Data Protection Archives | Pitman (https://www.rjpitman.com/category/data-protection/)

Complying with GDPR: Lawful processing of personal data
Published Wed, 04 Apr 2018. https://www.rjpitman.com/general-data-protection-regulation-lawful-processing-of-personal-data/

The General Data Protection Regulation (the “GDPR”) comes into effect on 25 May 2018. As mentioned previously (General Data Protection Regulation – Does it apply to you?), the GDPR has wide application, including to establishments outside the European Union that process personal data in connection with offering goods or services within the EU. To achieve compliance, any party to whom the GDPR applies will need to be able to show that any personal data is processed lawfully as stated by the GDPR.

The GDPR defines personal data as

“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier …”.

Processing is defined as

“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Any party controlling or processing personal data as defined above will need to be able to show positively that the processing is lawful. Article 6.1 of the GDPR states:

Processing shall be lawful only if and to the extent that at least one of the following applies:

  (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Where processing is based on the consent of the data subject (see (a) above), the controller should be able to demonstrate that the data subject has given consent to the processing operation¹. It is clear that consent needs to be positive: silence, pre-ticked boxes or inactivity would not constitute consent.
Under the GDPR:

  • For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
  • The data subject should have the right to withdraw his or her consent at any time². Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
  • Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations.³
  • Consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Comment

Any party to whom the GDPR applies is recommended to review what personal data it might control or process and to establish what grounds listed in Article 6.1 above would apply to make any such processing lawful.

If consent of the data subject is to be relied upon, then such consent should be recorded. Consent given in the past may not satisfy the requirements of the GDPR and, if in doubt, should be refreshed by obtaining further consent from the data subject.


¹ GDPR Recital 42

² GDPR Article 7(3)

³ GDPR Recital 43

General Data Protection Regulation: Does it apply to you?
Published Tue, 27 Feb 2018. https://www.rjpitman.com/general-data-protection-regulation-does-it-apply-to-you/

On May 25, 2018 the existing European Union Data Protection Directive (95/46/EC) will be replaced by the General Data Protection Regulation (“GDPR”). The new GDPR will apply not only to businesses established within the European Union but also to businesses outside the EU that process the personal data of persons within the EU. The latter application significantly extends the potential ambit of EU data protection law.

How will it apply? The territorial jurisdiction of the GDPR is set out in Article 3.

Article 3(1) – Establishments within the EU

This applies to the activities of establishments located within the EU and as such effectively continues where the earlier Directive left off.

Article 3(1) states:

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

It might be noted in passing that the words “…in the Union” could (at least in English) be read as applying to the location of the activities as well as to the location of the establishment itself.
Unlike the earlier Directive, this Article applies to establishments that are data controllers or data processors.

Any presence within the EU risks being treated as an establishment for the purposes of this Article. In an earlier case¹, the presence of a single representative has been considered as an establishment.

It should also be noted that the application of Article 3(1) is not affected if the actual processing of data takes place outside the EU.

Article 3(2) – Establishments outside the EU

This Article potentially applies the GDPR to establishments outside the EU that process personal data of persons within the EU.

Article 3(2) states:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.”

This Article applies to the processing of the personal data of data subjects who are within the EU. Note that in the absence of qualification (e.g. by reference to citizenship or residence) this could extend to any data subjects within the EU including tourists or temporary visitors.

What is offering goods and services?

The GDPR offers some guidance in its Recital 23 (a recital is a preamble paragraph), which states that, whilst the mere accessibility of a website or of other contact details is insufficient to ascertain an intention to offer goods or services to data subjects in the EU:

“… factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

A non-EU party with a website with content apparently directed at consumers within the EU may thus be considered as being within the scope of the GDPR.

What is the monitoring of the behaviour of data subjects?

The GDPR offers some guidance in its Recital 24 which states that in order to determine whether a processing activity can be considered as monitoring the behaviour of data subjects, it should be ascertained:

“… whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

Comment

Potentially the GDPR could have a very wide application outside the EU. Any non-EU establishment that processes the personal data of persons who are in the EU – even persons present on a temporary basis – may be subject to the GDPR. Establishments in this situation should be alert to this risk and are recommended to give consideration as to whether their activities could be considered offering goods or services or monitoring behaviour as detailed in the GDPR.


¹ Weltimmo Case C-230/14
