EU General Data Protection Regulation (GDPR)
I. PURPOSE
The purpose of the General Data Protection Regulation (GDPR) is to protect individuals “with regard to the processing of personal data.” The GDPR declares such protection a “fundamental right.” The regulation also governs transfers of personal data out of the European Union (EU) and guarantees the free flow of personal data within the EU. The GDPR is meant to foster freedom, security, justice, and “economic and social progress,” to strengthen economies, and to “contribute to the . . . well-being” of individuals.
II. HISTORY
The GDPR repeals and replaces the previous EU personal data privacy legislation, Directive 95/46/EC. The GDPR states that the “objectives and principles of Directive 95/46/EC remain sound,” but that the previous law’s implementation led to a fragmented EU, with each country taking its own approach to personal data privacy. Along with such fragmentation, personal data collection by nation states and large technological advances signaled a need for personal data protection reform. The GDPR began as a draft proposal published in January 2012 by the European Commission. After the European Parliament proposed amendments to the draft in 2014, it was handed over to the Council of the EU. The Commission, Parliament, and Council began negotiations on the GDPR in June 2015, and the text was finalized by the end of that year. The EU Parliament and Council adopted the GDPR on April 27, 2016, and it applies from May 25, 2018. In connection with the GDPR, the EU Parliament and Council also adopted Directive 2016/680 on April 27, 2016. Directive 2016/680 has been in force since May 5, 2016, and each country in the EU has until May 6, 2018 to “incorporate [the Directive] into [its] national law.”
III. APPLICABILITY TO BYU–HAWAII
The GDPR’s protection of the processing and collection of personal data is broad, providing data protection for any person in the EU. Because BYU–Hawaii collects and uses the personal data of individuals in the EU (students, applicants, alumni, faculty, etc.), the GDPR applies to BYU–Hawaii.
IV. REQUIREMENTS
A. Key Definitions
The GDPR defines personal data as “any information relating to an . . . identifiable [individual] (‘data subject’).” A data subject is an individual “who can be identified, directly or indirectly, . . . by reference to an identifier such as a name, an identification number, location data, . . . [or] genetic, mental, economic, cultural or social identity.”
Processing is defined as “any operation . . . performed on personal data.” The GDPR lists “collection, recording, structuring, storage, . . . retrieval, consultation, use, . . . restriction, erasure or destruction” of personal data as examples of processing.
The GDPR divides organizations dealing with personal data into two main categories: controllers and processors. A controller is the “person, public authority, agency or other body which, alone or jointly. . . determines the purposes and means of the processing of personal data.” A processor is the “person, public authority, agency or other body which processes personal data on behalf of the controller.” Throughout the GDPR, controllers are typically charged with more responsibility and subject to more thorough regulatory requirements than processors.
B. Scope of the GDPR
The GDPR protects the personal data of all data subjects in the EU; there is no citizenship requirement for the protection listed in the GDPR. Additionally, personal data protection applies regardless of whether the processing is “wholly or partly” done by automated means. Even if the organization processing the personal data is based outside the EU, the GDPR applies if the organization processes personal data in relation to offering goods or services to individuals in the EU, or in relation to monitoring the behavior of individuals in the EU. Also, if an organization established in the EU processes personal data, the GDPR applies whether or not the processing itself takes place in the EU.
“[P]urely personal or household” activities are not covered by the GDPR. Also, under certain conditions, the GDPR allows the EU (or countries in it) to make specific exceptions from the rights covered by the law for personal data used in “scientific or historical research purposes or statistical purposes.” However, such personal data is still subject to “appropriate safeguards” specified in the GDPR.
C. Principles for Lawfully Processing Personal Data
The GDPR states that personal data must be (1) “processed lawfully, fairly, and in a transparent manner;” (2) used only for specified purposes (and limited to what is necessary for those purposes); (3) accurate; (4) kept only as long as needed; and (5) secured by “technical or organizational measures.”
Personal data may be lawfully processed only if at least one of the following applies: (1) the data subject gives consent; (2) processing is necessary for a contract with the data subject; (3) processing is necessary for compliance with a legal obligation; (4) processing is necessary to protect the vital interests of an individual; (5) processing is necessary for a task carried out in the public interest or in the exercise of official authority; or (6) processing is necessary for the legitimate interests of the organization or a third party, unless such interests are “overridden by the interests or fundamental rights . . . of the data subject.”
According to official guidance, the lawful bases related to each purpose in a processing activity must be identified “in advance.” Also, organizations cannot change the lawful basis they are using during “the course of processing.” In other words, organizations “cannot swap between lawful bases.”
i. Consent
If an individual gives consent to an organization to process their personal data “for one or more specific purposes,” that processing is lawful; in that case, the organization must “be able to demonstrate” that the individual has consented. Consent must be “a clear affirmative act” that shows a “freely given, specific, informed and unambiguous . . . agreement to the processing.” Consent may be given by a written statement, an oral statement, or by electronic means. If the request for consent is part of a written declaration that also concerns other matters, the request must be “clearly distinguishable from . . . other matters.”
Certain things do not constitute valid consent, such as “silence, pre-ticked boxes or inactivity.” Also, where consent is the lawful basis for offering online (“information society”) services directly to a child, and the child is under sixteen, a “holder of parental responsibility” must give or authorize the consent (countries in the EU may independently lower the age, but not below thirteen).
Consent may be withdrawn at any time, and revoking consent must be as easy as granting consent.
ii. Contract
An organization may process an individual’s personal data if doing so is “necessary for the performance of a contract” with the individual, or in order to take steps at the individual’s request prior to entering into a contract. Examples might include a credit card purchase or a car rental agreement.
iii. Legal Obligations
It is lawful for an organization to process an individual’s personal data “for compliance with a legal obligation” under EU law (or an EU member state’s law).
iv. Vital Interest
Processing personal data is lawful if it is necessary to protect the “vital interests” (such as the life) of the individual or of another person.
v. Public Interest
Processing is legal if it is “carried out in the public interest.” Similar to a legal obligation, if processing is based on public interest, that processing “should have a basis in [EU] or Member State law.”
vi. Legitimate Interests
If an organization has a “legitimate interest” in processing the personal data, and the individual’s “interests or fundamental rights and freedoms” do not “require the protection of personal data,” the personal data may be processed lawfully. The GDPR itself does not define “legitimate interest,” but an opinion of the Article 29 Working Party (the EU’s advisory body of data protection authorities) provides guidance on the issue. Specifically, a legitimate interest must be lawful, “sufficiently specific,” real, and present (i.e., not “speculative”). Examples of legitimate interests include freedom of expression in the arts, direct marketing, political or charitable messages, prevention of fraud, monitoring employees, and various types of research (“including marketing research”).
A “balancing test” is used to determine if an organization’s processing of personal data is based on legitimate interest. The test is based primarily on assessing (1) the organization’s legitimate interest, and (2) the “impact on the data subjects.” This comparison leads to a “provisional balance.” The provisional balance determines if additional safeguards protecting the data subject are needed to “tip the balance in a way that would legitimize processing.”
D. Sensitive Data
Personal data that is “particularly sensitive . . . merit[s] specific protection.” Personal data is “sensitive” (the GDPR calls it a “special category” of data) if it reveals or concerns: (1) racial or ethnic origin, (2) political opinions, (3) religious or philosophical beliefs, (4) trade union membership, (5) genetic data or biometric data used to uniquely identify a person, (6) health, or (7) sex life or sexual orientation.
The processing of sensitive data is prohibited, unless one of the following exceptions applies:
- The processing is based on explicit consent given by the individual.
- The processing is necessary for the organization’s obligations under employment, social security, or social protection law.
- The processing is in the vital interests of an individual who is incapable of giving consent.
- The processing is carried out, with appropriate safeguards, by a not-for-profit body with a political, philosophical, religious, or trade union aim; relates only to its members, former members, or regular contacts; and the personal data is not disclosed outside the organization without consent.
- The personal data has been “manifestly made public” by the individual.
- The processing is necessary for the establishment, exercise, or defense of legal claims.
- The processing falls within specific public interests in the area of public health.
- The processing is associated with certain valid healthcare activities.
E. Information Collection and Notice of Privacy Practice
A privacy notice must be “provided free of charge” at the time personal data is collected from the individual. The notice must “use clear and plain language,” and be given in writing or, “where appropriate, by electronic means.” The notice must contain all of the following information:
- “Identity and contact details” of the organization using the personal data
- “Contact details of the data protection officer, where applicable”
- The purpose for processing, and the legal basis of it
- The legitimate interest being relied on, if that is the lawful basis
- Who will receive the personal data
- Whether the personal data will be transferred outside of the EU and, if so, the safeguards relied on for the transfer
- How long their personal data will be stored
- The “existence of the right” to request their personal data to be corrected, deleted, restricted, or no longer processed, and the “right to data portability”
- That subjects may withdraw their consent at any time if consent was the lawful basis
- That subjects may “lodge a complaint with a supervisory authority.”
- If collecting the personal data is in relation to a law requirement or a contract, and any consequences for not supplying the personal data
- If the personal data will be subject to “automated decision making”
If the initial purpose of the personal data collection changes from the time it was first collected, the organization using the personal data must inform the individual of the changes before they happen.
F. Rights Related to Personal Data
i. Right to Access
Individuals have the right “to obtain . . . confirmation” if their personal data is being processed. If their personal data is being processed, individuals have the right to access their personal data and request the following information:
- The “purposes of the processing”
- What categories of personal data are being processed
- Who will receive the personal data
- How long the personal data will be stored
- Their rights associated with the processing of their personal data
- If the data was not collected directly from the individual, “any available information as to [the] source [of the data]”
- Information about “automated decision-making,” and any consequences of such processing
ii. Right to Correct
Individuals have the right to have incorrect personal data corrected “without undue delay” by the organization using their personal data, and the right to supplement any incomplete personal data.
iii. Right of Erasure (i.e., the Right to Be Forgotten)
Individuals have the right to have the organization using their personal data erase it “without undue delay,” but only if one of the following conditions is met:
- The personal data is no longer needed for the purposes it was processed.
- “The [individual] withdraws consent.”
- The individual objects to processing, and there are no overriding “legitimate grounds.”
- The personal data was processed illegally.
- The personal data needs to be deleted to comply with an EU legal obligation.
- The individual is a child, and consent for the online services was given by their parental authority. The GDPR is not clear if the request must be made by the child or the adult.
If the personal data was made public, and an organization must delete it for one of the reasons listed above, the organization must “take reasonable steps” to inform other organizations using the personal data that the individual has requested for that personal data to be deleted.
An individual’s right to have their data deleted does not apply if “processing is necessary” for:
- “Exercising the right of freedom of expression and information”
- Complying with a legal obligation by the EU or a country in the EU
- “Reasons of public interest in the area of public health”
- “For the establishment, exercise or defense of legal claims”
iv. Right to Restrict
Individuals may require the organization to restrict (i.e., stop actively processing) their personal data if any one of the following applies:
- They contest the accuracy of the information.
- “The processing is unlawful,” and the individual prefers restriction over deletion.
- The organization using the personal data no longer needs it, but the individual has legal claims that require that personal data.
- The individual questions the “legitimate grounds” claimed for using the personal data.
While a claim of inaccuracy or lack of legitimate grounds is being verified, the individual’s personal data may only be stored, not otherwise processed. Once the personal data is restricted, it can “only be processed” with the individual’s consent, for the “establishment, exercise or defense of legal claims,” to protect the rights of another person, or for reasons of “important public interest” of the EU or a country in the EU.
Also, the organization dealing with the restricted personal data must inform the individual whose personal data it is before any restriction on processing that personal data is lifted.
v. Notification Obligation
The organization must communicate any correction, deletion, or restriction of personal data to “each recipient” the personal data was disclosed to. Additionally, the organization must “inform the data subject about those recipients if the data subject requests it.”
vi. Right to Personal Data Portability
Individuals may receive their personal data in a “structured, commonly used and machine-readable format” if the processing is based on consent or contract and is carried out by “automated means,” provided that doing so does not adversely affect “the rights and freedoms of others.” Individuals may also request that an organization transmit their personal data directly to another organization, where technically feasible. The right to portability does not remove the right to have personal data deleted, and it does not apply to processing that is necessary for a task carried out in the public interest or in the exercise of “official authority” vested in the organization.
vii. Right to Object
If personal data is being processed based on public or legitimate interests, individuals may object to such processing. In addition, an individual may object to direct marketing at any time. Also, the right to object must be presented to the individual “clearly and separately from any other information” at the time the personal data is collected.
viii. Automated Personal Data Processing
Individuals have the “right to not be subject to a decision . . . based solely on automated processing” that produces legal effects on them or “similarly significantly affects” them. This right does not apply if such processing is necessary for a contract, is authorized by law, or is based on the individual’s explicit consent. Even in those cases, the organization must provide safeguards, including at least the right to obtain human intervention and to contest the decision.
G. Organizations’ Responsibilities Concerning Personal data
An organization that deals with personal data protected by the GDPR must “be able to demonstrate” that it follows the requirements of the law. Also, organizations outside the EU that process personal data must “designate in writing a representative” in the EU (the representative should be “established in . . . [an EU country] where the data subjects” are). A representative is not needed if (1) the processing is only occasional, does not include large-scale processing of sensitive or criminal-conviction data, and is unlikely to “result in a risk to the rights” of individuals, or (2) the organization is a public authority or body.
When an organization uses a third party to process personal data protected by the GDPR, the organization may only use processors that provide “sufficient guarantees” that they will follow the GDPR. Any processing by a third-party processor must be governed by a contract containing specific required terms. In addition, if multiple controllers will jointly determine how an individual’s personal data is used, they must transparently allocate their respective responsibilities, and still provide all of the information required for the privacy notice.
i. Personal Data Security
All organizations must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” The GDPR names “pseudonymisation and encryption” as examples of such measures. The organization must also be able to ensure the ongoing “confidentiality, integrity, availability and resilience” of its processing systems, to restore availability and access to personal data in a timely manner after an incident, and to regularly test and evaluate the effectiveness of its measures. Separately, the principle of data minimization and the requirement of “data protection by design and by default” oblige the organization to process only the personal data necessary for each purpose.
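As an added illustration of what “pseudonymisation” means in practice, the following Python script replaces a student identifier with a keyed pseudonym and keeps the re-identification table apart from the dataset. This is example code written for this summary; it is not part of the regulation or of any BYU–Hawaii system, and the student ID format (“S” plus four digits), the record fields, the sample records, and the export label are assumptions made for the example. It also shows why an unkeyed hash of a structured identifier is not pseudonymisation: the identifier space is small enough to enumerate.

```python
"""Keyed pseudonymisation of student records (illustrative example, not BYU-Hawaii code)."""
import hashlib
import hmac
import secrets

# Constructed sample records for the example; the student ID format "S" + 4 digits
# and the fields are assumptions, not a real schema.
SAMPLE_RECORDS = [
    {"student_id": "S0042", "program": "CS", "gpa": 3.7},
    {"student_id": "S1337", "program": "Biology", "gpa": 3.2},
    {"student_id": "S0042", "program": "CS", "gpa": 3.9},  # same person, later term
]


def make_pseudonym(identifier: str, key: bytes, context: str) -> str:
    """Stable pseudonym for `identifier` under a secret `key`.

    HMAC-SHA256 is a keyed hash: whoever lacks `key` cannot recompute the
    mapping, so the pseudonymised dataset alone does not identify anyone.
    `context` (e.g. the name of one export) is mixed into the message so the
    same person gets unrelated pseudonyms in different datasets, which blocks
    linking records across exports.
    """
    message = context.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes, context: str):
    """Return (dataset, lookup_table).

    `dataset` has the direct identifier replaced by a pseudonym. `lookup_table`
    maps pseudonym -> identifier and is the "additional information" that the
    GDPR requires be kept separately, under its own access controls, from the
    dataset it re-identifies.
    """
    dataset, lookup = [], {}
    for rec in records:
        pseudonym = make_pseudonym(rec["student_id"], key, context)
        lookup[pseudonym] = rec["student_id"]
        dataset.append({"pseudonym": pseudonym,
                        **{k: v for k, v in rec.items() if k != "student_id"}})
    return dataset, lookup


def reidentify(pseudonym: str, lookup: dict):
    """Re-identification is possible only for whoever holds the lookup table."""
    return lookup.get(pseudonym)


def unkeyed_pseudonym(identifier: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:32]


def reverse_unkeyed(pseudonym: str):
    """Recover the identifier behind an unkeyed hash by enumerating the
    (assumed) ID space S0000..S9999. Ten thousand hashes take milliseconds,
    so an unkeyed hash of a structured ID offers no real protection."""
    for n in range(10_000):
        candidate = f"S{n:04d}"
        if unkeyed_pseudonym(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    # In practice the key is generated once and held in a separate key store,
    # never alongside the pseudonymised dataset.
    key = secrets.token_bytes(32)
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key, "research-export-2018")
    for row in dataset:
        print(row)
    first = dataset[0]["pseudonym"]
    print("re-identified with lookup table:", reidentify(first, lookup))
    print("unkeyed hash reversed by enumeration:",
          reverse_unkeyed(unkeyed_pseudonym("S1337")))
```

The security of this scheme rests entirely on keeping the key and the lookup table away from the people who receive the dataset; if either travels with the data, the data is simply identifiable again. The per-export context label is what keeps two pseudonymised datasets from being joined on the pseudonym column.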
ii. International Personal data Transfers
To transfer personal data from inside to outside the EU, one of the following conditions must be met:
- The European Commission has declared the country, a certain part of the country, or the international organization as having “an adequate level of protection." If this is the case, the transfer will “not require any specific authorization.”
- The individual gives explicit consent after being informed of the risks of the transfer, the transfer is necessary for a contract with or in the interest of the individual, or another narrow derogation listed in the GDPR applies.
- Appropriate safeguards are in place, such as: (1) a legally binding instrument between public authorities; (2) binding corporate rules approved by a supervisory authority; (3) standard data protection clauses adopted by the European Commission or by a supervisory authority; or (4) an approved code of conduct or certification mechanism with binding commitments.
iii. Record Keeping
Organizations dealing with personal data protected by the GDPR must keep a record of their processing activities containing the following:
- Contact details of the organization and its data protection officer (where applicable)
- Purposes of the processing
- What categories of individuals and personal data are being used
- Categories of recipients
- If the personal data will go outside of the EU
- Time limits until the personal data is deleted
- A description of security measures
Third-party personal data processors must keep record of the following:
- Their own contact information (including their data protection officer), as well as that of each organization they process data for
- What categories of personal data they are processing
- If the personal data will be transferred outside of the EU
- A description of security measures
All records are to be kept in writing, including in electronic form, and made available to supervisory authorities on request; cooperation with authorities is also a general obligation laid out in the GDPR.
iv. Personal Data Breaches
If a personal data breach occurs, the organization must notify its supervisory authority without undue delay and, where feasible, within seventy-two hours of becoming aware of it, unless the breach is “unlikely to result in a risk” to the individuals affected. Any third-party processor must notify the organization it works for without undue delay after becoming aware of a breach. These notifications should include the nature of the breach, the approximate number of individuals and records affected, the data protection officer’s contact information, the “likely consequences,” and the measures taken or proposed to address the breach.
If the breach is likely to result in a high risk to individuals, the organization must also communicate it to the affected individuals without “undue delay,” in “clear and plain language.” This notification need not occur if the affected personal data was protected, for example by encryption, such that it is unintelligible to any unauthorized person, or if the organization has since taken measures so that the high risk is no longer likely to materialize. Also, if individual notification would involve “disproportionate effort,” a public communication that informs individuals equally effectively will suffice.
v. Data Protection Officer
Organizations that deal with personal data must appoint a data protection officer if they are a public authority, if their core activities involve regular and “systematic monitoring of [individuals] on a large scale,” or if their core activities involve large-scale processing of sensitive or criminal-conviction data. The data protection officer must be selected based on professional qualities and expert knowledge of “data protection law and practices.” The data protection officer may be contacted by individuals about their personal data, and must “inform and advise” the organization they work for, monitor compliance, and provide advice on data protection impact assessments. In addition, the data protection officer is required to cooperate with, and act as the contact point for, the supervisory authority.
V. PENALTIES
Monetary penalties are decided using many factors, including “the nature, gravity, and duration of the infringement,” whether the infringement was intentional or not, any previous infringements, and level of cooperation with the authorities.
A fine of up to 10 million Euros or 2% of the offender’s total worldwide annual turnover for the preceding financial year (whichever is higher) applies to infringements of certain provisions of the GDPR, including: (1) the conditions around a child’s consent; (2) processing that does not require identification; (3) “data protection by design and by default;” or (4) the obligations concerning the data protection officer.
A fine of up to 20 million Euros or 4% of the offender’s total worldwide annual turnover for the preceding financial year (whichever is higher) applies to infringements of the rules concerning: (1) “basic principles for processing, including conditions for consent;” (2) “the data subjects’ rights;” (3) international data transfers; (4) obligations under EU member state law adopted under the GDPR; or (5) not complying with an order from a supervisory authority.
Also, any individual who has “suffered material or non-material damage” because of an infringement of the GDPR has the right to receive compensation from the offending organization.
VI. DIRECTIVE (EU) 2016/680
This Directive was passed in conjunction with the GDPR, and is also called the Data Protection Directive for Police and Criminal Justice Authorities. The Directive is intended to improve cooperation in fighting terrorism and cross-border crime in the EU by making it easier for police and criminal justice authorities in different countries in the EU to work together. At the same time, this Directive also protects individuals’ personal data while it is being processed for such reasons.