Most international privacy laws \u2014 such as those in Brazil, South Africa, or China \u2014 only cover the jurisdiction of the country where they were drafted and passed. The General Data Protection Regulation, however, has covered the EU\u2019s 27 member countries and the three additional European Economic Area (EEA) countries of Iceland, Liechtenstein and Norway since it came into force in 2018.<\/p>\n
The General Data Protection Regulation (GDPR) is arguably the best known and most influential of the global privacy laws passed to date and continues to influence legislation. Other regulations passed in the EU since 2018 have also been designed to be enforced in conjunction with or defer to the GDPR\u2019s provisions.<\/p>\n
The GDPR was not the first international privacy law. Canada\u2019s Personal Information Protection and Electronic Documents Act (PIPEDA)<\/a> was passed in 2000, and South Africa\u2019s Protection of Personal Information Act (POPIA)<\/a> was passed in 2013. The world\u2019s first data protection legislation<\/a> was enacted in 1970 in the German state of Hesse.<\/p>\n\n\n The General Data Protection Regulation is a privacy law that requires organizations that offer goods and services to, or monitor the behavior of, individuals located in the EU\/EEA to uphold their privacy rights and safeguard personal data that has been collected or processed.<\/p>\n The GDPR replaced the 1995 Data Protection Directive<\/a>, which created data protection laws on a country by country basis, resulting in a less cohesive patchwork of regulations in Europe.<\/p>\n The regulation requires the implementation of seven principles of data protection and facilitates eight privacy rights for consumers. Member states have their own data protection authorities to handle enforcement; it is not handled by a central authority.<\/p>\n\n\n As noted in Art. 3<\/a>, the GDPR applies to organizations that process the personal data of \u201canyone in EU territory\u201d in the course of offering goods or services or monitoring behavior, regardless of whether or not there is payment. It doesn\u2019t matter if the company is headquartered in the EU or even has a physical presence there.<\/p>\n Further, Recital 25<\/a> outlines the applicability of the GDPR as a consequence of the applicability of international law:<\/p>\n \u201cWhere Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State\u2019s diplomatic mission or consular post.\u201d<\/em><\/p><\/blockquote>\n\n\n Art. 4 GDPR<\/a> has a full list of definitions of important terms used in the regulation. We\u2019ve included some of the most relevant and frequently used to help organizations and individuals understand key GDPR requirements and provisions.<\/p>\n Any information relating to \u201can identified or identifiable natural person\u201d who can be directly or indirectly identified using it is personal data. This can include obvious information like names, ID numbers, phone numbers, or email addresses, but also IP addresses, information collected via browser cookies, or sensitive personal details like gender, religious beliefs, or political affiliation.<\/p>\n Personally Identifiable Information (PII)<\/a>, is a term commonly used in the United States to refer to information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. There can be some differences, including in regulatory text, between what is categorized as personal data\/information and what is PII.<\/p>\n Any action performed on personal data or sets of personal data, whether automated or manual, is data processing. This can include, among other actions, \u201ccollection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction\u201d of the personal data.<\/p>\n The GDPR defines \u201cdata subject\u201d as a natural person whose personal data is being processed by a controller or processor.<\/p>\n For companies online, or businesses with a physical location that have an online presence, most commonly this would include visitors to a website, customers, or app users.<\/p>\n A data controller is the \u201cnatural or legal person, public authority, agency or other body which, alone or jointly with others,\u201d decides why and how personal data will be processed.<\/p>\n Most commonly this is a company or international organization. The controller also liaises with and directs the data processor, if that entity is a third party.<\/p>\n When two or more data controllers decide the purposes and means of data processing individually or jointly, they are joint controllers.<\/p>\n Art. 26 GDPR<\/a> provides detailed provisions for joint controllership<\/a> and requires joint controllers to have a recorded (contractual) arrangement between them. This agreement outlines respective roles and responsibilities, specifically regarding exercise of data subjects\u2019 rights and the joint controllers\u2019 duties to provide information under the GDPR.<\/p>\n Data subjects may exercise their rights against any or all controllers in a joint controllership arrangement.<\/p>\n A third party that processes personal data on behalf of a data controller is a data processor. This could include a wide variety of entities, including a natural or legal person, public authority, agency or other body.<\/p>\n Employees of a data controller acting within the scope of their employment duties are typically considered agents of the data controller, not data processors. Data processors can range from cloud-based server providers, to payment processors, , adtech or martech companies and more.<\/p>\n\n\n Art. 5 GDPR<\/a> lays out the principles of the GDPR<\/a> that organizations must uphold while processing users\u2019 personal data.<\/p>\n Organizations must have a lawful or legal basis for processing personal data, e.g. with user consent or the performance of a contract. They must manage data in a way that is not unduly detrimental, unexpected, or misleading, and must provide clear and accessible information about its data processing activities.<\/p>\n Personal data can only be collected for a specific, explicit, and legitimate purpose, and organizations cannot process it further in a manner incompatible with those purposes. If the purpose(s) for which a company has collected and processed personal data changes, they must obtain new user consent for the new processing purpose(s).<\/p>\n Organizations should only process the least amount of personal data that is necessary to achieve its processing purposes and should only share data with the fewest entities necessary to complete processing.<\/p>\n Personal data must be retained only for as long as organizations need it for processing purposes. After fulfilling these purposes, organizations are expected to return, delete, or anonymize the data to prevent unnecessary storage of personal information. Storage limitation also applies to third-party processors.<\/p>\n Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted without delay. The right to rectification is included among data subjects\u2019 rights.<\/p>\n Organizations must process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful access or processing and against accidental loss, destruction, or damage.<\/p>\n Organizations are responsible for complying with the GDPR and must be able to demonstrate compliance with all of these principles. Third-party processors have security and privacy compliance responsibilities as well, but ultimate responsibility belongs to the controller, so strong contracts and oversight are important.<\/p>\n\nWhat is the General Data Protection Regulation?<\/h2>\n\n\n
Extraterritoriality applications of the General Data Protection Regulation<\/h2>\n\n\n
Key definitions from the General Data Protection Regulation<\/h2>\n\n\n
GDPR definition of personal data<\/h3>\n
GDPR definition of data processing<\/h3>\n
GDPR definition of data subject<\/h3>\n
GDPR definition of data controller<\/h3>\n
GDPR definition of joint controller<\/h4>\n
GDPR definition of data processor<\/h3>\n
Seven principles for lawful processing of personal data under the GDPR<\/h2>\n\n\n
Lawfulness, fairness and transparency<\/h3>\n
Purpose limitation<\/h3>\n
Data minimization<\/h3>\n
Storage limitation<\/h3>\n
Accuracy<\/h3>\n
Integrity and confidentiality (security)<\/h3>\n
Accountability<\/h3>\n