
General Data Protection Regulation (GDPR)

April 04, 2022 waterandshark

The General Data Protection Regulation (“GDPR” or “Regulation”) is the privacy and security law of the European Union (“EU”). The European Parliament passed the GDPR and it came into force in 2016; as of May 25, 2018, all organisations that target or collect data relating to people in the EU have been required to comply with it. A key objective of the Regulation is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. The Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

Scope-

As per Article 2 of GDPR, the Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

The Regulation applies if the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller), or the data subject (the person) is based in the EU. It also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The Regulation does not, however, apply to the processing of data by a person for a purely personal or household activity.

Key terms and definitions-

Data subject-

The person whose data is processed.

Data controller-

The person who decides why and how personal data will be processed.

Data processor-

A third party that processes personal data on behalf of a data controller.

Personal data-

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing-

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Key principles of GDPR-

Article 5 of the Regulation sets out the principles relating to the processing of personal data, for which the controller is accountable. They are:
  • Lawfulness, fairness and transparency-

    Processing must be done lawfully, fairly and in a transparent manner in relation to the data subject;

  • Purpose limitation-

    Personal data ought to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  • Data Minimisation-

    Only personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed may be collected;

  • Accuracy-

    The personal data must be kept accurate and up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  • Storage Limitation-

    Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

  • Integrity and Confidentiality-

    Personal data must be processed in a manner that ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The data controller shall be responsible for, and be able to demonstrate, compliance with the principles stated above.

Article 6 of the Regulation states that for the processing of data to be lawful, at least one of the following must apply:
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Articles 15-22 of the Regulation set out the various rights of the data subject. They are as follows-
  • Right of access (Article 15)- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where they are being processed, access to the personal data and other information such as the purposes of the processing, the source of the data, the period for which the personal data will be stored, etc.
  • Right to Rectification (Article 16)- The data subject shall have the right to obtain from the controller, the rectification of inaccurate personal data concerning him or her.
  • Right to erasure (Article 17)- The data subject shall have the right to obtain from the controller the erasure of personal data in certain circumstances, such as when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or when the personal data have been unlawfully processed.
  • Right to restriction of processing (Article 18)- The data subject shall have the right to obtain from the controller restriction of processing in certain circumstances, such as when the accuracy of the personal data is contested by the data subject, or when the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19)- The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with the aforesaid Articles to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
  • Right to data portability (Article 20)- The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
  • Right to object (Article 21)- The data subject shall have the right to object at any time to the processing of personal data concerning him or her. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims.
  • Automated individual decision-making, including profiling (Article 22)- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Remedies, liabilities and penalties-

Articles 77-84 of the Regulation provide for remedies, liabilities and penalties. For any alleged infringement, the data subject shall have the right to lodge a complaint with a supervisory authority in the state of his or her residence, in the state where the data subject works, or in the state where the alleged infringement has taken place.

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Further, fines may also be imposed on the controller or processor. The quantum of the fine depends on the severity of the infringement. Less severe infringements can result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious infringements can result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Considering the scope of the Regulation, and keeping in mind the quantum of fines that may be levied for the infringement of GDPR provisions, it is imperative that Indian entities that process personal data of persons in the EU put in place appropriate mechanisms for complying with the Regulation.
