The European Union’s (‘EU’) General Data Protection Regulation (‘GDPR’) regulates the processing of personal data relating to individuals in the EU, whether the processing is carried out by an individual, a company or another organization.
The rules do not apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home (the so-called household exemption).
As soon as an individual uses personal data outside the personal sphere, for example for socio-cultural or financial activities, data protection law has to be respected.
Personal data is any information that relates to an identified or identifiable living individual.
Separate pieces of information that, when collected together, can lead to the identification of a particular person also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymized but can still be used to re-identify a person remains personal data and falls within the scope of the law. Only data that has been anonymized in such a way that the individual is no longer identifiable falls outside it.
The new law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organized in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of personal data:
Name and surname
Identification card number
Internet Protocol (IP) address
Advertising identifier of your phone
Data held by a hospital or doctor, including a symbol or code that uniquely identifies a patient
Processing covers all operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The GDPR applies to the processing of personal data wholly or partly by automated means, as well as to non-automated processing where the data forms part of a structured filing system.
Examples of processing:
Staff management and payroll administration
Access to/consultation of a contacts database containing personal data
Sending promotional emails
Shredding documents containing personal data
Posting/putting a photo of a person on a website
Storing IP addresses or MAC addresses
Video recording (CCTV)
Generally speaking, the main contact point for questions on data protection is the Data Protection Authority (DPA) in the EU Member State where your company/organization is based. However, if your company/organization processes data in several EU Member States, or is part of a group of companies established in different EU Member States, the main contact point may be a DPA in another EU Member State.
The rules also reach beyond the EU: organizations established outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, fall within the scope of the GDPR as well. This and further information can be found on the EU website.
The information given above is incomplete and only sets out the rough lines; specific and detailed information can be found at: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en