23 Mar 2022
Introduction
The General Data Protection Regulation (the GDPR) is a stringent data privacy and security law, drafted in light of the rapid change in the IT and financial sectors (among others). It was drafted and promulgated by the European Union (the EU) and came into effect on 25 May 2018. It binds organizations anywhere in the world that collect personal data and/or provide any services to people living in the EU. The GDPR imposes hefty fines and penalties on whoever violates its security and data protection rules. There are two tiers of penalties under Article 83 of the GDPR, with fines of up to EUR 20 million or 4% of global revenue (whichever is higher), along with a right for Data Subjects to seek compensation for damages (Article 82). The TMT (Technology, Media and Entertainment) Practice of Fotis International Law Firm has aimed to provide our readers with a brief overview of the applicability and accountability of institutions under the GDPR.
Scope and Objectives
The GDPR’s prime objective is to protect natural persons with regard to their personal data. “Personal data is defined as any information that relates to an individual who can be directly or indirectly identified (the Data).” Protection of privacy at the time of processing is a fundamental right, covering both the protection of personal data and its safe movement. The GDPR applies to the processing of the personal data of a Data Subject (“Data Subject means the person whose data is processed by the controller (the Data Subject)”) by a controller (“A controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (the Controller)”) or a processor (“a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller (the Processor)”) within the European Union, regardless of where the Processor is established.
Principles
In this era of rapid and significant technological change, it is vital to protect the Data Subject’s personal data. For this purpose, Articles 5.1 to 5.2 of the GDPR set out seven major principles for authorities handling personal data, which must be complied with whenever the Controller or Processor processes any data.
- Lawfulness, Fairness, and Transparency – Personal data should be processed lawfully, impartially, and in a transparent manner, in the Data Subject’s best interest.
- Purpose Limitation – The processing of personal data should be lawful and/or used only for the specific purpose for which it was collected (for example, if the Data is collected for a government survey, the Controller or the Processor should adhere to the terms and conditions of the contract to which the Data Subject has given Consent). “Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes” (the Consent).
- Data Minimization – Before processing the Data, the Controller should obtain explicit Consent from the Data Subject. The Controller should stick to the specific purpose for which the Data Subject has freely given permission and agreed. The Data Subject has the right to withdraw his/her Consent at any time and at any stage by law.
- Accuracy – The Data collected for any definite purpose should be kept accurate and precise and must be kept up to date; the Controller should erase unnecessary data without delay.
- Storage Limitation – Data should be retained by the Controller only for the period specified in the contract to which the Data Subject has given Consent; using it beyond that time and purpose violates the GDPR.
- Integrity and Confidentiality – Processing should be carried out with complete confidentiality and secrecy to protect the Data Subject’s privacy and dignity. The Data Subject should be protected against any unlawful processing and against damage while the Data is in use.
- Accountability – The Controller is legally responsible for fulfilling the obligations set by the GDPR and is accountable for any infringements if he does not comply with it. The Controller should make arrangements for data protection in line with the GDPR, appoint a data protection officer, train and prepare his team, and strictly direct them to comply with the rules laid down by the GDPR. There should be formal written contracts for data privacy protection at the time the Data is collected.
Rights of Data Subject
Articles 12 to 23 cover access to information. The Controller should take the necessary steps to provide essential information to the Data Subject wherever it is required for the transparent processing of the data. The information should be concise and clear so that the Data Subject understands it. The Controller should not intentionally conceal any fact or information from the Data Subject.
Right to Access by the Data Subject
The Data Subject can check on the processing of his/her data and can inquire of the Controller whether the Data collected for a specific purpose has been processed. The Data Subject can ask for any personal data to be erased and has the right to lodge a complaint about any problem in accordance with the law. The Data Subject should be informed whenever the Data is transferred or shared with a third party or a third country.
Right to Rectification and Erasure
The Data Subject shall have the right to request that the Controller rectify any inaccurate or incomplete data without delay. The Data Subject can demand that the Controller remove or erase his/her data whenever required, and the Controller is bound to do so.
Right to Data portability and Objection
It is the Data Subject’s right to receive from the Controller the data concerning him/her that he/she has provided. The Controller is responsible for providing the Data Subject with the relevant data without creating any difficulty. The Data Subject can also object to the processing of his/her data for purposes such as marketing. For example, if the Data was collected in order to provide a service to the Data Subject and is later used for marketing-related activities, and the Controller’s conduct seems inappropriate to the Data Subject, he/she can rightfully request that the Controller refrain from processing such data.
Data Protection
The Controller should introduce and implement appropriate technical and organizational measures to guarantee data protection under the GDPR. Appropriate measures include data protection policies, staff training for this purpose, the appointment of a data protection officer, etc. If a personal data breach occurs, the Controller should notify the supervisory authority (“supervisory authority means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR”) of that breach within 72 hours after becoming aware of the incident. If this is not done, the Controller must give reasons for the delay.
Appointment of Data Protection Officer
The GDPR requires public authorities and organizations to appoint a Data Protection Officer, who should have expertise in data protection law. He/she should be fully involved in all issues relating to the Data. The Controller and the Processor should support the Data Protection Officer in performing his/her duties. The Data Subject can contact the Data Protection Officer about any issue relating to the processing of his/her data and to exercise any of the rights conferred upon him/her by the GDPR. The Data Protection Officer is responsible for maintaining the confidentiality and secrecy of his/her duties and assigned tasks.
Remedies, Liabilities, and Penalties
Articles 77 to 84 cover remedies, liabilities, and penalties. If any Data Subject suffers damage, whether material or immaterial, due to an infringement of the GDPR, he/she has the right to be compensated by the Controller and the Processor, and can approach the competent court for compensation. Administrative fines may also be imposed under the GDPR; such penalties are charged according to the circumstances, nature, and gravity of each case. The maximum fine is EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, to be paid to the Data Subject.
Conclusion
The GDPR is drafted and enforced exclusively to protect the Data. Its objective is to guard the general public’s privacy by restraining various bodies and organizations from interfering with people’s data and privacy. Its firm stance on privacy and personal data protection safeguards the public from large-scale privacy infringements.