The 2016/679 European regulation (most known as GDPR) came into force in the end of May 2018. In this easy guide we will try to explain the key points of the regulation, in a simple way and without too many complicated details.
The name “General Data Protection Regulation” tells us it is a Regulation. It means that on the 25th of May 2018 it became de facto a law in all member states of the European Union.This clarification is significant, because unlike the Directive, which asks member states to write a law in a certain direction, a regulation does not need any further passage to be enforced.
The GDPR establishes the rules to protect the personal data of European citizens, so it should not be confused with company’s data like prototypes, projects, patents, financial statements or whatever. In practice, all subjects (companies, entities as well as other citizens), including those from outside the EU, who process personal data of the European citizens, must comply with the regulation.
GDPR definitions
Before getting to the heart of what the GDPR says, let us clarify some definitions:
Personal data
Article 4 of the GDPR defines it as “any information concerning an individual identified directly or indirectly by reference to any other information”. It means that a name, an address as well as car plate numbers are all personal data. It does not matter that the data is visible to everyone (think of the car plate numbers for example), as it is the combination of the plate number and the person that form the personal data.
Processing
Another important word to know is Processing. By this we mean “any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction”.
Data subject
The interested party is the owner of the data, i.e. every person is the interested party of his or her personal data.
Data controller
The data controller is the person, company or entity that asks for personal data to be able to process it and decides how and why to process it. Attention is not to those who manages the data, but who makes decisions on data processing.
Processor
It is the natural, legal, public administration or body that processes personal data on behalf of the data controller.
Data Protection Officer
Also known as DPO, an acronym for the English definition, this figure is designated by the owner and the person in charge of the treatment, to act as an expert on the subject (usually he is a lawyer). In practice, it deals with helping those who must process personal data, respecting the GDPR, providing opinions, informing, and supervising.
Special categories of personal data
Before the GDPR this type of data was called sensitive and included racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, as well as genetic data, biometric data intended to identify a unique individual, data relating to the health or sexual life or sexual orientation of a person.
Personal data breach
The security breach that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise treated.
Pseudonymisation
The word that may awaken fear but is simple. The processing of personal data so that it can no longer be attributed to a specific interested party without the use of additional information. Imagine having two registers, one with two columns: the first column contains the names of the people and the second a numerical code associated with each of them. The other register contains the numerical code in the first column and in the second column, the personal data to be protected. To understand who the data belongs to, it is necessary to correlate the information on the two registers. The personal data in the second register is “pseudonymized”.
Rights of European citizens
After this long but necessary introduction, let us find out what the rights of European citizens are regarding personal data.
The most important article (there are 99 of them in total) is of course the first one. Point 2 is the heart of the regulation saying: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. But what exactly does that mean? What are the rights and freedoms it protects? An entire chapter of the regulation is dedicated to the “Rights of the data subject”, that is divided into five sections. Let us quickly analyze them.
Transparency and modalities
This section includes a single article (the 12th) entitled: “Transparent information, communication and modalities for the exercise of the rights of the data subject”. Basically, the article says that the data controller (the one collecting the data) must communicate with the data subject in a clear manner and must facilitate him in his requests (in relation to the personal data processed by the owner) and in general in exercising the rights provided by the regulation.
Information and access to personal data
Here we get to the main part: before processing the data, the owner must tell you who and why processes the data, and how long the data is kept. He also says that you can ask to view, modify, or delete our personal data in his possession anytime.
Rectification and erasure
It is your right to ask to change your data (rectification) or to request cancellation, the famous “right to be forgotten”. In fact, at any time you can withdraw consent to the processing and ask to be forgotten (useful for defending against some very aggressive marketing campaigns).
Right to data portability (article 20) is an interesting one, that allows the interested party to request the owner to provide all personal data referring to him “in a structured, commonly used and machine-readable format”. This article, in fact, is what forced Google, Facebook and the other web giants to provide their users with a link to request all data about an individual in their possession. It works, and we recommend you try it at least once: Google Takeout or Facebook personal data management.
Right to object and automated individual decision-making
This goes hand in hand with the article on the right to be forgotten but applies when it is not necessary to ask for permission to process personal data because “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party” (art. 6, par.1, letter f).
Restrictions
Obviously, the EU can limit the rights and obligations established by the regulation to safeguard more important interests, such as national security, independence of the judiciary and judicial proceedings, public safety, protection of the data subject or the rights and freedoms of others, and other critical issues.
Responsibility of the data controller and the data processor
Chapter four describes the obligations of the owner and manager of the processing of personal data. In particular, they overview the compliance responsibilities of these two figures, including the obligation to protect the personal data they process (by encrypting them or applying pseudonymization), to keep a register of treatments, and to evaluate the impact of the treatments before proceeding.
The last aspect that deserves your attention is that of personal data breaches. Section 2 of Chapter 4 is dedicated to the security of the data processing, where Article 33 is certainly one of the most important and is dedicated to the “notification of a personal data breach to the supervisory authority”. Its first paragraph is the famous communication to the “Garante” (in Italy the supervisory authority is called “Garante per la protezione dei dati personali”) in case of data breach:
“In the event of a personal data breach, the data controller notifies the competent supervisory authority pursuant to Article 55 of the violation without undue delay and, where possible, within 72 hours from the time when it became aware of it, to unless the breach of personal data is unlikely to present a risk to the rights and freedoms of individuals. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay “.
Conclusion
Heavy administrative and pecuniary sanctions applied to the owners, who do not respect the regulation, certainly made it famous. Fines can vary depending on the violations but are still very relevant. They start from fines of up to 10 million euros or (for companies) to 2% of their turnover, for example, for not having a data controller appointed. The fine can reach € 20 million or 4% of the company turnover in case of more serious violations like failure to notify a data breach.
According to a study by DLA PIPER published in January 2023, in 2022, there was yet another milestone achieved as GDPR fines totalling EUR 1.64 billion were reported across Europe. This marked a remarkable 50% increase in the total fines issued compared to the fines reported in 2021Germany leads the rankings with 29 795 personal data breach notifications, followed by Netherlands (24 777), Poland (12 748), United Kingdom (10281) and Denmark (7882).
What about Italy? According to the same report, between 25 May 2018 and 27 January 2023, the Guarantor was notified of 7008 personal data violation cases (ranked 11) and imposed fines with a total value of more than 63 million euros (ranked 6).