GDPR
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that took effect on 25 May 2018. It grants individuals extensive rights over their personal data, imposes strict obligations on organisations that process personal data, and applies to any entity worldwide that offers goods or services to, or monitors the behaviour of, individuals in the EU. Maximum penalties reach 4% of global annual turnover or 20 million euros.
Overview
What is the GDPR?
The General Data Protection Regulation (EU 2016/679) is the European Union's cornerstone data protection legislation, replacing the 1995 Data Protection Directive. It harmonises data privacy laws across all EU member states and extends protections to any organisation worldwide that processes the personal data of individuals located in the EU. The regulation is enforced by Data Protection Authorities (DPAs) in each member state, with supervisory authority coordination handled by the European Data Protection Board (EDPB).
What are the 6 lawful bases for processing under GDPR?
Article 6 requires that every processing activity has a valid lawful basis. Organisations must identify and document the appropriate basis before processing begins:
- Consent: The data subject has given clear, specific, informed, and unambiguous consent. It must be freely given and as easy to withdraw as it was to give.
- Contract: Processing is necessary for the performance of a contract with the data subject or to take pre-contractual steps at their request.
- Legal Obligation: Processing is necessary to comply with a legal obligation to which the controller is subject (e.g., tax reporting, employment law).
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person. Rarely applicable; typically limited to medical emergencies.
- Public Task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate Interests: Processing is necessary for legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the rights of the data subject. Requires a Legitimate Interests Assessment (LIA).
What rights do data subjects have under GDPR?
The GDPR grants individuals eight core rights that organisations must be prepared to fulfil within specific timeframes (generally one month):
- Right of Access (Article 15): Individuals can request a copy of all personal data held about them
- Right to Rectification (Article 16): Inaccurate personal data must be corrected without undue delay
- Right to Erasure (Article 17): Also known as the 'right to be forgotten'; data must be deleted when no longer necessary
- Right to Restrict Processing (Article 18): Individuals can request that processing is limited in certain circumstances
- Right to Data Portability (Article 20): Individuals can receive their data in a structured, machine-readable format
- Right to Object (Article 21): Individuals can object to processing based on legitimate interests or direct marketing
- Rights Related to Automated Decision-Making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing
- Right to be Informed (Articles 13 and 14): Organisations must provide clear privacy notices at the point of data collection
What are the GDPR breach notification requirements?
Under Articles 33 and 34, organisations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk, affected individuals must also be notified without undue delay. Organisations must maintain a breach register documenting all breaches regardless of whether notification to the authority was required.
Key Controls
| ID | Control |
|---|---|
| Art. 5 | Principles of Processing |
| Art. 6 | Lawful Basis for Processing |
| Art. 13-14 | Information to Data Subjects |
| Art. 25 | Data Protection by Design and Default |
| Art. 28 | Processor Requirements |
| Art. 32 | Security of Processing |
| Art. 33 | Breach Notification to Authority |
| Art. 35 | Data Protection Impact Assessment |