GDPR Learning Hub

General Data Protection Regulation

Summary of the basics of GDPR

GDPR is an abbreviation of the EU General Data Protection Regulation. According to the GDPR, personal data is any data that can be linked, directly or indirectly, to an identifiable living natural person. A company that processes personal data of individuals within the EU/EEA is obliged to comply with the GDPR.

Examples of common types of personal data:

  • Identification data: First name, last name, social security number, passport number, profile picture.
  • Contact details: Email address, home address, phone number.

Sensitive personal data according to GDPR

The general rule in Article 9(1) of the GDPR prohibits the processing of special categories of personal data, also known as “sensitive personal data”. However, such processing may be allowed in some cases.

Please note that the requirements are higher when processing sensitive personal data and call, for example, for stronger security when transferring and storing it. A personal data breach involving sensitive personal data is more serious than one involving “ordinary” personal data. It is important to take this into account both in the risk assessment and when assessing whether the personal data breach must be notified to the national or otherwise responsible data protection authority.

Examples of Sensitive Personal Data

Sensitive personal data are data that reveal information about a person's:

  • Health
  • Ethnic origin
  • Political views
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Sexual life or sexual orientation

Penalty for processing sensitive personal data in violation of GDPR

A company was fined €230,000 for processing sensitive personal data in violation of the GDPR. The company had been storing health data of its staff for a very long time after the end of the employment relationship. In addition, the company had stored data on staff sick leave together with diagnostic data, some of which employees had even reported as incorrect. The company had also failed in its obligation to inform employees about the processing of these sensitive personal data. For these reasons, the company was ordered to change its behaviour. In addition to the fine, the company also received a reprimand.

Privacy-sensitive personal data

In addition to the sensitive personal data that requires a higher level of protection under the GDPR, there are other personal data that are important enough to need a higher level of protection as well. They are commonly referred to as “privacy-sensitive personal data”. Examples are bank account information, payment card information, information about a person’s social circumstances and information about violations of the law.

Deepen your understanding of personal data

The definition of personal data is more complex than the summary above suggests, especially when it comes to so-called direct and indirect personal data. Re-identification is also an important aspect that can lead to certain data being considered personal data under the GDPR, for example the registration number of a privately owned vehicle.

Principles of data protection to follow when processing personal data

There are seven (7) data protection principles that permeate the entire GDPR. Companies that are subject to the GDPR must comply with these principles in all their processing of personal data. Companies need to understand the principles, whether they are controllers or processors, as they form the core of the GDPR. In addition, a company should always take them into account when improving its data protection. Below is a brief summary of the seven (7) basic data protection principles regulated in Article 5 of the GDPR.

Data protection principle 1: Lawfulness, fairness and transparency

Lawfulness, fairness and transparency is a principle that is divided into three parts.

  • Lawfulness: Companies must have a legal basis to process personal data, for example “performance of a contract with the data subject” pursuant to Article 6(1)(b) of the GDPR.
  • Fairness: When the company processes personal data, the processing must be reasonable in relation to the purpose. The processing shall be reasonable, equitable, fair and proportionate. In short, this means that the processing must not be disproportionate to its benefits.
  • Transparency: Companies must provide information about the processing and be open about what they do with the personal data. In addition, they must provide information on the rights of data subjects, etc.

First decision of the European Data Protection Board on the lawfulness of the processing of personal data

The European Data Protection Board (EDPB) had to consider whether a large international company had a legal basis for the way it processed children’s personal data. It was the Irish DPA that requested a preliminary ruling from the EDPB, as several of the DPAs involved in the supervision did not agree with the decision of the Irish DPA. The fine imposed by the Irish Data Protection Authority following the preliminary ruling was EUR 405 million.

Data protection principle 2: Purpose limitation

Companies must always have a purpose for their processing of personal data, that is, an answer to why the personal data is being processed. In addition, the purpose must be explicit, specific and compatible with the legislation in force. Unclear purposes are usually not valid, and the same applies to purposes that are too broad, such as “improving the user experience”. Please note that the company must document the purpose of each individual processing operation.

Data protection principle 3: Data minimization

It is not allowed to process more personal data than necessary to achieve the purpose. Therefore, the company first needs to analyze what the purpose of the processing is, in order to know what personal data it is necessary to process to achieve that purpose. A company may not process personal data for future needs that it has not yet determined. In other words, the GDPR does not allow the processing of personal data “just because it may be good for the future”.

Data protection principle 4: Accuracy

Companies shall ensure that the personal data they process is accurate. In addition, the company shall keep the personal data up to date over time. If processed personal data is incorrect, the company must correct it or, alternatively, delete it. This shall be done without undue delay. Personal data that is incomplete shall also be corrected, by supplementing or deleting it. This becomes more important the more significant the personal data is. The consequences of processing incorrect personal data can in some cases be devastating, for example if a person receives a diagnosis but the doctor accidentally registers an incorrect diagnosis in the patient register.

Data protection principle 5: Storage limitation

It is not allowed to process personal data for longer than necessary for the purpose for which they were collected. In addition, companies shall determine a retention period for the personal data. However, in some cases a company may need to continue processing, even if it is no longer necessary for the purpose, if required by law or regulation. For example, companies often need to store their accounting records for a certain number of years under the National Accounting Act.

Companies that processed personal data for an indefinite period

One company had to pay a fine for not having set a retention period. In order to have their personal data deleted, customers had to delete their user account. If the customer did not do so, the company continued to process the customer’s personal data for an indefinite period of time. In addition, the Finnish data protection authority stated in the case that obliging people to create an account on the website in order to make a purchase was not compatible with the GDPR. Creating a user account in an online shop shall be voluntary; it must not be a mandatory requirement for making purchases.

Data protection principle 6: Integrity and confidentiality

Companies must protect the personal data they process by taking appropriate technical and organizational measures. The more important the personal data is, the higher the security requirements. Examples of technical security measures are encryption and backups. Examples of organizational security measures that companies can take are training of their employees and provision of written instructions.

Data protection principle 7: Accountability

Companies must be able to demonstrate that they comply with the GDPR. It is therefore not the data subject or the data protection authority that needs to prove the contrary. For example, companies can do this by:

  • Record of processing activities: Establish a register in which the company documents all processing of personal data, and any personal data breaches that have occurred.
  • Impact assessments: Carry out an impact assessment before a specific processing operation is started, in which the company, among other things, justifies and analyses the processing operation.
  • Guidelines: Draw up written instructions and guidelines for employees on how to work in accordance with the GDPR in practice, for example a routine on how to act in the event of a personal data breach.

Legal bases for lawful processing of personal data

Companies must have a legal basis to process personal data, and there are a total of six (6) legal bases in the GDPR. Unless the company has a legal basis, the processing is unlawful. Violation of the GDPR can lead to major financial consequences for the company. Below you can read a summary of the legal bases governed by Article 6 of the GDPR.

Legal basis 1: Consent

Consent means that a person accepts that the company processes their personal data for a specific purpose. To be valid, the consent must be active and freely given. In addition, it must be as easy to withdraw consent as it is to give it; if not, the consent is invalid. Please note that companies must also be able to demonstrate that they have obtained valid consent in the event of supervision. Therefore, it is best to have written and up-to-date consents.

Consent is a common legal basis for companies to use, but it is not always allowed or appropriate. For example, it is not appropriate where there is an unequal power relationship between the parties, such as between an employer and an employee. In such cases, a contract with the data subject (the employment contract) is usually used as the legal basis instead. Contrary to what some believe, there is also no general requirement to obtain consent in order to process personal data; any of the legal bases may apply.


Online platforms with “consent or pay” models do not always meet the requirements for valid consent according to the European Data Protection Board

The European Data Protection Board (EDPB) took a position on whether “consent or pay” models meet the requirements for valid consent under the GDPR. Under such a model, a company shows targeted behavioural advertising to data subjects who do not pay for the service. According to the EDPB, companies should offer a free alternative without targeted advertising.

Legal basis 2: Performance of a contract with the data subject

Companies may process personal data that is necessary for the conclusion or performance of a contract with the data subject. However, the company may not process more personal data than is necessary for the conclusion or performance of that contract. For example, if the company wants to process personal data to analyse customer behaviour, it needs another legal basis for that purpose, such as consent.

A practical example of where this legal basis is appropriate is an e-commerce business. In order to deliver the sold products to the customer’s home, the company needs to process certain personal data, such as the customer’s name and home address.

Legal basis 3: Legal obligation

Where a company has an obligation to process personal data under other legislation or regulation, the legal basis for the processing is “legal obligation”. For example, the company must keep receipts and other accounting information for a certain number of years in accordance with the National Accounting Act. The data subject must understand why the company needs to carry out the processing, so it is important to be clear when informing them.

Legal basis 4: Protection of vital interests

Processing of personal data on the legal basis “protection of vital interests” is not common practice for most companies. It may only be used when the processing is necessary to save lives. In addition, this legal basis may not be used if the data subject in question is conscious and can make their own decision, for example by giving consent.

In the emergency services, on the other hand, it is more common to rely on this legal basis. For example, a person may arrive at the hospital unconscious, having lost large amounts of blood, and the hospital needs to know the person’s blood group to save their life.

Legal basis 5: Exercise of official authority and tasks of public interest

The legal basis “exercise of official authority and tasks of public interest” means that it is allowed to process personal data as part of the exercise of official authority, or where the processing is carried out in the public interest. If the state entrusts an actor with a task that involves decisions concerning citizens, this is the appropriate legal basis for the processing. It is a legal basis that is primarily used by public authorities, but also by certain private actors, such as schools and healthcare providers.

There must be support in law, an administrative decision or similar in order to base a processing operation on tasks of public interest, for example when a school or hospital processes personal data.

Legal basis 6: Legitimate interest

Companies can carry out a balancing of interests before processing and conclude that they have a legitimate interest in the processing, in other words that their interest in the processing outweighs that of the data subjects. The processing must also be necessary in relation to its purpose. The balancing of interests shall be documented in writing. Here are two examples of when it is common to use “legitimate interest” as the legal basis:

Direct marketing

A company that performs direct marketing, such as sending advertising emails to data subjects, commonly relies on legitimate interest. Please note that the company must immediately cease processing the email address for this purpose if the data subject so requests.

Safety of employees

It may be necessary for an employer to process certain types of personal data to ensure the safety of employees, and the employer is considered to have a legitimate interest in doing so.

Rights of data subjects under the GDPR

Data subjects have several rights under the GDPR. Companies are responsible for ensuring that they are able to accommodate them, for example by establishing internal procedures so that employees know how to handle a request correctly.

Identification of data subjects when requesting a right

Companies need to be able to identify individuals who request to exercise a right under the GDPR. In this way, the company minimizes the risk of an unauthorized person gaining access to the personal data. If the company doubts the identity of the person making the request, it may ask for more information, for example if a person sends a request to have their personal data deleted from an email address other than the one registered in their user account with the company. Please note that it is not allowed to process more personal data than necessary and that the identification must be proportionate.

Time limits for dealing with data subjects’ requests to exercise a right under the GDPR

When a data subject requests to exercise a right under the GDPR, the company shall handle the request as soon as possible, and no later than one month after receipt. In some cases it is possible to extend the time limit by a further two months. In such cases, the company must be able to justify the decision and inform the data subject about it within the first month. For example, an extension may be justified if the company has received an unusually large number of requests and therefore cannot handle the case within a month.

Summary of the eight (8) fundamental rights that data subjects have under the GDPR

Right to be informed

Companies shall inform data subjects about the processing of their personal data. This should preferably be done at the time the company collects the personal data. In addition, the information shall be provided when requested by the data subject. The information shall be easy to understand and free of charge. There are also other occasions when companies need to inform data subjects about the processing, for example in certain types of personal data breaches or if the processing changes.

Right of access

If a data subject wants to know whether a company is processing personal data about them, they can contact the company. In such cases, the company shall provide information about the processing, such as what personal data it processes, the purpose, the storage period and where the data was collected from. In addition, the company shall provide a copy of the personal data being processed. Please note that there are exceptions to the right of access: in some cases, companies may refuse a request for access, for example if granting it would put other data subjects at a disadvantage.

Right to rectification

If a data subject believes that personal data about them that a company processes is incorrect or incomplete, they can ask the company to correct it. The correction shall be made without undue delay. The company shall also inform the recipients of the personal data concerned of the rectification, where this is possible and not too burdensome for the company. In addition, the data subject has the right to be informed of who those recipients are.

Right to erasure (also known as “the right to be forgotten”)

Companies shall delete personal data when it is no longer necessary for the purpose for which it was collected. In addition, they need to delete personal data at the request of a data subject. However, there are exceptions. For example, a company may have a legal obligation to process certain personal data under other legislation; in such cases, it shall not delete the personal data, even if the data subject so requests. If the company deletes personal data following a request by the data subject, it shall inform the recipients of the personal data concerned of the deletion, where this is possible and not too burdensome for the company. In addition, the data subject has the right to be informed of who those recipients are.

Right to limitation

In some cases, data subjects have the right to have the processing of their personal data limited, for example if a person informs a company that the personal data is incorrect and wants the processing limited until the company has investigated whether the data is correct or not. When the limitation is lifted, the company shall inform the data subject.

Right to data portability

In some cases, a data subject has the right to have their personal data transferred to another controller, for example if the person creates an account on a social media service and wants to use the same data to create an account on another similar service. Companies shall facilitate the transfer of personal data. However, the right to data portability only applies if the legal basis for the processing is consent or performance of a contract with the data subject, and only where the transfer is technically feasible.

Right to object

If a company processes personal data on the legal basis “legitimate interest”, data subjects have the right to object to the processing. The same applies if the purpose is to perform a task in the public interest or to exercise official authority. The company may continue the processing only if, after carrying out a new balancing of interests, it concludes that its interest still outweighs that of the data subject. Please note that the company must be able to justify the decision.

Automated decisions

If an automated decision can have serious consequences for a data subject, such as legal effects, the person has the right not to be subject to such a decision. For example, a person may apply for a job and be rejected without any personal contact, because the decision was made by an automated e-recruitment system.


A company provided incorrect information that personal data had been deleted at the request of a data subject

In addition to not having deleted personal data upon request without undue delay, the company in this case also gave incorrect information that it had actually deleted the data. The company said that it had not understood that the message was a request to delete personal data, but the Swedish data protection authority thought otherwise. The authority considered the request to be clear and concluded that the company had therefore not fulfilled its obligations under the GDPR. The consequence for the company was a reprimand.


A company did not comply with the requirement of transparency regarding data portability

The Swedish data protection authority found that a company had violated several rules of the GDPR, among other things by providing inadequate information about the rights of data subjects. One of those rights was the right to data portability. The company received a fine of SEK 7.5 million for its infringements of the GDPR.


Companies that did not respect the rights of data subjects

A company had to pay a fine of around EUR 900 000 for, among other things, failing to comply with the rights of data subjects. It had also not applied the same legal basis in practice as the one it had informed the data subjects about.

Penalties and other consequences for breaching the GDPR

If a company does not comply with the GDPR, it can face major financial consequences. In the worst case, it may have to pay penalties of millions of euros. The maximum sanction for serious infringements is EUR 20 million or 4% of annual turnover, whichever is higher. Some companies have had to pay fines of several hundred million euros.

Please note that data subjects do not receive any part of the fine, as it is paid to the state. On the other hand, data subjects can claim damages in certain cases, but they must then bring the action separately in their own legal proceedings. In other words, this is not something that the supervisory data protection authority claims on the data subject’s behalf in court.

The European Court of Justice has taken a position on liability for personal data breaches that could lead to future misuse of personal data. It noted that data subjects may be entitled to damages where they have a justified fear of future misuse of their personal data.

Other data protection principles

Measures that companies may need to take under the GDPR

The GDPR requires companies, among other things, to be able to show that they comply with the GDPR, to accommodate the rights of data subjects and to protect the personal data they process. The more important the personal data is, the higher the security requirements. Examples of measures include drawing up the necessary GDPR-related agreements and documents, for example a privacy notice, and documenting the impact assessments carried out. Please note that the financial consequences for companies that violate the GDPR can be devastating.
