The GDPR stipulates that the processing of personal data must be treated with careful consideration. To attain compliance, organisations must value personal data and allow European citizens to control how their data is handled. More specifically, data subjects should be able to choose whether or not to provide detailed information and to withdraw consent at any given time. Withdrawing consent applies only to the future processing of personal data.
Processing means using personal data in any manner, such as collecting, storing, retrieving, consulting, disclosing, or sharing. Simply put, any activity that affects personal data represents processing. Personal data is central to the GDPR, and it refers to information about a living person, like name, date of birth, phone number, email address, location data, or physical characteristics.
Organisations would do best to protect all information they obtain, since some of it may be personal data under specific circumstances. They should have adequate technical and organisational measures in place, such as encryption, pseudonymisation, and tokenisation. Moreover, organisations controlling personal data must notify the supervisory authority about any data breaches without delay.
There are exceptions to the GDPR
The GDPR affects countless businesses and has far-reaching effects. Because the GDPR has such a broad area of application, there is some confusion about where it doesn’t apply. Just to be clear, there are exceptions to the law. More precisely, there are a small number of built-in exceptions to the obligation to comply.
The GDPR Doesn’t Apply If a Business Doesn’t Operate in the EU
An organisation that doesn’t operate in the EU doesn’t have to comply with the GDPR. The GDPR only applies to organisations that offer goods and services in the EU or keep track of the behaviour of people in the EU. If an EU citizen lives in the US and an organisation collects the data of such a person, the GDPR doesn’t pertain to them. The location of the data subject, not their citizenship, determines if the GDPR applies or not.
Attention must be paid to the fact that the GDPR protects anyone within the EU. For instance, an American living in France is protected per the GDPR requirements, meaning they have the same rights as an EU citizen. The GDPR applies to people and recognises their specific rights and freedoms. The GDPR covers anyone who’s based or visiting an EU country.
The GDPR Doesn’t Apply If Personal Data Is Processed for Domestic Purposes
The GDPR applies exclusively to organisations that are engaged in professional or commercial activity. If you’re collecting personal data to, say, invite family members to a private event, the GDPR doesn’t apply. Let’s take another example. If you’re collecting email addresses to raise funds for a business project, the data protection law doesn’t hold. Personal data that is processed in the course of domestic purposes (individual or household activity) is outside the scope of the GDPR.
The principles of data protection don’t apply to anonymous data, which can be used more freely. Anonymous data is understood as data that doesn’t relate to an identifiable natural person. Pseudonymised and encrypted data must be treated as personal data because additional information or a key exists that can be used to re-identify the data, so it’s not truly anonymous. It’s, therefore, still possible to identify the person to whom the information relates.
The GDPR Doesn’t Apply to The Processing of Unstructured Paper Records
More than half of the information stored by organisations is unstructured, which can pose legal and operational risks. Under the GDPR, there’s no difference between structured and unstructured electronic data as far as the regulation’s scope is concerned. Large data sets make it difficult, if not impossible, for an organisation to meet its obligations, and there are no excuses whatsoever for disregarding these obligations. Since the bulk of data is unstructured, it’s crucial to manage and analyse it to make business decisions.
The GDPR is technologically neutral. This means that an organisation that processes unstructured paper records isn’t required to comply with the GDPR. Essentially, unstructured records are loose documents on a printer or papers on a desk. Paper records are still needed in HR departments. Needless to say, paper records shouldn’t contain unnecessary personal data, they shouldn’t be kept for longer than necessary, and access to the data should be limited.
What Can an EU Citizen Do If Their Personal Data Rights Have Been Breached?
A security breach can result in accidental or illicit destruction, loss, alteration, or unauthorised disclosure of personal data. If you have reason to believe that the processing of your personal data has been carried out unlawfully, you have the right to lodge a complaint with your national Data Protection Authority. They’ll conduct an investigation to determine who was at fault for what happened. The DPA will most likely impose a fine upon their findings.
As highlighted by the specialists at Data Breach Claims, most GDPR breaches have legal consequences. If an organisation has fallen victim to a cybersecurity incident, it’s likely that it will be investigated by the national Data Protection Authority. Additionally, the victim can bring a claim for a data breach if they believe their rights have been violated. An organisation may be held liable for an unlawful data breach even if it wasn’t at fault and could do little to prevent such an occurrence.
Depending on the type of breach the person was subject to, they can claim substantial compensation. Damages they may be eligible for include but aren’t limited to the cost of replacing their debit/credit cards, out-of-pocket expenses, service fees for protecting and monitoring their personal information, and emotional harm. It’s possible to claim compensation for material damages and non-material damages.
As a last resort, an EU citizen can bring legal action against the national Data Protection Authority if it didn’t handle the complaint correctly. It may be liable for failing to fulfil its obligations. It’s necessary to file a lawsuit to get compensation.