Good day and welcome to this installment of the GDPR series where we are covering a few articles each post! For those of you who are new to DPP, we take a look at a segment of a relevant privacy or security regulation, or recent event, and determine how it applies to our lives. Below is the detail for each article within the regulation.
Article 1: Subject Matter and Objectives
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Article 2: Material Scope
- This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
- This Regulation does not apply to the processing of personal data:
- in the course of an activity that falls outside the scope of Union law;
- by the Member States when carrying out activities that fall within the scope of Chapter 2 of Title V of the TEU;
- by a natural person in the course of a purely personal or household activity;
- by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
- For the processing of personal data by the Union institutions, bodies, offices, and agencies, Regulation (EC) No 45/2001 applies (that regulation has since been replaced by Regulation (EU) 2018/1725). Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
- This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Article 3: Territorial Scope
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 4: Definitions
- This article defines the terms used throughout the Regulation. See the table below for the terms and their definitions.
- Knowing these definitions is what makes the other 98 articles readable, since nearly every obligation is framed in terms of a controller, a processor, a data subject, or a particular kind of personal data.
KEY TERM | DEFINITION |
---|---|
Personal Data | Any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. |
Processing | Any operation or set of operations which is performed on personal data or on sets of personal data. This can be done manually or automatically and includes collection, recording, storage, use, erasure, or other related actions. |
Restriction of Processing | Marking data so that the processing of it is limited in the future. |
Profiling | Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, and behavior. |
Pseudonymization | Processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information (for example, a key or a lookup table), provided that this additional information is kept separately and is protected by technical and organizational measures that prevent the data being attributed to an identified or identifiable person. Pseudonymized data is still personal data; only the re-identification step has been moved behind a separately guarded secret. |
Filing System | Any structured set of personal data which are accessible according to specific criteria, centralized, decentralized, or dispersed on a functional geographical basis. |
Controller | Natural or legal person, public authority, agency or other body which, alone or jointly, determines the purposes and means of the processing of personal data. If the purposes of such processing are determined by the Union or Member State, the Union or Member State will provide specific criteria. |
Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
Recipient | A natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. Public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients. |
Third Party | A natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process personal data. |
Consent | Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of their personal data. |
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
Genetic Data | Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from that person. |
Biometric Data | Personal data resulting from specific, technical processing relating to the physical, physiological or behavioral characteristics of a natural person that would allow or confirm the identity of that natural person. |
Data Concerning Health | Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status. |
Main Establishment | This can be one of two definitions: a) For a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment in the Union that has the power to have them implemented, in which case that establishment is the main establishment. b) For a processor with establishments in more than one Member State, the place of its central administration in the Union or, if it has none, the establishment in the Union where the main processing activities take place. Note: Refer to Article 4 in the Regulation for additional detail |
Representative | A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with respect to their obligations under this Regulation. |
Enterprise | A natural or legal person engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity. |
Group of Undertakings | Controlling undertaking and its controlled undertakings. |
Binding Corporate Rules | Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. |
Supervisory Authority | An independent public authority which is established by a Member State pursuant to Article 51. |
Supervisory Authority Concerned | A supervisory authority which is concerned by the processing of personal data because: a) the controller or processor is established on the territory of that supervisory authority’s Member State b) data subjects residing in that Member State are substantially affected, or likely to be substantially affected, by the processing c) a complaint has been lodged with that supervisory authority Note: Refer to Article 4 in the Regulation for additional detail |
Cross-Border Processing | This can be one of two definitions: a) Processing that takes place in the context of the activities of establishments in more than one Member State of a controller or processor established in more than one Member State b) Processing in the context of the activities of a single establishment in the Union which substantially affects, or is likely to substantially affect, data subjects in more than one Member State Note: Refer to Article 4 in the Regulation for additional detail |
Relevant and Reasoned Objection | An objection raised by a supervisory authority to a draft decision as to whether there is an infringement of this Regulation, or whether the envisaged action in relation to the controller or processor complies with it, which clearly demonstrates the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union. |
Information Society Service | A service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535: any service normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient of services. |
International Organization | An organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. |
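Article 4 describes pseudonymization as a property of the processing (the data cannot be attributed to a person without additional information that is held separately) rather than as a particular technique. The following is an added example written for this post, not code from the Regulation or from any project, showing one common way to satisfy that definition: direct identifiers are replaced with a keyed HMAC, and the key and the re-identification table are kept apart from the working data set. The records, field names and the `subject_id` column are constructed for the illustration and are not real people or a real schema.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (not real people): the kind of study data a
# clinic might hold about a participant. Field names are assumptions.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Harvey Specter", "email": "harvey@example.com", "condition": "hypertension"},
    {"name": "Ross Geller", "email": "ross@example.com", "condition": "asthma"},
]

# Fields that identify the person directly and must not reach the working data set.
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonymisation_key() -> bytes:
    """Generate the 'additional information' that must be stored separately.

    Without this key nobody can recompute a subject_id from an e-mail address,
    which is what makes the working data set pseudonymised rather than hashed.
    """
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed HMAC-SHA256 of a normalised direct identifier.

    A plain hash would let anyone with a list of candidate e-mail addresses
    re-identify subjects; the secret key blocks that dictionary attack.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split records into (working data set, re-identification table).

    The first result is what analysts and partner systems receive.  The second
    is the separately held additional information that allows attribution and
    must sit behind its own access controls, together with the key.
    """
    working: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        subject_id = pseudonym(key, rec["email"])
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = subject_id
        working.append(stripped)
        lookup[subject_id] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, lookup


def reidentify(lookup: Dict[str, Dict[str, str]], record: Dict[str, str]) -> Dict[str, str]:
    """Attribute a working record back to a person; only possible with the table."""
    return lookup.get(record["subject_id"], {})


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    working, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("working data set (no direct identifiers):", working)
    print("re-identified first record:", reidentify(lookup, working[0]))
```

Two points the example makes concrete. First, the same person always maps to the same `subject_id`, so records remain linkable; that is intended, and it is why pseudonymised data is still personal data under the Regulation. Second, the security of the scheme rests entirely on keeping `key` and `lookup` away from whoever holds the working data set; if they are stored alongside it, nothing has been pseudonymised in the Article 4 sense.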
How does this apply to you and me?
Article 1 (The WHAT): This article imposes no obligations on you and me; it states the purpose of the Regulation. The operative articles that follow are the ones that actually affect natural persons.
Article 2 (The WHEN and HOW): This article sets the material scope of the Regulation, that is, which kinds of processing it covers and, basically, when and how it applies. It also lists the processing that falls outside the Regulation; working out whether a given activity falls under one of those exclusions is a question for a practicing lawyer or privacy officer.
Article 3 (The WHERE): Of the four articles seen here, this one pertains to you and me the most because it sets the territory in which the Regulation applies. Note that the test is not citizenship. The Regulation applies to processing by any organization established in the Union, wherever the processing physically happens, and to organizations outside the Union that offer goods or services to, or monitor the behavior of, people who are in the Union. So if you work for, or process data on behalf of, such an organization, the data you handle about people in the Union is within scope, as is processing in a place where Member State law applies by virtue of public international law.
Article 4 (The TERMS): Although this article doesn’t explicitly apply to us, especially since I’m not a Union citizen, the definitions are important to understand, or at least know, if you’re affected by this regulation and it affects your job. Some important terms are:
- Anyone whose personal data a company holds, for example a customer who signs up for a subscription, is a Data Subject.
- Whoever decides why personal data is collected and how it is used, which in practice means the company collecting and maintaining it, is the Controller.
- Anyone who handles that data on the controller’s behalf and under its instructions, such as a vendor or a partner lab, is a Processor. Using the data to make your own decisions about the person is a controller activity, not a processor one.
- Any data that can be attributed to you, such as your name, is Personal Data.
BACK TO HARVEY AND ROSS
If we take a look back at the example from the first article we wrote, we can see that this case occurs within the Union, and therefore GDPR applies (Article 3). The collection and processing of Harvey’s data by Ross (Article 2) is subject to the articles of the Regulation. Harvey is the “Data Subject,” while Ross is the “Data Controller,” since his clinic decides why Harvey’s data is collected and how it is used, and is responsible for maintaining it (Article 4). The partner lab used by Ross’s clinic is a “Data Processor,” not simply because it handles the data, but because it does so on the clinic’s behalf and under its instructions rather than for purposes of its own. All data Harvey provided for the study that could identify him, such as his name and his health conditions (the latter also being “Data Concerning Health” under Article 4), is “Personal Data.” Harvey gave his consent to the collection and processing of his data, which Ross’s clinic organized into a filing system.
In the next newsletter, we will see what different processing criteria are required by Ross to ensure compliance with Article 5, as well as the lawful considerations, of which are defined in Article 6, around the collection and processing of our personal information.
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.