GDPR – The Regulation
The General Data Protection Regulation (GDPR) is a new European Union regulation on the protection of personal data. It provides for more sophisticated protection measures in company systems, more nuanced data protection agreements, a more consumer-friendly approach and more transparency on companies’ personal data protection practices.
The GDPR replaces the current EU data protection regulatory framework, which was established in 1995 (and is commonly known as the “Data Protection Directive”). The Data Protection Directive has been incorporated into the domestic law of EU Member States, which has led to a problem of consistency between the data protection laws of different EU Member States. As the GDPR is a European regulation with direct legal effects in all Member States, it is not necessary to transpose it into the national law of the EU Member States in order for it to be legally binding. This therefore helps to strengthen the coherence and smooth application of regulations within the EU.
The GDPR also applies outside the European Union
Unlike the Data Protection Directive, the GDPR applies to all companies operating worldwide, not just those domiciled in Europe. A company may fall within the scope of the GDPR if (i) it is domiciled in the EU, or (ii) it is not domiciled in the EU but processes data relating to the supply of goods and services to nationals of EU Member States or to the analysis of their behaviour.
The processing of personal data is an extended concept within the framework of the GDPR
The GDPR regulates how companies may process the personal data of EU Member State nationals. “Personal data” and “processing” are terms frequently used in legislation, and a clear understanding of their meaning in the context of the GDPR is essential to an understanding of the scope of this Regulation:
- Personal data is information concerning an identified or identifiable individual. This is a very broad concept, as it includes any information that can be used on its own or in combination with other information to identify a person. Personal data does not only include a person’s name or e-mail address. It also includes other information such as financial information and, in some cases, an IP address. In addition, certain categories of personal data are subject to a higher level of protection because of their sensitive nature. These categories of data are information on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of trade unions, genetic or biometric data, medical history, sex life or sexual orientation and criminal record.
- The processing of personal data is the main activity that triggers the obligations imposed by the GDPR. Processing refers to any operation or set of operations carried out on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, matching or combination, limitation, erasure or destruction. In practice, this means that any process allowing the storage or consultation of personal data is considered as processing.