EU General Data Protection Regulation – Part I

Former Guest Kat Valentina Torelli has taken a close look at the new General Data Protection Regulation. In this post and a future one, she will share her insights on what to expect and what is notable in the new Regulation.

"Regulation EU 2016/679, the General Data Protection Regulation (GDPR), was published in the Official Journal of the European Union on 4 May
2016. Although the Regulation entered into force on 25 May 2016, all companies, public authorities and natural persons (other than activities of a purely personal or household nature), which are engaged in processing personal data in the EU, will have until 2018 to review and adapt their processing activities to comply with the GDPR. Thus, on 25 May 2018, the Regulation will formally repeal the previous Directive 95/46/EC on Personal Data Protection (i.e. Data Protection Directive).

The GDPR seeks to afford technologically neutral protection, by addressing legal aspects of the processing and free movement of personal data in light of the technological developments of the past 20 years. The review of the personal data protection system that led to the GDPR derived from the central role that the Internet plays in personal and business life and the concerns of individuals about unlawful intrusions by both companies and public authorities into their personal data (e.g., see the CJEU's judgement in case C-362/14, Maximillian Schrems v Data Protection Commissioner, invalidating of the EU-US Safe Harbor).

The main changes embodied in the GDPR can be summarized as follows:
1. A new (territorial) scope of protection.

2. New types of personal data, such as genetic, biometric and so-called pseudonomized data, are recognized.

3. Establishment of a basis for the lawful processing of personal data processing, including provisions for obtaining the data subject's consent.

4. New rights for individuals, namely the right to be forgotten, the right to restriction of processing and the right to data portability.

5. A special regulation on individual automated decision-making and profiling.

6. Accountability obligations not only for controllers but also for processors with respect to data protection by design, data protection by default, records of processing activities, security of processing, data protection impact assessment and designation of the data protection officer.

7. Revised international data transfers.

8. A cooperation mechanism for the various national protection authorities.

9. A new liability scheme with respect to remedies and penalties in the event of a violation of the GDPR. In this present post and another post to follow, we will elaborate on some of these changes.
Unlike the Personal Data Directive, the GDPR applies to the jurisdiction both where either the controller or the processor is established in the EU, irrespective of where the data processing is carried out, as well as where the controller is a non-EU organization but has an establishment in a jurisdiction where Member State law applies. Notably, the GDPR also applies where the data subject is in the EU and the data processing falls within a controller's or processor's non-EU activities (e.g., the offering of goods and services to individuals in the EU or the monitoring of an individual's behaviors within the EU). Therefore, since the GDPR also focuses on an individual's place of residence, the applicability of the GDPR will require an assessment on whether an EU resident is targeted by the processing activities.

Looking at the 'definitions' applicable to GDPR, it is apparent that the introduction of pseudonomized personal data blurs the dichotomy between personal data and anonymized personal data. Pseudonomyzation allows for reducing the linkability of personal data with the data subject, and it is accordingly a useful security measure placed half-way between information related to an identified, either directly or indirectly identifiable individual (personal data), and information whereby an individual can no longer be identified (anonymized personal data) [see Recital 26 of GDPR and WP216 - Opinion 05/2014 on Anonymization Techniques]. Pseudonymization also falls within the technical and organizational measures that are designed to comply with the principles set out in the GDPR, given that controllers are now required to implement privacy by design.

Until now, the EU National Data Protection Authorities (DPAs) had taken different views of the conditions wherein personal data are considered to have become pseudonymous or anonymous, giving rise to inconsistencies between jurisdictions. For example, instead of focusing on the qualification of information as personal data, the UK and Swedish DPAs have followed a risk-based approach aimed at assessing the risk of identification and related harm to the data subject (see the UK Information Commissioner's Officer's 'Anonymization: managing data protection risk code of practice’; the Swedish Data Protection Authority's guidelines on cloud services). Also, the GDPR has included, among special categories of data, health, biometric and genetic data, whose processing on a large scale will require the data protection impact assessment to establish the risks connected with the data processing.

Controllers are now subject to the obligation to identify the risk to the rights and freedoms of individuals associated with their data processing, especially where new technologies are deployed, by carrying out a Data Protection Impact Assessment (DPIA). This process is aimed at allowing controllers to comply with their accountability obligations by performing personal data processing according to the GDPR. It is important to highlight that the GDPR now also imposes obligations on processors, which are requested to help controllers fulfill their own obligations under the GDPR. For example, processors will have to assist the controller to comply with an individual’s request for the exercise of its rights and with the obligation to notify data breaches to the DPAs, to implement adequate security measures and to ensure that if processors appoint sub-processors, the obligations included in the corresponding agreement mirror those passed on to the processor by contract with the controller.

In this regard, the controller-processor contract will now have to detail the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. This contract will serve to detail how the processor will carry out the data processing on behalf of the controller, who will be accountable for the processor's activities in accordance with the GDRP. The processor's new obligations under the GDPR have not been warmly welcomed by all, with some considering it too burdensome when applied to a commoditized service, such as cloud infrastructure services (for any interesting perspective on how the GDPR affects cloud computing, see Kuan Hon's 'GDPR: Killing cloud quickly?').

All the foregoing has led to the introduction of a new liability scheme through which processors may be jointly and severally liable with controllers, unless an exclusion applies. Likewise, both controllers and processors will be subject to administrative fines under the GDPR, up to a maximum of 20 million euros or 4% of the total worldwide turnover, whichever is higher."
EU General Data Protection Regulation – Part I EU General Data Protection Regulation – Part I Reviewed by Neil Wilkof on Friday, September 02, 2016 Rating: 5


  1. The EU data protection Regulation does not apply everywhere in Europe. For example, the European Patent Organisation (EPO) has its own data protection Regulation.

    The document “BREACHES OF BASIC AND FUNDAMENTAL RIGHTS AT THE EPO” by Bretton Woods Law (Specialists in Public International Law) explains (from page 17 to 23) why the EPO data protection regulation fails to meet the standards of both EU data protection law and the national data protection laws of the Contracting States.

    Summary of deficiencies in the current EPO data protection framework:

    - Fundamental rights: The reference to the respect of fundamental rights had been removed from the EPO data protection regulation (page 18).

    - Lack of independent oversight: At the EPO there is no independent supervisory authority. The EPO president supervises himself the data processing he has implemented. (page 21)

    - Change of purpose: The EPO data protection regulation allows the EPO President unilaterally to decide that data may be processed for purposes other than those for which they have been collected.(page 21)

    - Transmission to recipients outside the European Patent Organisation: The EPO President may authorise a transfer or a set of transfers of personal data to a third country or international organisation which does not ensure an adequate level of protection.(page 21)

    - Lack of any effective means of redress in circumstances where the rights of data subjects are infringed (see pages 22 and 23 - the intervention by the German data protection authorities).

    A wide range of personal data from both patent applicants and EPO staff are processed at the EPO. The situation at the EPO falls far below the standards expected and the rights enjoyed by citizens in the rest of Europe.

  2. @ OV. Thanks for the document.

    A patent is worth a lot of money.
    Personal data are the bibliographic data, payment method, communication with the EPO but also the application (claims/description).

    It is incredible that the patent processing at the EPO is not in compliance with EU standards for data protection.

  3. @Anonymous: usual problem: the EPO is not part of the EU...


All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here:

Powered by Blogger.