Adopted on April 27, 2016, this ambitious and future oriented Regulation will be directly applicable in each of the European Union Member State as of May 25, 2018.

It contains 99 articles and is structured in ten large chapters, which include general provisions, applicable principles, the rights of the data subject, the question of the controller and the processor, the issues of transfer of personal data to third countries or international organizations, the independent supervisory authorities, the cooperation and coherence rules, the ways of appeal, the liabilities and penalties, the provisions regarding specific data-processing situations, delegated and implementing acts, and lastly, final provisions.

This article presents the summarized essence of this Regulation, as it is described in the introductory part of the document which precedes the articles themselves. To complete, reference to the full regulation is made.

The objective of this Regulation is to strengthen the rights of individuals regarding data protection and to facilitate the free flow of personal data in a single digital market, in particular by decreasing the administrative burdens.

Its foundation is based on the compliance with all the fundamental rights and principles documented in the Charter of Fundamental Rights of the European Union, recognized in the Treaties, and in particular the respect for private and family life, the right for residence and communications, the right to the protection of personal data, the right to freedom of thought, conscience and religion, the right to freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial, as well as respecting the cultural, religious and linguistic diversity.

The Regulation starts from a finding: the technological developments and globalization “require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market”. It is stated that the individuals should have control over their own personal data, and the legal and concrete security of individuals, economic operators and public authorities should be strengthened.

For its application, the Regulation allows Member States a maneuver margin in specifying its procedures, also in regard with the processing of sensitive data. The effective protection of the personal data in the whole Union requires not only the consolidation and the establishment in detail of the rights of the data subject and the obligations of those who process and decide the processing of personal data, but also the equivalent competent authorities for monitoring and compliance ensuring with the rules for the protection of personal data and equivalent sanctions for such offenses in the Member States.

Adopted on April 27, 2016, this ambitious and future oriented Regulation will be directly applicable in each of the European Union Member State as of May 25, 2018.

The Regulation should ensure an identical protection standard for the individuals throughout the territory of the Union. There may be some exceptions for micro- enterprises and SMEs.

The field of application is also established. Thus, the Regulation will be applicable:

  • to natural persons, whatever their nationality or residence, with regard to the processing of their personal data;
  • regardless of the technology used;
  • to the processing of personal data by automated means, as well as manual processing, in if the personal data are contained or intended to be contained in a filing system;
  • in the case of personal data processing by a state agency, the Regulation 45/2001 is applicable, to which necessary amendments should be made;
  • it will not be applicable to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity, but will be applicable to controllers or processors which provide the means for processing personal data for such personal or household activities;
  • it will not be applicable to the processing of personal data by the competent authorities for the purposes the prevention, investigation, detection or prosecution of criminal offenses or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, which is the subject of a specific Union legal act;
  • to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements.
  • to the processing of personal data, of data subjects who are in the Union by a controller or a processor not established in the Union, where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment;
  • to the processing of personal data when it is related to the monitoring of the behavior of such data subjects so far as their behavior takes place within the Union;
  • to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post, where Member State law applies by virtue of public international law;
  • to any information concerning an identified or identifiable natural person, including personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, by the means reasonably likely to be used, either by the controller or by another person to identify the natural person, but not to anonymous information, including for statistical or research purposes. Pseudonymisation is encouraged.
  • to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Then the definitions and specific characteristics are described. Consent should have the following characteristics:

  • should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her (such statement should be proved); the “opt in” concept is promoted, as opposed to the “opt out”;
  • for consent to be informed, the data subject should be aware at least of the identity of the controller or the processor and the purposes of the processing for which the personal data are intended;
  • consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. No clear imbalance between the data subject and the controller should exist (as a matter of fact, also between a person and a public authority);
  • data subjects should be allowed to give their consent to the extent allowed by the intended purpose, except from data processing for scientific research, in which case, their consent only to certain areas of research or parts of research projects will suffice.

Personal data concerning health is also defined as “all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test”.

The principles are then detailed:

  • any processing of personal data should be lawful and fair;
  • it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The information can be easily accessible and easy to understand, and clear and plain language is used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing; the rights in relation to the processing of personal data, as well as the risks and rules
  • and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
  • the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. Data processing for another purpose is admissible if compatible with the purpose for which the personal data are initially collected (i.e. archiving);
  • the personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The period for which the personal data are stored is limited to a strict minimum; time limits should be established by the controller. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
  • personal data which are inaccurate are rectified or deleted;
  • personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing;

It can be easily seen that, by this Regulation, several rights are being reinforced: the right of access of the data subject, including the “right to be forgotten”, the determination that the data subject can regain possession of personal data, the responsibilities of the controller and the processor, the role of the data protection officer and that of the supervisory authorities and the penalties applicable to the offenders. dvanced&lang=fr&andText0=R%C3%88GLEMENT%20(UE)%202016/679&SUBDOM_INIT=LEGISLATION&DTS_ SUBDOM=LEGISLATION
Infographic of the European Union © European Union

Isabelle Dubois | Expert on data protection, member of the CLUSIS Committee

Other Magazines