Out-Law Guide 6 min. read
25 May 2023, 10:32 am
The entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018 brought about the biggest overhaul of EU data protection law in more than 20 years and represented an attempt by EU policy makers to ensure the law on the collection, use, sharing and protection of personal data was fit for the digital age.
The GDPR accompanies its cousin in law enforcement data protection matters, the Police and Criminal Justice Data Protection Directive, and, unlike that Directive or the previous Data Protection Directive of 1995, is directly applicable in all EU member states.
While the GDPR is designed to enhance individuals' data protection rights, the necessary corollary of stronger rights for data subjects is onerous obligations for controllers and processors.
In addition, the GDPR introduced stronger potential sanctions for organisations that breach their obligations under the framework, as well as a new system of regulation. The 'one-stop-shop' regime is designed to account for the increasingly cross-border nature of business operations and allows companies to deal with just one supervisory authority of an EU member state.
At the end of the Brexit transition period, the GDPR was incorporated into UK law under the European Union (Withdrawal) Act 2018 and amended to facilitate its application to the UK by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). Since 1 January 2021, the UK GDPR has sat side by side with the EU GDPR.
The UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications (EC Directive) Regulations 2003 form the UK’s data protection framework.
The Data Protection and Digital Information (No 2) Bill has been proposed by the UK government and, if enacted as drafted, would make amendments to this data protection framework. Amendments proposed are designed to create a pro-innovation environment and reduce the burdens on businesses while maintaining the UK’s EU adequacy status.
In addition to the GDPR being applicable to EU-based organisations, non-EU controllers and processors are caught where the processing activities are related to the offering of goods or services to data subjects in the EU, or the monitoring of their behaviour.
The rules on territorial scope also apply in the same way under the UK GDPR, with organisations based in the UK offering goods or services to data subjects in the UK being caught by the UK GDPR.
Organisations can be caught by the EU GDPR, the UK GDPR, or both sets of rules.
The concept of 'personal data' covers any information related to identified or identifiable living individuals, and there are specific definitions for genetic data and biometric data. The GDPR also provides a definition for 'anonymous information' and the concept of 'pseudonymisation' – this being data that can no longer be attributed to a specific data subject without additional information that is held separately and securely.
The GDPR defines separate roles for ‘controllers’ who decide why and how data is processed, and ‘processors’, who process data on behalf of controllers.
Controllers are subject to more stringent obligations, reflecting their level of responsibility for the data being processed. However, some statutory obligations under the GDPR apply directly to processors, in addition to those they face under contract.
The statutory obligations are wide-ranging but include a duty to implement appropriate security measures when processing personal data on behalf of a controller, and an express obligation to notify the controller of personal data breaches. The obligations to protect personal data transferred internationally also fall on processors as well as controllers.
Processors may also be exposed to claims for financial damage or distress by individuals affected by a personal data breach, as those individuals are free to sue any organisation involved in the supply chain. The GDPR leaves it open to the contracting businesses to remedy the position between them in the event claims are successful.
The GDPR sets out principles that must be followed when processing personal data. The Regulation then sets out specific obligations around how these principles must be put into practice, but the overarching principles must be followed for all processing of personal data.
Personal data must be:
In addition, controllers must be able to demonstrate compliance with these principles – the so-called accountability principle.
Personal data can only be processed on specific grounds, each of which the GDPR refers to as a ‘lawful basis’.
Consent is one possible lawful basis, but the GDPR sets a high bar for valid consent. The request must be clear and in plain language. The data subject has the right to withdraw their consent at any time, it must be as easy to withdraw consent as to give it, and the controller must notify the data subject of their right to withdraw their consent. The controller must also be able to demonstrate that the data subject has consented. All of these conditions must be satisfied for the consent to be valid for GDPR purposes, and controllers purporting to rely on consent without meeting all of these conditions could be liable for the maximum penalty of 4% of worldwide annual turnover.
Alternatively, controllers may choose to rely on other lawful bases, such as that the processing is necessary for the performance of a contract to which the data subject is party or processing is necessary for compliance with a legal obligation. Controllers can also process data on the basis that the processing is necessary for their or a third party’s legitimate interests, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
Certain personal data receives additional protections under the GDPR.
There is a default prohibition on processing ‘special categories of personal data’. This default prohibition applies to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also applies to genetic data, biometric data, data relating to health, or data about an individual’s sex life or sexual orientation.
This special category data can only be processed if a controller satisfies a specific condition, in addition to the ‘lawful basis’ for the processing. These conditions include explicit consent, processing of data that the data subject has manifestly made public, and processing that is necessary for the establishment, exercise or defence of legal claims.
Separately, data relating to criminal convictions and offences can only be processed where the processing is authorised by EU or member state law (or, under the UK GDPR, domestic law), or is carried out “under the control of official authority”.
Transparency around data processing
Controllers must provide individuals with information about what personal data is being collected, for what purpose, how long it will be retained for, to whom it will be disclosed and to where it is being transferred.
The GDPR creates a number of rights for data subjects.
Data subjects can make a data subject access request or ‘DSAR’ to request information about the data the controller is processing. The Court of Justice of the EU (CJEU) has clarified that data subjects in the EU have the right to a copy of documents containing their personal data where these documents are indispensable for exercising their rights under the GDPR. This aligns with the approach already taken in the UK.
An individual can request that their personal data be deleted in specified circumstances and, where the personal data has been made public, that other controllers processing the personal data also erase links to, or copies or replications of, such personal data.
This right entitles a data subject to obtain from the controller a copy of their data in a structured, commonly used, and machine-readable format. The data subject can also request that the personal data is sent directly to another controller, where technically feasible.
The GDPR introduced a right to object to processing relying on certain lawful bases, including legitimate interests. Where an objection is raised, controllers must stop processing unless they can demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject” or the processing is for the establishment, exercise or defence of legal claims.
Data subjects can also object to direct marketing. Controllers must stop processing personal data for direct marketing purposes on receiving an objection.
The GDPR creates a default prohibition on automated decision-making which produces legal effects or similarly significant effects. There are exceptions where the processing is necessary for entering into or performing a contract between the data subject and the controller, is authorised by EU or member state law (or, for the UK GDPR, domestic law) which includes safeguards, or is based on the data subject’s consent. The right also imposes safeguards where these exceptions apply and additional restrictions where special category data is processed.
Minimum mandatory contractual provisions for contracts with data processors are outlined in the GDPR. The Regulation requires that these prescriptive obligations are included in data processing clauses, and that the requirements flow down to any sub-contractors used by processors. This raises potential tensions in the context of cloud computing, where some service providers may have difficulty agreeing to flow-down requirements.
A general, mandatory system for notification of personal data breaches also applies under the GDPR.
Under the GDPR, controllers must notify their supervisory authority of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
In addition, where there is a high risk of damage to the data subject, the data subject must be informed directly without undue delay.
A processor has to notify controllers it contracts with of personal data breaches it identifies "without undue delay".
Chapter V of the GDPR sets restrictions on transfer of personal data internationally, outside of the European Economic Area (EEA) or UK. These are designed “to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
Several mechanisms exist for international transfers to proceed lawfully. The European Commission and UK government consider a number of jurisdictions to provide adequate protection for personal data, and personal data can be transferred to these jurisdictions without additional safeguards.
In the absence of an adequacy decision, transfers can be made by putting ‘Standard Contractual Clauses’ or ‘Binding Corporate Rules’ in place. However, exporters must carry out a data transfer impact assessment and conclude that the data will receive the required standard of protection. See our guide on International Data Transfers and Schrems II: GDPR obligations for further information on this area.
Organisations with 250 or more employees must keep records of their processing activities with information on the data processed. This sits alongside the principle requiring controllers to demonstrate accountability.
Controllers are also obliged to implement "data protection by design and default", including data minimisation and security by default.
Public authorities and private companies whose core activities involve large-scale monitoring or large-scale processing of sensitive data or data on criminal convictions must appoint a data protection officer (DPO). Processors engaged by such controllers may also have to appoint DPOs.
A DPO must operate independently and must not take instructions from their employer.
Before commencing any processing likely to result in a high risk to individuals, such as profiling activities, controllers have to carry out a review of that envisaged processing to assess the privacy risks to individuals and identify measures to address these risks and demonstrate the processing operation is compliant with the GDPR. This is called a data protection impact assessment (DPIA).
Where the DPIA indicates that the processing would be high risk, in the absence of measures by the controller to mitigate that risk, the controller will be required to consult with their supervisory authority before being able to process that personal data under the GDPR. The supervisory authority has the power to suspend or even ban the processing.
Administrative fines of up to a maximum of €20 million in the EU, £17.5 million in the UK, or 4% of a business's worldwide annual turnover are possible under the GDPR.
The GDPR addresses administrative sanctions in two tiers. For infringements falling under the lower tier, the potential maximum administrative fine that can be issued in the EU is the greater of €10 million or 2% of a business's worldwide annual turnover of the preceding financial year. In the UK, the equivalent figure is the greater of £8.7 million or 2% of a business's worldwide annual turnover of the preceding financial year. For infringements falling under the higher tier, the potential maximum administrative fine that can be issued in the EU is the greater of €20 million or 4% of a business's worldwide annual turnover of the preceding financial year. In the UK, the equivalent fine is the greater of £17.5 million or 4% of a business's worldwide annual turnover of the preceding financial year.
In addition to administrative fines, the GDPR provides for a number of other powers available to supervisory authorities. The implementation of these powers is based on national laws.