GDPR: General Provisions of the Regulation (1-4)

Good day and welcome to this installment of the GDPR series where we are covering a few articles each post! For those of you who are new to DPP, we take a look at a segment of a relevant privacy or security regulation, or recent event, and determine how it applies to our lives. Below is the detail for each article within the regulation.

Article 1: Subject Matter and Objectives

  1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
  2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
  3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 2: Materiality Scope

  1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
  2. This Regulation does not apply to the processing of personal data:
    • in the course of an activity that falls outside the scope of Union law;
    • by the Member States when carrying out activities that fall within the scope of Chapter 2 of Title V of the TEU;
    • by a natural person in the course of a purely personal or household activity;
    • by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
  3. For the processing of personal data by the Union institutions, bodies, offices, and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
  4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Article 3: Territorial Scope

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    • the monitoring of their behavior as far as their behavior takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 4: Definitions

  1. This article defines the terms used throughout the Regulation. See the table below for the terms and definitions in this article.
  2. This article helps the reader understand the terms as they are used in the other 95 articles.
Key terms and definitions:

  Personal Data: Any information relating to an identified or identifiable natural person. A “natural person” is any individual who can be identified, directly or indirectly, through references such as a name, location data, or economic or health-related data.

  Processing: Any operation or set of operations performed on personal data or on sets of personal data. This can be done manually or by automated means and includes collection, recording, storage, use, erasure, or other related actions.

  Restriction of Processing: Marking stored personal data so that its processing is limited in the future.

  Profiling: Any form of automated processing of personal data used to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, and behavior.

  Pseudonymization: Personal data that can no longer be attributed to an individual person (the data subject) because the identifying information has been replaced with pseudonyms. Profiling an individual is not possible unless additional data is collected.

  Filing System: Any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

  Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes of such processing are determined by Union or Member State law, that law will provide specific criteria.

  Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  Recipient: A natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. Public authorities receiving personal data in accordance with Union or Member State law are not considered “recipients.”

  Third Party: A natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, and the persons who are authorized to process the data.

  Consent: A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, through a statement or a clear affirmative action, signify their agreement to the collection and processing of their personal data.

  Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  Genetic Data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that person and which result from an analysis of that natural person.

  Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm the identity of that natural person.

  Data Concerning Health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status.

  Main Establishment: This can be one of two definitions:
    a) The place of the controller’s central administration within the Union, or the establishment where the decisions regarding the processing of personal data are taken and implemented.
    b) The central establishment of a processor within the Union if data processing occurs in multiple Member States.
    Note: Refer to Article 4 in the Regulation for additional detail.

  Representative: A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with respect to their obligations under this Regulation.

  Enterprise: A natural or legal person engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity.

  Group of Undertakings: A controlling undertaking and its controlled undertakings.

  Binding Corporate Rules: Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for a transfer or set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity.

  Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51.

  Supervisory Authority Concerned: A supervisory authority which is concerned by the processing of personal data because:
    a) the controller or processor is domiciled in that Member State;
    b) data subjects domiciled in the Member State of the supervisory authority are substantially affected, or likely to be affected, by the processing; or
    c) a complaint has been lodged with that supervisory authority.
    Note: Refer to Article 4 in the Regulation for additional detail.

  Cross-Border Processing: This can be one of two definitions:
    a) Processing of personal data in more than one Member State.
    b) Processing of personal data in a single Member State that affects data subjects in multiple other Member States.
    Note: Refer to Article 4 in the Regulation for additional detail.

  Relevant and Reasoned Objection: An objection raised where the processing and/or collection of personal data is not in compliance with this Regulation.

  Information Society Service: Any service normally provided for compensation, usually monetary, by electronic means and at the individual request of a recipient of that service.

  International Organization: An organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Definitions were taken directly from the Regulation.

How does this apply to you and me?

Article 1 (The WHAT): This doesn’t apply to you and me because it outlines the purpose of the Regulation. The other articles would pertain to natural persons.

Article 2 (The WHEN and HOW): This article pertains to the scope of the Regulation and the materiality of that scope, that is, when and how this Regulation applies. It also outlines the kinds of data processing to which this Regulation does not apply, a question better suited to a practicing lawyer or privacy officer.

Scope of the Regulation

Article 3 (The WHERE): Of the four articles covered here, this one pertains to you and me the most because it outlines the territory in which the Regulation applies. Any individual who is a Union citizen, who processes data of a Union citizen, who is employed by or associated with an organization and processes personal data of a Union citizen on behalf of that organization, or who is in a Member State where the law applies, would fall within the territorial scope of this Regulation.

Article 4 (The TERMS): Although this article doesn’t explicitly apply to us, especially since I’m not a Union citizen, the definitions are important to understand, or at least know, if this regulation affects you or your job. Some important terms are:

Data Subjects come in all shapes and sizes
  1. Anyone who is a customer and provides any kind of data to a company, like a subscription, would be considered a Data Subject.
  2. Anyone collecting and maintaining data would be considered a Controller.
  3. Anyone manipulating data, or using it to make decisions, would be considered a Processor.
  4. Any data that can be attributed to you, such as your name, would be considered Personal data.

BACK TO HARVEY AND ROSS

If we take a look back at the example from the first article we wrote, we can see that this case occurs within the Union, and therefore GDPR would apply (Article 3). The processing and collection of Harvey’s data by Ross (Article 2) would be subject to the articles listed in the Regulation. Harvey would be considered the “Data Subject,” while Ross would be considered the “Data Controller” since he is primarily responsible for the collection and maintenance of Harvey’s data (Article 4). The partner lab used by Ross’s clinic would be considered a “Data Processor” since it is, in some way, using and manipulating personal information. All data provided by Harvey for the study that could identify him, such as his name, health conditions, etc., would be considered “Personal Data.” Harvey gave his consent to the collection and processing of his data, which Ross’s clinic used to create a filing system.

In the next newsletter, we will see what processing criteria Ross must meet to comply with Article 5, as well as the lawfulness requirements defined in Article 6 around the collection and processing of our personal information.

See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.