Under the General Data Protection Regulation (GDPR), a controller must determine the legal basis for each purpose of the data processing operations carried out under its responsibility (i.e. data processing carried out either by itself or by its processor).
The different legal bases for processing personal data are laid down in article 6 GDPR and include, among others, consent, legitimate interest, the performance of a contract and compliance with a legal obligation.
However, where special categories of data and/or data about criminal convictions are processed, controllers must also identify an additional legal basis among those laid down in article 9 or 10 GDPR.
Failing to consider the legal basis of processing beforehand may lead to various breaches of the GDPR and, in particular, to breaches of individuals’ rights.
Data Protection by design and by default are principles defined in article 25 of the General Data Protection Regulation (GDPR).
Data protection by design requires the controller to take technical and organisational measures to implement the data protection principles effectively and to integrate adequate safeguards to protect the rights and freedoms of data subjects.
Data protection by default requires that, by default, appropriate technical and organisational measures be implemented to ensure that only personal data that are necessary for each purpose of the processing are processed.
Under the EU General Data Protection Regulation (GDPR), all data processing activities must comply with six privacy principles, which are the cornerstone of the European privacy regulation and of most international privacy laws.
The privacy principles are set out in article 5 GDPR and are as follows:
Lawfulness, fairness and transparency
Under the General Data Protection Regulation (GDPR), any person (including organisations) handling personal data is subject to a different level of obligations and responsibilities with regard to the personal data processing operations they carry out depending on whether they are acting as a processor, a controller or a joint controller.
Indeed, all their GDPR obligations and responsibilities stem from their role and may, as a result, differ greatly. In broad terms, controllers bear most of the responsibilities, while processors must only act under the instructions of the controller and therefore bear much less responsibility.
The territorial scope of the new data protection regulation applicable from May 2018 (GDPR) is much wider than that of the current directive 95/46/CE.
As a consequence, the new data protection rules may apply to any business whether or not it is located within the EU if certain conditions are met.
Below is a questionnaire/guidance that should help you consider whether or not the GDPR applies to a specific activity. However, given the complexity of some definitions, a detailed analysis of the activities might be necessary to answer some of the questions accurately.