Did you Know?
After four years of deliberation, the European Union (EU) has finalised, and will put into force on May 25 2018, strict legislation (Regulation 2016/679) for protecting EU citizens against misuse of their personal data and privacy rights.
EDC News: EU General Data Protection Regulation (GDPR)
Statistics (2016) have shown that over a quarter (28%) of EU-28 internet users refused to provide personal information over the internet. EU citizens, regardless of the EU Data Protection Directive 95/46/EC, are still wary about the personal data companies are collecting about them and how it is being used (EC Fact sheet – GDPR). In consideration of these concerns, the EU enhanced the 1995 Data Protection Directive, which is now the General Data Protection Regulation (GDPR). The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The GDPR will automatically bind all Member States once it is enforced on 25 May 2018.
An important feature of the GDPR is the provision of rights aimed at giving EU citizens more control over their personal data:
- Right to be informed about what is being done with your data (Articles 13 & 14)
- Right to access your data (Article 15)
- Right of rectification (Article 16) allows citizens to modify already submitted data where they deem fit
- Right to Erasure, aka Right to be forgotten (Article 17), allows EU citizens to ask for the removal or erasure of their data, subject to exceptions for certain data, e.g. criminal records, police reports, etc.
- Right to data portability (Article 20) allows citizens to transfer their data from one enterprise to another in a readable format
- Right to restrict processing (Article 18) allows customers to restrict the processing of data if it is incorrect, there is no need for the data, and the processing is unlawful (GDPR specifies when this is so)
- Right to object (Article 21) to the data that is being held or the way it is being used
- Right related to Automated Decision Making and Profiling (Article 22) protects customers from being subjected to decisions that are based solely on automated processing
- Right related to Data Breach Notification (Article 34), which ensures the data controller reports breaches that are likely to result in a high risk to the rights and freedoms of the data subjects
Similarly, the GDPR states that companies must adhere to data protection legislation (“privacy by design”) when designing their systems. Failure to implement these rules will lead to heavy fines.
For more information:
- Handbook on European data protection law - 2018 edition, European Union Agency for Fundamental Rights (FRA)
- Summary of key components in the GDPR, EU GDPR portal
- New laws under GDPR and how they differ from the previous data protection law (DIR 95/46/EC), EU GDPR portal
- Frequently asked questions about GDPR, EU GDPR portal
- Data protection: Rules for the protection of personal data inside and outside the EU, European Commission
- 2018 reform of EU data protection rules, European Commission
- What does the General Data Protection Regulation (GDPR) govern?, European Commission
- Rights for citizens: Find out how your personal data is protected, the rights that help you take back control of your data and what to do if things go wrong in GDPR, European Commission
- Data transfers outside the EU, European Commission
- What are Data Protection Authorities (DPAs)?, European Commission
- Rules for business and organisations, European Commission
- Data protection and privacy information on how your personal data can be collected and processed, EUROPA
- Data protection reform: Parliament approves new rules fit for the digital era, European Parliament Press room
- EU statistics on internet usage and concerns relating to data protection, Eurostat Statistics Explained