The General Data Protection Regulation (the GDPR) is stringent data privacy and security law, considering the global dynamicity in the IT and financial sectors (among others). It was drafted and promulgated by European Union (the EU) and came into effect on 25 May 2018. It bounds organizations anywhere globally, which collect personal data and/ or provide any services to the people living in the EU. The GDPR imposes hefty fines and penalties, for whoever violates its security and data protection laws. There are two tiers of penalties under Article 83 of the GDPR, being fine up to Euros 20 million or 4% of global revenue (whichever is higher), along with a right to the Data Subjects to seek compensation for damages (Article 82). The TMT (Technology, Media and Entertainment) Practice of Fotis International Law Firm has aimed to provide our readers with a brief overview of the applicability and accountability of institutions under the GDPR.
The GDPR’s prime objective is to protect natural persons regarding their personal data. “Personal data is defined as any information that relates to an individual who can be directly or indirectly identified (the Data).” Privacy protection at the time of processing is a fundamental right to protecting personal data and its safe movement. The GDPR applies to the processing of personal data of the Data Subject, “Data Subject means the person whose data is processed by the controller (the Data Subject).” “A controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (the Controller)” or processor “a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller (the Processor)” within the European Union regardless of the processor’s establishment.
In this revolutionary era of rapid and significant technological changes, it is vital to protect data Subject’s personal data. For this crucial purpose, the GDPR in Articles 5.1 to 5.2 has set seven major principles for the authorities’ handling personal data to safeguard data of Data Subject, which should be complied with when the Controller/processor processes any data.
Article. 12 to 23 Access to information, The Controller should take necessary steps to provide essential information to the Data Subject, wherever required for the data’s transparent processing. The information should be concise and clear for the knowledge of the Data Subject. The Controller should not conceal any fact or information intentionally from the Data Subject.
The Data Subject can keep a check on the data processing and can inquire from the Controller whether the Data collected for any specific purpose was processed or not. The Data Subject can ask for any personal data erasure and has the right to file a complaint against any problem by law. The Data Subject should be informed whenever the Data is transferred or shared with a third party or country.
The Data Subject shall have the right to request from the Controller to rectify any inaccurate and incomplete data without any delay. The Data Subject can demand the Controller to remove or erase his/her data whenever required, and the Controller is bound to do so.
It is the Data Subject’s right to receive the data regarding him/her from the Controller, which he/she has provided. The Controller is responsible for providing the Data Subject with the relevant data without creating any trouble. The Data Subject can object to the processing of his/her data used for any purpose like marketing; for example, the Data was collected for providing any service to the Data Subject and later on, the Data is being used for marketing related activities, if the act of the Controller sounds inappropriate to the Data Subject, he/she can rightfully request the Controller to restrain from processing such data.
The Controller should introduce and implement appropriate technical and organizational measures to guarantee data protection under the GDPR. Appropriate measures include data protection policies, staff training for this purpose, data protection officer appointment, etc. If any personal data breach occurs, the Controller should notify the supervisory authority “means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR” about that breach within 72 hours of that occurrence after becoming aware of the incident. If not done so, the Controller would have to give reasons for the delay.
The GDPR requires public authorities and organizations to appoint a Data Protection Officer, who should have data protection law expertise. He should be fully involved in the issues related to the Data. The Controller and the Processor should support the Data Protection Officer in performing his/her duties. The Data Subject can contact the Data Protection Officer to know about any issue related to the processing of their data and exercise any rights conferred upon him by the GDPR. The Data Protection Officer is responsible for keeping the confidentiality and secrecy of his/her duties and given tasks.
Article. 77 to 84 If any Data Subject suffers damages, whether material or immaterial, due to infringement of the GDPR, he/she has the right to get compensated by the Controller and the Processor. The Data Subject can approach the competent court for compensation. Administrative fines are also available to be imposed under GDPR; such penalties are supposed to be charged according to each case’s circumstances, nature, and gravity. The maximum amount of fine is 20 million EURO, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher to be paid to the Data Subject.
The GDPR is exclusively drafted and executed to protect the Data. Its objective is to guard the general public’s privacy by restraining various bodies and organizations from interfering with people’s data and privacy. Its firm stance on privacy and personal data protection safeguard the public from privacy infringements on a large scale.