GDPR, Something Stringent Building Sway, Part II

GDPR
General Data Protection Regulation

GDPR an Overview: Applicability and Principles

Previously we noted that the General Data Protection Regulation (GDPR) addressed the inadequacies of EU Directive 95/46/EC; formally, it is a comprehensive and complex law that regulates how the personal data of individuals in the European Union (EU) and the European Economic Area (EEA) is collected, processed, stored, and transferred. We now continue with its applicability. Notably, it grants individuals certain rights and protections regarding their data, and it aims to harmonize data protection rules across the EU, enhance the privacy and security of personal data, and foster trust and accountability among data controllers and processors.

The GDPR applies to any organization, whether located inside or outside the EU, that offers goods or services to individuals in the EU or EEA, or that monitors their behaviour. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as name, email, location, health records, biometric data, or online identifiers. The GDPR also recognizes special categories of personal data that are more sensitive and require a higher level of protection, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

The GDPR can be said to be an inspiration and precursor, with comparable aims and similar terminology, to US state legislation (in the absence of a federal GDPR-like law, states have individually taken the initiative): for example, the California Consumer Privacy Act (CCPA) of 2018, which took effect in 2020 and was amended and expanded by the California Privacy Rights Act (CPRA), a ballot initiative approved by California voters; the Virginia Consumer Data Protection Act (VCDPA), which was signed into law in 2021 and took effect in 2023; and the Colorado Privacy Act (CPA) of 2021. Each aims to protect the privacy and rights of individuals with respect to their data. However, there are some key differences between them and the GDPR relating to scope and applicability, the definition of personal data, the legal basis for processing, the rights of data subjects and consumers, and data transfers to third countries or international organizations. Note again that there is no US federal legislation of this type.

The GDPR establishes six principles that govern the processing of personal data:

- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

- Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

- Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

- Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.

- Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The GDPR also introduces the concept of accountability, which requires data controllers and processors to demonstrate compliance with the GDPR by implementing appropriate policies and procedures, conducting data protection impact assessments, maintaining records of processing activities, appointing data protection officers, and cooperating with supervisory authorities.

In summary, the General Data Protection Regulation (GDPR) addressed the inadequacies of EU Directive 95/46/EC, which sought to regulate how the personal data of individuals in the European Union (EU) and the European Economic Area (EEA) was collected, processed, stored, and transferred. The regulation applies to any organization, whether located inside or outside the EU, that offers goods or services to individuals in the EU or EEA. It has become an inspiration and precursor, with universal aims and adaptable terminology, for legislators contemplating data protection legislation in other political jurisdictions. Next time, continuing this overview, we look at data subject rights and GDPR terminology.

–Richard Thomas
