SHEET 12
General Data Protection Regulation

12.1 Definition and Scope

The General Data Protection Regulation (GDPR) is meant to ensure that data protection does not create an impediment to the free movement of data within the EU (Art 1). One of its main purposes is to define the rules that protect a natural person's data. This person is referred to as data subject. Other key actors are the data controller, ie the entity collecting and owning the data, and the data processor, ie the entity analysing the data, which might or might not be the same as the controller (Art 4).

The regulation applies mostly to electronically held personal data, with some exceptions (Art 2), and where either controller or processor is established in the EU, regardless of whether the processing takes place in the EU or not. It also applies to controllers or processors not established in the EU where it relates to (a) offering paid or unpaid goods or services in the EU or (b) monitoring data subjects' behaviour to the extent that behaviour takes place in the EU (Art 3).

12.2 Definition of Data

For the purpose of this regulation, personal data is defined as (Art 4):

any information relating to an identified or identifiable natural person

where the definition of ‘identifiable natural person’ is very broad (Art 4):

one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The regulation also defines ‘special personal data’ as (Art 9):

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

12.3 Pre‐requisites of Data Collection—Purpose and Consent

Personal data must be (Art 5):

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘data lawfulness, fairness, and transparency’)
  • for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’)
  • accurate and, where necessary, kept up to date (‘data accuracy’)
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘data integrity and confidentiality’).

Compliance with the above rules is the responsibility of the controller (‘data accountability’).

Data processing is only lawful if at least one of the following conditions applies (Art 6):

  1. the data subject has given consent
  2. for performing a contract
  3. to comply with the controller's legal obligations
  4. to protect vital interests of data subject or another natural person
  5. to perform a task in the public interest/under official authority
  6. where there is a legitimate interest by the controller that is not overridden by the interests of the data subject.

The conditions 3–5 above are clarified in EU or Member State law, and may be subject to additional provisions (Art 6). If a controller wants to process data for other reasons than those for which it was originally collected he has to take into account a number of specific provisions (Art 6.4).

The term ‘consent’ in this context is defined as (Art 4):

any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Where processing is based on consent, the controller must be able to prove that consent was given. If consent is requested in a communication that also concerns other matters, eg other terms and conditions, then it must be presented in a manner that is clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language. Data subjects cannot consent to terms that infringe this Regulation. They have the right to withdraw consent at any time, and it shall be as easy to withdraw as to give consent. Finally, when assessing whether consent was freely given, it is important to consider whether the data requested is necessary for the performance of the contract (Art 7). Children can only consent from the age of 16; below that, parental consent is necessary (Art 8).

By default, processing of special personal data as defined above is prohibited. There are, however, a number of exceptions to this, for example when the data subject has given explicit consent to this and was allowed to give such consent under applicable local law, when the data subject has already made such data manifestly public, or for other specified public interest reasons (Art 9). Similarly, processing of data relating to criminal convictions is subject to specific rules (Art 10).

Communication by the data controller to their customers in this context must be in a concise, transparent, intelligible and easily accessible form, and it must use clear and plain language, in particular for any information addressed specifically to a child. Information must be provided without undue delay and in any case within one month of a request. If the controller decides not to take action upon receipt of a request, he has to inform the person making the request, within the same time frame, of the reason for doing so. Where requests are unfounded or excessive—in particular because of their repetitive character—the controller can either charge a reasonable fee, or deny the request. The burden of demonstrating that a request is excessive rests with the data controller. Where a data controller has doubts regarding the identity of the person making the request, he may request the additional information necessary to confirm that identity. If icons are used to identify eg data categories, those icons must be machine‐readable (Art 12).

12.4 Information Requirements

Where personal data is collected directly from the data subject, they have to be provided with specific information at the time the data is requested (Art 13). Similar, though slightly different, information has to be provided—subject to certain exclusions—to the data subject if the data has been collected from third‐party sources. In this case, the information must be provided at the latest in the first communication with the data subject, when the data is disclosed to a third party, or one month after the data has been collected, whichever of those is earlier (Art 14).

Any data subject has the right to know whether a controller holds their personal data, and—if this is the case—obtain specific information about the data held, as well as a copy of the data itself (Art 15). Where data is incorrect or incomplete, the data subject has a right to have it amended (Art 16). Under certain circumstances a data subject has the right to be forgotten, ie the right that a controller erases all their personal data (Art 17). Under certain circumstances the data subject can also require the controller to restrict processing of the subject's data, usually until certain conditions are fulfilled (Art 18). Controllers must forward those requests to processors as appropriate and feasible (Art 19).

12.5 Rights of the Data Subject

Where a data subject has provided data to a controller, they are entitled to receive it back in a structured, commonly used and machine‐readable format and they have the right to transmit the data to another controller, without hindrance by the controller from whom the data has been received.

Data subjects have, in situations where the data processing is based on points 5 or 6 above, the right to object to such processing, with the burden of proof of legitimacy falling on the data controller. In cases where data processing is used for direct marketing, it must cease when the data subject complains. Those rights must be brought to the data subject's attention (Art 21).

Data subjects usually have the right to object to fully automated decision making in cases where the decision has significant impact, one important exception being if it is necessary for entering into, or performance of, a contract between the data subject and a data controller (Art 22). There are a number of specific public policy reasons that—if enshrined in local law—restrict the rights of data subjects vis‐à‐vis processing of their personal data (Art 23).

12.6 Data Controller Requirements

Data controllers must implement and document measures to fulfil their specific responsibilities under this regulation. Those measures must be updated regularly (Art 24). In particular, they must implement appropriate technical and organisational measures (examples mentioned are data minimisation and pseudonymisation) to fulfil those responsibilities. An approved certification mechanism can be used to demonstrate compliance (Arts 25, 42). Joint controllers must all implement the necessary measures. In addition, they must have an explicit arrangement in place which defines their respective responsibilities. Data subjects can choose against which controller to exercise their rights (Art 26). Generally, controllers and processors not resident within the EU must appoint a local representative, located in one of the Member States where the data subjects reside (Art 27). Every controller must keep a specified log of all data processing activities under their responsibility (Art 30).

Processors can only engage subprocessors after explicit consent by the controller, and doing so is subject to requirements similar to those for engaging processors. In any case, the ultimate master processor retains full liability vis‐à‐vis the controller and the data subject (Art 28). A processor can only process data under specific instruction from the controller (Art 29). A processor must take appropriate steps—eg encryption, pseudonymisation, regular back‐ups—to ensure a level of data security and availability that is appropriate considering the risks and their possible impact (Art 30). Data breaches must always be reported to the regulator, and usually to the impacted customers (Art 31).

In particular where new technologies are used, and the impact is possibly large—eg large‐scale processing of special data as defined above, or systematic monitoring of a publicly accessible area on a large scale—an impact assessment must be performed prior to processing (Art 35). If the assessment indicates that the processing would result in high risk unless special measures are taken, the controller must consult with their supervisor prior to processing, inter alia to discuss the appropriateness and effectiveness of such measures (Art 36).

Both controllers and processors can—and in some cases must—designate a data protection officer whose role and responsibilities are described in the regulation (Arts 37–39). Member States and supervisors must encourage the drawing up of codes of conduct, the implementation of which is monitored by appropriate institutions (Arts 40, 41). Member States, supervisors and the Commission encourage the establishment of data protection certification mechanisms and of data protection seals and marks for the purpose of demonstrating compliance with this regulation. Those certificates are voluntary and available via a transparent process (Arts 42, 43).

12.7 Transfer to Third Countries

Data can only be transferred to third countries if specific conditions are fulfilled (Art 44). If data is transferred to a third country that has been subject to an adequacy decision by the Commission then no additional steps need to be taken—such transfers are always lawful (Art 45). Where such a decision is not available, data may only be transferred if certain specific safeguards are fulfilled (Arts 46, 47). Third‐country court orders are only recognised or enforceable if they are based on an international agreement, eg a mutual legal assistance treaty (Art 48). There are a number of derogations that allow third‐country data transfer even if the above conditions are not fulfilled, eg explicit consent by the data subject, it being necessary for the performance of a contract with the data subject, or public interest reasons (Art 49).

On a technical note, if a data processor no longer requires the identification of a data subject they are not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation (Art 11).

12.8 Role of Supervisors

Controllers and processors must cooperate with the supervisors when asked to do so (Art 31). Supervisors must cooperate internationally (Art 51). Member States establish one or more supervisors according to a specific set of criteria (Arts 52–59). Where multiple supervisors are involved they operate under the direction of a lead supervisor (Arts 60–62).

The EU establishes the European Data Protection Board (Arts 68–76) that ensures the consistent application of this regulation throughout the EU (Arts 63, 67, 70). It does this inter alia by issuing opinions (Art 64), and by putting in place a dispute resolution mechanism between national supervisors (Art 65).

Data subjects have the right to lodge complaints with a supervisory authority. It is their choice whether they want to lodge at the place of their habitual residence, their place of work, or the place of the alleged infringement (Art 77). Every legal or natural person—data subjects or others—has a right to appeal supervisory decisions in the court of the country where the supervisor is established. Data subjects also have the right to appeal to a court if the supervisor does not handle a complaint within three months (Art 78).

Notwithstanding other settlement mechanisms, data subjects have a right to bring proceedings against controllers and processors in court, either in a country where said controller or processor has an establishment, or—unless it is against a public authority—the country of the data subject's habitual residence (Art 79). Data subjects have the right to mandate certain not‐for‐profit organisations to represent them in court (Art 80). If there are proceedings against the same controller or processor because of the same issue in multiple Member States then every court except the first court contacted can either suspend its proceedings for the duration of that first trial, or can order those proceedings to be consolidated in cases where this is possible (Art 81).

12.9 Liability

Controllers and processors are liable for damages that flow from an infringement of this regulation, and have to compensate data subjects and others for material damages caused. If controllers and processors are jointly responsible for an infringement they are jointly and severally liable vis‐à‐vis a data subject, ie the data subject can demand compensation for the full amount from each of the controllers and processors involved, who then apportion the payment among themselves as they see fit (Art 82). Controllers and processors are also subject to substantial fines and penalties, the amount of which depends on a number of specific criteria such as previous fines, whether negligence was involved, whether the impact was mitigated, etc. Depending on the breach, administrative fines can be up to 4% of worldwide revenues or €20m, whichever is larger (Arts 83, 84).

12.10 Specific Situations

The regulation deals with the protection of data in a number of specific situations, notably in relation to freedom of expression and information (Art 85), public access to official documents (Art 86), national identification numbers (Art 87), and in the context of employment (Art 88). Finally there are some safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Art 89). The remainder of the regulation deals with technical details (Arts 90–99).
