EU to third (non-EU) countries.
Nonetheless, data transfers to third countries must be GDPR-compliant. They cannot take place if they are not.
The EU has some international agreements in place with third (non-EU) countries regarding data transfer arrangements. These aren't overridden by the GDPR.
EU Member States can also enter into such agreements so long as they are compatible with the GDPR and include appropriate levels of protection of the fundamental rights of data subjects.
If the European Commission has given approval to a third country's data processing practices, affirming that they are adequate, you can transfer personal data from the EU to this country without any additional permissions being required.
Here's the Commission's list as of 30 September 2018:
The Commission can decide that a third country's data processing practices are no longer adequate and revoke its decision after it has explained their reasoning to the country concerned.
The European Commission will take certain factors into account when deciding whether a third country's data protection practices are good enough to allow data transfers from the EU.
The basic requirements are that the third country's data protection practices are:
Whether a third country is signed up to any international data protection agreements would be a relevant factor for the European Commission in deciding whether data transfers should be automatically allowed to that country.
Of particular relevance is the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
The European Commission should carry out regular reviews of the data protection practices of third countries that it has deemed adequate for data transfers. These reviews should take the opinions of the European Parliament and Council into account.
The European Commission has the power to decide that a third country has adequate data processing practices. This means that personal data to be transfers out of the EU into that country are permitted by default. None of the GDPR's additional safeguarding requirements apply.
The Commission also has the power to reverse or amend this decision if it deems that the situation has changed. At this point, personal data transfers to this country will require appropriate safeguards again.
You may wish to transfer personal data from the EU to a country that has not been deemed "adequate" for transfers by the European Commission. If so, you'll need to put particular safeguards in place before you can do this.
Such safeguards fall into the following categories:
The safeguards should ensure that the rights of the people whose personal data is being transferred are protected. In particular, they should be able to take their case to court if their rights are infringed regardless of whether the court is in the EU or the third country.
The European Commission and supervisory authorities can produce standard data protection clauses that can be inserted into a contract.
Using these clauses doesn't mean that you can't also place other data protection clauses in your contract, or in a wider contract - so long as they don't contradict the standard data protection clauses you require.
A group of organizations or individuals might work together in pursuit of economic activity, with one member of this group having some power over another. This is known in the GDPR as a "group of undertakings."
Sometimes a group of undertakings can transfer personal data amongst its members, even if one member is based in the EU and another is based in third country that has not been approved by the European Commission.
To do this, it must have binding corporate rules in place. These binding corporate rules should follow the principles of the GDPR, and allow the people whose personal data is being transferred to enforce their rights.
The rules around international transfers should be waived in certain situations, such as where:
Certain public interest situations might also require third-country transfers. For example, where people's personal data is compiled in a legal register that can be consulted by the public or people with legitimate interests.
In such cases, only people who have a legitimate interest must be granted access to the register. The access should only extend to the relevant parts of the register to avoid exposing the personal data of too many people.
The rules around international transfers should be waived in certain public interest situations, for example between:
Third country data transfers are always legal where:
For reasons of public interest, EU Member States and the EU itself can prohibit certain types of personal data from being transferred to certain countries.
If you're a data controller, you may have a legitimate interest in making a certain third-country data transfer, so long as the transfer is non-repetitive and only affects a small number of people. However, you need to take certain things into account, for example:
Always consider whether you have some other option - such a transfer really should only occur in exceptional situations.
You should let the person whose data you're transferring know about the transfer as well as the relevant supervisory authority.
Whenever you're transferring someone's personal data to a third country whose data protection practices haven't been approved by the European Commission, you must find a way of ensuring that they can exercise their data rights once the transfer is complete.
In certain countries, there are data processing laws that supposedly apply to non-nationals. A situation might arise where an EU citizen is told to transfer personal data by a third country's court.
Where such a demand is made and the transfer would be illegal under the GDPR, it should not be considered lawful. It might even contradict international law. Therefore, the person should only comply where the rules around third-country data transfers are met.
It's particularly difficult for people to exercise their data rights in the case of cross-border data transfers. Supervisory authorities might find it difficult to investigate complaints and exercise their powers outside of their own EU Member State.
In light of this, supervisory authorities need to work together. There should be a spirit of cooperation between them, and legal and administrative mechanisms should be put in place to facilitate this cooperation.
Each EU Member State must establish and empower at least one supervisory authority that will exercise powers with complete independence.
While they should be able to act independently, supervisory authorities can have their budgets monitored and have legal claims brought against them.
If an EU Member State has established more than one supervisory authority, it must pass laws to ensure that they all comply with the GDPR's consistency mechanism. One of the supervisory authorities should be designated to take the lead on this.
A supervisory authority must have all the resources it needs to carry out its tasks. This includes money, people and premises. It should have its own annual and public budget which can be part of the overall national or state budget.
The process of appointing members of supervisory authorities should be set out in national law. It should be a transparent process that's carried out by a state institution such as a country's parliament or government.
Members of supervisory authorities must:
The supervisory authority should have its own staff team who are only to be instructed by the supervisory authority.
A supervisory authority must have the power and ability to carry out its duties under the GDPR. It needs to have the power and abilities to take effective action over:
A supervisory authority's duties include:
Supervisory authorities should be free to cooperate with each other and with the European Commission without any specific agreements on this made between Member States.
Certain personal data processing operations will take place, or affect people, across multiple EU Member States. For such operations, a lead supervisory authority is required.
The lead supervisory authority should cooperate with the other supervisory authorities involved in the operation, particularly where a complaint is lodged in an EU Member State of one of the other supervisory authorities.
The European Data Protection Board can issue guidance around how supervisory authorities should cooperate during such operations.
The GDPR grants the lead supervisory authority certain powers. It should be able to make binding decisions within the scope of these powers.
The lead supervisory authority should coordinate the other supervisory authorities involved in a data processing operation and make sure that they are all suitably involved.
Any decision to reject or partially reject a complaint ultimately falls to the supervisory authority with whom the complaint was lodged to carry out.
A group of supervisory authorities might have to deal with a complaint about a cross-border data processing operation. In such a situation, they should work together with their lead supervisory authority to come to a joint decision.
The data controller or processor who is the subject of the complaint will have their main establishment in a particular EU Member State. The joint decision will be directed there and will be binding on the data controller or processor concerned.
Non-lead supervisory authorities should be able to handle local matters, even if a data controller or processor is established across multiple EU Member States, so long as the issue only affects people in the supervisory authority's own EU Member State.
The lead supervisory authority must be informed about such cases immediately. It can then decide whether to handle the case itself. It should consider whether the data controller or processor has an establishment in the supervisory authority's EU Member State.
If the lead supervisory authority does decide to handle the case, the supervisory authority that received the complaint should submit a draft decision, which the lead supervisory authority should take into account.
This is known as the "one-stop-shop" mechanism.
The "one-stop-shop" mechanism, where a lead supervisory authority handles a complaint in another supervisory authority's Member State, should not be used when the complaint has been made against a public body acting in the public interest. Only the supervisory authority of the relevant EU Member State can handle such a complaint.
All supervisory authorities should have the same tasks and powers regarding data protection. These include powers to:
EU Member States should be able to specify other tasks for supervisory authorities, within the scope of the GDPR.
Supervisory authorities should be diligent in their investigations and consider the unique context of every complaint. Access to personal data or a company's premises may be necessary in the course of an investigation. This power of access is still subject to national law and may need to be authorized by a court.
A supervisory authority's powers should be clearly set out and justified. A supervisory authority should still be subject to legal claims like any other public body.
Other public authorities still have the right to prosecute data protection crimes.
Where a complaint has been lodged with a supervisory authority other than the lead supervisory authority, the lead supervisory authority should operate in-line with the GDPR's cooperation and consistency mechanisms.
The opinion of the other supervisory authority with whom the complaint has been lodged is extremely important, particularly when it comes to issuing sanctions and fines.
Some issues concerning cross-border data processing operations are entirely, or almost entirely, regarding matters that are contained within one EU Member State. A supervisory authority other than the lead supervisory authority might become aware of an issue of this sort within its own territory.
In such a situation, the supervisory authority should try to resolve the issue through good-natured dialogue with the data controller or processor concerned. If coming to a settlement in this way doesn't work, the supervisory authority can exercise its full range of powers.
Supervisory authorities should raise awareness about good data protection practices. Campaigns to raise awareness can be used to promote sector-specific practices among small and medium-sized organizations and to promote general education among the public.
Supervisory authorities should help each other wherever possible. If one supervisory authority has asked another for help and has not received it within a month, it can pass a provisional measure - a temporary order with legal effect.
Supervisory authorities should work together in joint operations where appropriate. If one supervisory authority requests this of another, the supervisory authority receiving the request must respond within a specified time period.
The GDPR calls for the establishment of a consistency mechanism to help supervisory authorities cooperate. It's particularly important to apply this mechanism where a supervisory authority intends to take action that will have legal effects on people across more than one Member State.
The European Commission can require that a matter is dealt with via the consistency mechanism. This doesn't prevent the Commission from exercising any of its other powers.
If there is some dispute during the application of the consistency mechanism, supervisory authorities and the European Commission can ask the European Data Protection Board for an opinion. It can also give such an opinion following a majority vote of its members.
The Board can also make legally binding decisions about such disputes. These must be passed by a two-thirds majority vote among its members.
In an urgent situation where the rights and freedoms of data subjects may be impeded, a supervisory authority can pass provisional measures. These are temporary orders with legal effect and specified timeframes that should not exceed three months.
In an emergency that is relevant across more than one Member State, joint operations can take place between supervisory authorities without the need to trigger the GDPR's consistency mechanism.
The GDPR establishes the European Data Protection Board - an EU body with legal rights and obligations. It replaces the Article 29 Working Party. Its jobs are to:
The Board consists of the head of one supervisory authority from each EU Member State, plus the European Data Protection Supervisor.
The Board should act independently. The Commission can attend its meetings but cannot vote.
The European Data Protection Supervisor provides the European Data Protection Board with a secretariat. The Secretariat works exclusively under the instruction of the Chair of the European Data Protection Board.
Everyone in the EU has the right to lodge a complaint with their supervisory authority if they feel that their data rights have been infringed. They also have a right to take their case to court - including if the supervisory authority rejects their complaint or fails to properly deal with it.
Investigations about the way a supervisory authority has handled a complaint are conducted by judicial review. The supervisory authority should keep the person who has made the complaint informed about:
Each supervisory authority should take measures such as providing complaint submission forms that can be completed electronically.
When an individual brings a court case against a supervisory authority, data controller or processor, they have the right to be supported by a not-for-profit organization. This organization should be involved in data protection and have objectives that serve the public interest.
EU Member States must also allow this organization to lodge complaints with supervisory authorities on behalf of individuals. The organization may not claim compensation for itself.
People in the EU can request a judicial review (known in EU law as an "action for annulment") of decisions made by the European Data Protection Board. The review will be carried out by the Court of Justice of the European Union. This right also extends to supervisory authorities.
There are restrictions on the right to bring an action for annulment. The decision of the Board must be of "direct and individual concern" to the person or organization making the request.
In addition to this right to request an action for annulment before the Court of Justice, it's possible to take a supervisory authority to a national court. The case should be brought in the supervisory authority's own EU Member State. The case might concern:
Opinions that have been given or advice that has been offered by the supervisory authority cannot be taken up in court.
Where a court case relates to how the GDPR has been implemented, EU Member States' courts should request a ruling from the Court of Justice. Under certain conditions, they are required to do this.
If the court is dealing with a case about a decision of the Board, it can't declare the decision invalid without requesting a ruling from the Court of Justice. However, it can't make such a request if the plaintiff had the opportunity to request an action for annulment and failed to do so.
The following situation might occur: a national court is dealing with a case brought against a data controller or processor. It becomes aware that in a different EU Member State, another related case is pending.
In such a situation, the first court should contact the second court to confirm this. The second court can then choose to suspend proceedings. The first court can take up the court on the second court's behalf.
Proceedings are considered to be related when they are so closely connected that hearing and determining them together leads to greater efficiency and avoids the risks that two different judgments result for the same issue.
When taking a data controller or processor to court, a person can choose whether to take them to court in the EU Member State that they reside in or the EU Member State in which the data controller or processor is based.
This doesn't apply where the defendant is a public body.
If you're a data controller or processor, you must pay damages to people you harm by breaching the GDPR unless you can prove the damage wasn't your fault in any way.
If more than one data controller and/or processor is involved in the same data processing operation, any damages that they have to pay may be divided between them by a court. However, they're all liable for the total damage caused. This means that it might be necessary for one member of the operation to pay the total amount of damages. It can then take the others to court to retrieve their share.
The GDPR gives specific rules about where court cases concerning data protection can take place. Another EU regulation, known as the Recast Brussels Regulation also sets out some rules about where court cases should take place within the EU. The GDPR's rules take priority in this context.
Fines can be issued to anyone who infringes the GDPR. Reprimands can also be issued for minor infringements.
Several factors can be into account when deciding whether to impose a fine and how much a fine should be. For example,
The character of the data controller or processor who committed the infringement should also be considered. For example, whether it:
Any fines or reprimands issued are subject to EU law.
EU Member States can make national criminal laws which punish infringements of the GDPR. For example, the confiscation of profits earned by breaking data protection law.
However, no-one should be punished for the same crime twice.
Supervisory authorities have the power to issue fines, and the GDPR sets out the upper limit of such fines. They should take all relevant circumstances into consideration. The consistency mechanism can be used in relation to fines.
If the recipient of the fine is an individual, a supervisory authority can take their financial position into account and adjust the fine accordingly.
EU Member States can individually decide whether public authorities should receive fines.
Denmark and Estonia's national legal systems mean that GDPR fines have to be administered somewhat differently than elsewhere.
In Denmark, the fines are issued in a court as a criminal penalty. Estonia has a framework for punishing misdemeanors and the fines are issued that way.
The effect is the same - infringements of the GDPR are subject to a fine in all EU Member States.
EU Member States can have their own systems of fines, established by law, for where the system set out in the GDPR falls short.
Because of the need to balance data protection and freedom of expression, allowances should be made for certain professions, including:
EU Member States should provide legal exemptions to certain rules in the GDPR for these professions or people engaged in these activities.
This means that such laws might vary between Member States. However, such laws should be broad enough to ensure that the GDPR doesn't fetter freedom of expression.
The GDPR shouldn't prohibit public access to official documents - even if they contain personal data.
Another EU law known as the Public Sector Information Directive remains in force and is not affected by the GDPR.
EU Member States can make specific rules when it comes to the processing of personal data in the context of employment. Certain situations where there might be exceptions to the GDPR include:
There are certain workplace obligations that also might require exceptions to the GDPR such as:
Technical measures and safeguards are required to ensure data minimization where personal data is processed for archiving in the public interest, scientific or historical research, and statistical purposes.
EU Member States can require particular conditions under which people can exercise their data rights in relation to these types of data processing. People might have to go through a process in order to be able to exercise their rights.
Personal data can be processed for these purposes even where it wasn't obtained for these purposes so long as the person from whom the data was collected is no longer identifiable.
Significant health and social benefits can result from processing personal data in the context of scientific research. Where researchers need to process personal data from registries in pursuit of such benefits, this should be allowed. Appropriate safeguards should be set out in national law.
The GDPR applies to the processing of personal data for archiving purposes. Public authorities, public bodies and private bodies that hold archived records of public interest must abide by Union and Member State law and are obligated to acquire, preserve, arrange, communicate and provide access to these records for the general public interest.
EU Member States are allowed to archive personal data in order to provide information about former dictatorships and war crimes, even where the personal data was not collected for this purpose.
The GDPR applies to scientific research, and this term should be interpreted broadly to encompass:
The GDPR applies to historical research - but bear in mind that it doesn't apply to deceased people.
Clinical trials are covered by the another EU regulation known as the Clinical Trials Regulation.
The GDPR applies to the processing of personal data for statistical purposes. EU Member States can regulate processing for statistical purposes in their national laws in order to safeguard people's confidentiality.
Statistical processing of personal data produces non-personal data from which no individual person can be identified. That data can then be used for further processing, including for scientific research.
Personal data is collected to produce statistics on a European and national level. This data is confidential and should be protected. Another EU regulation, known as the European Statistics Regulation, and the Treaty of the European Union provide specific rules on statistics that should be adhered to.
Supervisory authorities are empowered to gain access to personal data in the course of their investigations. However, some professions have rules about confidentiality.
Because of this, EU Member States can make laws that prevent supervisory authorities from gaining access to personal data stored under these circumstances.
Certain churches and religious associations have a special position in the constitutional law of certain EU Member States. The GDPR doesn't affect this.
The European Commission has the power to pass particular delegated acts. Delegated acts are used to make non-essential changes to existing laws.
The Commission has the power to adopt delegated acts in relation to:
The Commission must consult experts when preparing to pass delegated acts. It should communicate with the European Council and the European Parliament in an efficient way.
The European Commission has the power to implement certain parts of the GDPR. It can do this by passing implementing acts.
Where the European Commission is exercising its power to pass implementing acts, the examination procedure should be used in relation to particular issues, including:
The examination procedure is a method by which the EU Member States can control the way the Commission implements EU law. It's set out in another EU regulation known as the Comitology Regulation.
The European Commission can immediately pass implementing acts where it urgently needs to indicate that a third country is not a suitable place to which to transfer data from the EU.
The GDPR is enacted in accordance with the principles of subsidiarity and proportionality.
Subsidiarity is a key principle of EU law. The idea is that some objectives (such as a protected but free flow of personal data throughout the Union) can't be achieved at a national level and are better tackled at an EU-wide level. The EU can only act in relation to such objectives. This is supposed to protect the power of Member State governments.
Since the objective of the GDPR is to equalize standard data protection across all of the EU Member States and this can only be achieved at EU level, the GDPR is consistent with the principle of subsidiarity.
Proportionality is another key principle of EU law. It states that the EU should only act as far as necessary to achieve a given objective.
Because it does not go further than necessary to achieve its main objectives, the GDPR is consistent with the principle of proportionality.
The GDPR replaces the Data Protection Directive. There was a two year adjustment period from 25 May 2016 to 25 May 2018 to allow individuals and organizations to adapt to the new law.
One key difference between the two laws is the requirements around gaining consent. If you obtained consent under the Data Protection Directive, you don't necessarily need to obtain it again, so long as you obtained it in such a way that it was GDPR-compliant. If the way you obtained consent was not GDPR-compliant, you may need to re-obtain this consent.
The European Data Protection Supervisor was consulted in relation to the drafting of the GDPR and delivered an opinion on it on 7 March 2012.
The GDPR covers all aspects of data protection that aren't covered by another EU law known as the ePrivacy Directive. This directive is under review following the adoption of the GDPR and should be amended to remain consistent with the GDPR.
*Please note that the Recital titles used here are not official
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.