GDPR
Site: Soteria H2020 awareness training
Course: E-training for personal data management and privacy
Book: GDPR
Date: Saturday, 25 January 2025, 1:23 AM
1. Rights of the data subjects (users)
The General Data Protection Regulation (GDPR) is the data protection legislation that applies in the European Union (EU) and regulates the protection of personal data. The GDPR grants data subjects a number of rights so that they keep control over their personal information. Here is a summary of those rights:
- Right to information: data subjects have the right to receive clear and understandable information about how their personal data is processed.
- Right of access: individuals have the right to obtain confirmation as to whether their personal data is being processed and, if so, to request access to that data. Companies must provide a copy of the data they hold about an individual.
- Right to rectification: if personal data is inaccurate or incomplete, data subjects have the right to request that it be corrected. This also includes the right to have incomplete data completed.
- Right to erasure ("right to be forgotten"): in certain circumstances, data subjects may have the right to request the deletion of their personal data, for example if the data is no longer necessary for the original purpose or if the processing is unlawful.
- Right to restriction of processing: data subjects have the right to restrict the processing of their personal data in certain cases. While processing is restricted, the data may only be stored and otherwise processed to a limited extent.
- Right to data portability: individuals have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller without hindrance from the original controller.
- Right to object: where personal data are processed on the basis of a legitimate interest, data subjects may object to this processing under certain circumstances. It is then up to the company to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
- Right not to be subject to automated decisions, including profiling: individuals have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them. This includes the right to receive information about the logic involved in the automated decision-making and its scope.
2. Duties of controllers / processors
Under the General Data Protection Regulation (GDPR), both controllers and processors have obligations regarding the protection of personal data. The most important obligations of each party are listed below:
Obligations of Controllers:
- Transparent information obligation: controllers must inform data subjects about the processing of their personal data. This information must be clear, precise and easy to understand.
- Lawfulness of processing: controllers may only process personal data in a lawful manner. This requires a legal basis (e.g., consent of the data subject or performance of a contract) and compliance with the data processing principles.
- Purpose limitation: controllers may collect and process personal data only for specified, explicit and legitimate purposes. Further processing for incompatible purposes is permitted only in certain exceptional cases.
- Data economy (data minimization): controllers should collect only the personal data that are necessary for the processing purpose in question. No excessive or unnecessary data should be collected.
- Accuracy of data: controllers must ensure that personal data are accurate and up to date. Inaccurate data must be corrected or deleted.
- Storage limitation: controllers should store personal data only for as long as necessary for the purpose of the processing. The duration of data storage should be clearly defined.
- Data security: controllers must take appropriate technical and organizational measures to protect personal data from unauthorized access, loss or misuse.
Obligations of Processors:
- Data processing contract: processors must enter into a written contract with the controller that specifies the data protection requirements under the GDPR.
- Data processing on behalf of the controller: processors may only process personal data in accordance with the instructions of the controller and may not use it for their own purposes or pass it on to third parties unless this is legally required.
- Data security: processors must take appropriate technical and organizational measures to ensure the security of personal data.
- Support of the controller: processors must support the controller in fulfilling its obligations under data protection law, for example in implementing data subject rights or in conducting data protection impact assessments.
3. Further Information
This chapter provides further explanations on specific topics.
3.1. Definitions
For the purposes of the GDPR, the term:
- "personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its designation may be provided for under European Union or Member State law;
- "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- "processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "restriction of processing" means the marking of stored personal data with the aim of limiting their future processing;
- "profiling" means any type of automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location;
- "pseudonymization" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data are not attributed to an identified or identifiable natural person;
- "filing system" means any structured collection of personal data accessible according to specified criteria, whether such collection is maintained on a centralized, decentralized or functional or geographical basis;
- "recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under European Union or Member State law shall not be considered as recipients; the processing of such data by those authorities shall be carried out in accordance with the applicable data protection rules according to the purposes of the processing;
- "third party" means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct responsibility of the controller or the processor;
- "consent" of the data subject means any freely given, specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her;
- "personal data breach" means a breach of security leading, whether accidentally or unlawfully, to the destruction, loss, alteration of, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which have been obtained, in particular, from the analysis of a biological sample from that natural person;
- "biometric data" means personal data on the physical, physiological or behavioral characteristics of a natural person, obtained by means of specific technical procedures, which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- "health data" means personal data relating to the physical or mental health of a natural person, including the provision of health care services, revealing information about that person's state of health.
3.2. Principles for the processing of personal data
Personal data must be:
- processed lawfully, fairly and in a manner comprehensible to the data subject ("lawfulness, fair processing, transparency");
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving, scientific or historical research purposes in the public interest or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");
- adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate in relation to the purposes of their processing are erased or rectified without delay ("accuracy");
- stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes or for statistical purposes as referred to in Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the data subject ("storage limitation");
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by appropriate technical and organizational measures ("integrity and confidentiality").
The controller is responsible for compliance and must be able to demonstrate compliance ("accountability").
3.3. Lawfulness of processing
Processing is lawful only if at least one of the following conditions is met:
- the data subject has given his or her consent to the processing of personal data concerning him or her for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.