News: General News

European Data Privacy Rules and You ​

Monday, December 17, 2018  
Posted by: Nicole Wiebold
Share |


During the past few months, you’ve likely seen numerous website popup messages asking you to review updated privacy policies and check a box confirming that you agree with the terms of use. This step is occurring as a result of the General Data Protection Regulation (GDPR).


What is the GDPR?

The GDPR is a set of rules adopted by the European Union which enumerates the rights data subjects have to their personal data, establishes requirements for the processing of personal data, and standardizes the data protection laws across the countries of the EU. The GDPR came into effect on May 25, 2018. Accordingly, there are still many questions surrounding what constitutes compliance and how it will be enforced.  


What is a “data subject” and what qualifies as “personal data”?

The GDPR is intended to protect the personal data of data subjects. A “data subject” is an identified or identifiable natural person, and “personal data” is any information relating to a data subject.


Who is affected by the GDPR?

The territorial scope of the GDPR applies to the processing of personal data of data subjects in the EU:

  1. By controllers or processors established in the EU, whether processing takes place in the EU or not.
  2. By a controller or processors not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of the behavior of data subjects where the behavior takes place within the EU. 
  3. By a controller not established in the EU, but in a place where EU law applies by virtue of public international law.


Key Provisions

  • Controller v. processor – Unlike its predecessor, the Data Protection Directive, the GDPR extends the obligations for compliance to both controllers and processors; a controller being the party that determines the purpose and means of processing and a processor being the party that processes personal data on behalf of a controller.
  • Consent – Data controllers must obtain consent from a data subject to process their personal data, unless another basis for the lawful processing of such data applies. 
  • Rights of Data Subjects – The GDPR establishes 9 rights that data subjects have in relation to their personal data, which are the right to 1) be informed about the collection of their personal data, 2) withdraw consent to processing, 3) have access to their personal data, 4) have inaccurate or incomplete personal data rectified; 5) request the erasure of their personal data; 6) request the restriction or suppression of their personal data; 7) invoke data portability; 8) object to the processing of their personal data; and 9) lodge a complaint with the relevant data protection authority. 
  • Notification of Breach – Once a controller becomes aware of a data breach, that controller generally must notify the appropriate data protection authorities within 72 hours. 


What are the penalties for non-compliance?

The penalties for a violation of the provisions of the GDPR are up to the greater of €10 million or 2 percent of global revenues for less serious violations or the greater of €20 million or 4 percent of global revenues for more serious violations. 


This is a snapshot of the most prominent aspects of GDPR. The overall regulation is much more detailed and complex. However, we hope it helps explain why so many organizations have been adding consent requirements to their websites and why it’s important for all companies to comply with the new regulations. 


Article provided by Nicole Wiebold, associate attorney with Barna, Buzy & Steffen Ltd. in Coon Rapids, Minnesota.