In Part I of this series, we provided information about whether the GDPR applies to your U.S.-based business. In this article, we will explain the key privacy requirements of the GDPR. The GDPR is, at its heart, a regulation to control the collection and use of an EU data subject’s personal information by limiting the processing of personal information to the specific purposes for which it was collected, and giving the data subject control over the collection, use, and deletion of his or her personal information.
The GDPR consists of 94 articles organized into 11 chapters that set out the principles and requirements of the law. A good resource for reading these articles and chapters is EUGDPR.org. Chapters 2 and 3 of the GDPR predominantly house the requirements related to the collection and privacy of a data subject’s information that a U.S.-based business must understand in order to be in compliance. Understanding these rules is essential to drafting a legally compliant privacy statement or consent form and to implementing GDPR-compliant procedures.
Collection and Processing of Personal Data. Chapter 2 of the GDPR provides key concepts regarding collecting and processing of personal data.
|
Collecting Data
|
Processing Data
|
-
Data collection must be lawful, fair and transparent;
-
Data must be collected only for specific and legitimate purposes; and
-
Data collection must be limited to what is necessary to achieve the purpose for which it was collected.
|
-
The data collected must also be accurate, with reasonable steps and processes to ensure the erasure or correction of inaccurate data;
-
There must be procedures in place to limit the storage of personal data only for as long as necessary for the purposes for which the personal data is being processed; and
-
The data must be processed in a manner that ensures its security, with plans in place to respond to data breaches or other accidental loss or destruction; and
-
Companies must have data security and privacy measures in place, and must be prepared to demonstrate compliance with this requirement.
|
There is a heightened standard for processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for purposes of identifying the person, health data, or data concerning a person’s sex life or sexual orientation. As a general rule, processing this type of personal data is prohibited, except where the data subject has provided explicit consent, or the data is required by law, for employment, for medical or public health and safety reasons, to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent, or where the data is for a non-profit or member-driven organization and the processing relates to members or former members who have regular contact with the organization.
Consent of the Data Subject. The consent of the data subject is a key concept of the GDPR regulations. First, the controller must be able to demonstrate that the data subject has provided personal consent to the processing of personal data. The form requesting consent must be in clear, easy to understand language, and presented in a manner distinguishable from other information being presented. Second, the consent must be “informed,” which means that the data subject is aware of the identity of the controller, the categories of personal data being collected, the intended use of his or her personal data, and to whom the personal data will be disclosed, particularly if disclosure is to recipients in third countries. Third, the form must contain information about the time periods that the data will be stored, and how the data subject can easily withdraw consent at any time.
Rights of the Data Subject. Chapter 3 provides a list of specific rights that the data subject has related to consent, collection, storage, correction, and deletion of personal data, which include:
-
Data subjects have a right to know why their personal information is being collected.
At the time that the controller, or another on the controller’s behalf, collects personal data from the data subject, the controller must provide the data subject with the identity and contact details of the controller, details regarding the data protection officer, if there is one, the purposes intended for processing the data, the legal basis for processing, the recipients of the personal data, and reference to safeguards in place if transferring to a third country. The controller must also provide information about how long the data will be stored, the right to lodge a complaint with the supervisory authority, and information about rights to correct, erase, or delete personal data.
-
Data subjects have a right to correct their information.
The data subject has the right to provide a supplementary statement requesting correction of any inaccurate or incomplete information. The controller must inform the data subject that this has been done, unless this is impossible or involves a disproportionate effort.
-
Data subjects have a right to demand their information be erased, also called “the right to be forgotten.”
Except in limited circumstances, the data subject has the right to request that a controller delete personal data without undue delay (usually within a month), and the controller has the obligation to do so, and to inform the data subject of the erasure where the data is no longer necessary for the purposes for which it was collected. The controller must then take reasonable steps to inform controllers who are processing the personal data that the data subject has made a request for erasure.
-
Data subjects have a right to restrict the processing of their personal information.
If the data subject has objected to the processing of the personal data, lodged a complaint related to the processing, or contested the accuracy of the personal data, then the data subject has the right to ask the controller to restrict the processing of the data.
Even if the data subject initially consented to the collection and processing of personal data, the data subject has the right to later object to the continued processing of data. If this happens, the controller must stop processing the data unless it can establish compelling legitimate grounds to continue that override the dates subject’s interests, rights and freedoms or for the defense of legal claims.
-
Data subjects have a right to request a copy of their personal information.
The data subject has a right to request a copy of the personal data concerning him or her, in an easy to read format, and to transmit that data to another controller.
-
Data subjects have a right to restrict profiling and other automated decision-making.
With limited exceptions, including if the decision-making is necessary for entering into or performance of a contract between the data subject and the data controller, the data subject has the right not to be subject to automated decision-making, which includes profiling.
It is imperative that a U.S.-based company that is a processor or controller of personal information of an EU data subject understand these key privacy concepts. Understanding this information is necessary to draft a compliant privacy statement or consent form and implement other GDPR-compliant processes. In Part III of our series on the GDPR, we will explain the steps that U.S.-based companies should be taking to comply with the GDPR. Part IV will discuss special issues related to the processing of employment records for those companies that have employees in the EU, or who have U.S.-based employees that are EU citizens. Part IV will also discuss the new April 19, 2018 position paper issued by the Article 29 Working Party regarding the requirement of large and small employers that employee EU employees to comply with Article 30 of the GDPR and maintain a record of processing activities.
