The General Data Protection Regulation (‘GDPR’) is, perhaps, the most important piece of law for any international enterprise that ‘carries on business’ in the European Union. In this article, we set out the key elements of GDPR compliance for any enterprise operating in the global marketplace. We start with the definition of personal data before explaining the obligations of data controllers and processors – the key roles that your business might be performing under the GDPR. We finish by explaining the rules for transferring personal data overseas (such as to an overseas branch of your own enterprise).
The Definition of Personal Data
The focus of the GDPR is personal data, and how it is controlled and processed. Take a look at the definition of personal data in article 4(1) of the GDPR (all subsequent references to the GDPR):
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
There is no complete list of the types of information that might be classed as personal data under the GDPR. However, the definition covers a broad range of information including:
- Names, identification numbers and photographs;
- Any online identifiers (e.g., location data, IP addresses, cookies, mobile data and meta-data);
- Biometric data (e.g., eye-recognition data and fingerprints);
- Demographic data (e.g., age, profession, gender, ethnicity, sexual orientation, profession or vocation and disability);
- Health-related information.
The individual whose data is held is known as the ‘data subject’.
It’s important to recognize that context determines whether a given piece of data personally identifies an individual. For example, a very common name such as ‘John Smith’, may not, in itself be enough to constitute personal data, as it (potentially) couldn’t be used to identify anyone.
The GDPR applies to any organization which processes personal data as part of its activities in the EU, or which offers goods or services, or monitors the behavior of EU individuals. Non-compliance can result in substantial fines (up to €10 million euros or 2 percent of global turnover).
Article 5 of sets out the key principles that apply to protecting and processing personal data. This article provides that personal information must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes (with a few minor exceptions);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date;
- Kept in a form which allows identification for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- Processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Article 6 sets out in detail when the processing of personal data is permitted (the ‘lawfulness of processing’). It is permitted in a range of situations, including where:
- Consent exists;
- A contract or contractual process requires that processing, and the individual concerned agrees to it;
- It is necessary to fulfill a legal obligation of the controller (more about this role below);
- It is necessary to protect the vital interests of the data subject or of another person;
- It is necessary to carry out tasks in the public interest, or is the exercise of official authority vested in the controller;
- It is necessary for the legitimate interests pursued by the controller or a third party (that are not public authorities) and, in this case, those interests override the rights and freedoms of the data subject.
If the data is ‘sensitive’ personal data (such as ethnic origins or political opinions), there are special rules that apply to its processing.
Rights of the Data Subject
The GDPR provides individuals with a range of rights with respect to their personal data. These rights in turn correspond with obligations for data controllers and processors.
The rights for individuals within the GDPR include:
- A right to access the personal data held by the organization (article 15);
- A right to rectify mistakes or inaccuracies in the data held (article 16);
- A right to erase data under certain circumstances (commonly known as the ‘right to be forgotten’) (article 17);
- A right to restrict the processing of data (see article 18);
- A right to receive one’s own data in a portable form (article 20);
- A right to object to the processing of personal data (article 21).This means that the processing of data must stop unless the controller demonstrates compelling overriding reasons. Where the objection is to processing of data for direct marketing purposes, it must be immediately stopped on request.
Who do the GDPR Obligations Apply to?
The principles themselves only have legal significance by placing obligations and allowing rights for certain individuals. So, who do these principles apply to?
The obligations apply to two key roles: The ‘controller’ and the ‘processor’. The controller is the person (which could be a company or a natural person) that determines, whether alone or with others, the purposes and means of processing personal data. The controller has overall ‘control’ of the use and processing of personal data within the organization.
By contrast, the ‘processor’ is the person or organization that actually processes the data. Of course, the controller and the processor could be (and often are) the same organization or company.
The data controller must put in place:
- Appropriate technical and organizational measures ensuring that data processing is only performed in accordance with the data processing principles and rights of data subjects in the GDPR (see article 24(1)). In many cases, this includes developing data protection policies (see article 24(2));
- Appropriate technical and organizational measures to ensure that the collection and processing of personal information only occur as is necessary. This includes restricting access to personal data by default (article 25(2));
- Taking into account the costs of doing so, appropriate measures for the security of data, which may include pseudonymization of data, confidentiality processes, the ability to restore access to data in the case of a disruptive event, a process for regular testing, and evaluation of organizational security measures (article 32).
The controller must also ensure that any processor of the data has sufficient measures in place to protect the data.
Not only is the controller responsible for compliance with these requirements, they must be able to demonstrate their compliance (see article 5(2)).
What Are the Obligations of the Processor?
The data processor must:
- Not engage another processor without prior authorisation of the controller (article 28(2));
- Process data via a contract or other legal act, with the contract setting out in detail a range of matters relating to the role of the processor, including an obligation to support the controller in compliance, only processing on the documented instructions of the controller (including with respect to international transfers) (article 28(3));
- If sub-contracting processing, impose the same obligations that they themselves are under (article 28(4));
- Adhere to an approved code of conduct or an approved certification mechanism, if that is chosen as a way to comply with article 28(2) (article 28(5));
- Use standard contractual clauses for compliance when required to do so by supervisory authorities (Articles 28(7) and (8));
- As with the controller, put in place measures for the protection of data (see article 32).
How Does Data Transfer Overseas Work?
For international enterprises, transferring personal information across borders is often a necessity. However, the GDPR has clear rules specifying when an organization can transfer personal data overseas.
Article 44 spells out the general principle underlying international transfers of personal data. In short, transfer of personal data to third countries (i.e., outside the EU), shall take place only if one of the mechanisms set out in the GDPR are complied with. The key mechanisms (see article 46) are:
- Where the European Commission has made a determination that that third party ensures an adequate level of protection;
- Binding corporate rules (see article 47);
- Standard data protection clauses adopted by the European Commission or a supervisory authority;
- An approved code of conduct;
- An approved certification mechanism.
There are limited exceptions where even if one of these grounds do not exist, data can be transferred. For example, where the individual explicitly consents in spite being informed of the possible risks, or the transfer is required for proving or defending legal claims (article 49).
What Does the GDPR Mean for International Enterprises?
In order to ensure compliance with the GDPR, it is recommended that international enterprises consider the following questions:
- Do you possess or process any personal data of EU residents? Keep in mind the wide definition of personal data used in the GDPR;
- Do you offer goods or services to EU residents?
- If you are transferring personal data outside the EU, on what grounds are you doing so?
- Are you passing on EU personal data to a third party?
We recommend that any organization that may potentially be covered by the GDPR seek professional advice on how they can comply with that regulation throughout their international expansion.
The GDPR is a wide-ranging data protection law that may apply to any business that has dealings with individuals in the EU. International enterprises need to consider how the definition of personal data, the roles and responsibilities of controllers and processors, and the international transfer rules might apply to them.
International enterprises need to also consider the implications of other data protection laws (such as the California Consumer Privacy Act for any enterprise doing business in California), many of which are inspired by provisions contained in the GDPR.
New Horizons Global Partners are international compliance specialists who can advise on the best mechanisms for complying with the GDPR ,and any other data protection obligations you may have in your international enterprise.