Global Data Protection Regulation - European UnionEU Flag

Overview and Scope

The GDPR establishes rules for the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

The General Data Protection Regulation (GDPR) applies to the processing of personal data in the context of the activities of a controller or processor within the European Union (EU), as well as the processing of personal data of EU data subjects by a controller or processor not established in the EU, if the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behavior within the EU. The GDPR also applies to the processing of personal data by a controller not established in the EU, but in a place where EU member state law applies by virtue of public international law.

Does it require providing a privacy notice?

According to the GDPR, organizations must provide people with a privacy notice that is:

  • In a concise, transparent, intelligible, and easily accessible form
  • Written in clear and plain language, particularly for any information addressed specifically to a child
  • Delivered in a timely manner
  • Provided free of charge

The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party.

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:

  • The identity and contact details of the organization, its representative, and its Data Protection Officer
  • The purpose for the organization to process an individual’s personal data and its legal basis
  • The legitimate interests of the organization (or third party, where applicable)
  • Any recipient or categories of recipients of an individual’s data
  • The details regarding any transfer of personal data to a third country and the safeguards taken
  • The retention period or criteria used to determine the retention period of the data
  • The existence of each data subject’s rights
  • The right to withdraw consent at any time (where relevant)
  • The right to lodge a complaint with a supervisory authority
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
  • The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences

Nature of consent under the EU GDPR

The GDPR states that the processing of personal data is only lawful if the data subject has given their consent for the processing of their personal data for specific purposes. This consent must be freely given, specific, informed, and unambiguous, and must be indicated by a statement or clear affirmative action. The data controller must be able to demonstrate that the data subject has given their consent. Consent must be presented in a clear and easily accessible manner, using plain language, and must be distinguishable from other matters. Data subjects have the right to withdraw their consent at any time, although the withdrawal of consent will not affect the lawfulness of processing that was based on the consent before it was withdrawn.

What are the categories of sensitive personal data?

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Exceptions apply as per Article 9

What exemptions, if any, are there for academic research?

Research occupies a privileged position within the Regulation. Organizations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organizations also may override a data subject’s right to object to processing and to seek the erasure of personal data (Article 89).

Additionally, the GDPR may permit organizations to process personal data for research purposes without the data subject’s consent (Article 6(1)(f); Recitals 47, 157). In isolated cases, these organizations may be able to transfer personal data to third countries for research purposes, without any other transfer mechanism in place (Article 49(h); Recital 113).

The GDPR adopts a “broad” definition of research, encompassing the activities of public and private entities alike (Recital 159).

Does it require appointing representative in the EU?

Yes, the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.

How is it enforced?

Individual data protection authorities (DPAs) from the 27 EU member states enforce the GDPR. DPAs are independent of the government. They investigate complaints, provide advice on data protection issues and determine when the GDPR has been breached. They also have fining powers. 

DPAs are independent public authorities that supervise the application of the data protection law through investigative and corrective powers. They provide expert advice on data protection issues and handle complaints lodged against the General Data Protection Regulation violations and the relevant national laws. 

All DPAs work together as a group on the European Data Protection Board. The European Data Protection Supervisor leads the board. The EDPB aims to harmonize GDPR enforcement across the EU. The board is responsible for guiding member states on complicated topics or the application of the law. It also issues opinions to the European Commission when it considers data protection and privacy legislation or issues. 

What are the potential penalties?

Under the GDPR, controllers and processors may be held liable and face penalties, including the right to compensation for data subjects, for any infringements of the GDPR. Member States have the power to set additional penalties for infringements not subject to administrative fines, which must be effective, proportionate, and dissuasive. Depending on the severity of the breach, as determined by certain criteria outlined in Article 83(2) of the GDPR, infringements of certain provisions of the GDPR may be subject to administrative fines of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher), or up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher). These provisions include the obligations of controllers and processors related to data protection, as well as the obligations of certification bodies and monitoring bodies.