Professional Documents
Culture Documents
The Complete Guide To GDPR PDF
The Complete Guide To GDPR PDF
The Complete Guide To GDPR PDF
Complete
GDPR
Guide
2019 Edition
www.truevault.com
Table of Contents
Table of Contents 2
Introduction 3
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 19
Glossary 57
2
Introduction
Introduction
In May 2018, the European Union passed the This e-book will cover several key topics:
General Data Protection Regulation (GDPR), and
it’s not a breezy beach read, to say the least. We 1. What is GDPR?
know first-hand. When we started reading the 2. What types of organizations does GDPR apply
legislation we couldn’t help but wish there was a to?
GDPR cliff notes. A resource that condensed the 3. What does GDPR compliance look like?
extraneous details, translated the legalese and 4. How can my business comply with the law?
simply answered one key question: What does 5. What happens if we don’t comply?
GDPR mean for my business?
If you have more questions about compliance
After a careful read (and a few rereads) we ex- after reading our e-book, then don’t hesitate to
tracted the essence of the Regulation and sum- reach out to our team at GDPR@truevault.com
marized it into a user-friendly format. So, if you’re and say: I loved the e-book, now help me do it.
thinking about the business impacts of GDPR and
want some guidance on the Regulation and have
questions about compliance, then you’re reading
the right book.
Introduction 3
About the Author
About TrueVault
TrueVault is the first data security company This book was a labor of love and could not have
completely focused on protecting personal been done without the heavy lifting of Peter
data. The company helps businesses manage Orr with assistance from Sara Kassabian and
compliance risk by giving them unprecedented the TrueVault team. If you enjoy this book and
insight into, and control over the personal data stumble across their path — a high five would be
they are storing. appreciated.
As organizations collect and store more data Learn more about TrueVault at www.truevault.
to drive their businesses forward, they are also com or follow us on Twitter @TrueVault.
increasing their risk and liability. TrueVault can
remove that liability and ensures compliance
with regulations such as HIPAA, GDPR, and the
California Consumer Privacy Act (CCPA) while
also simplifying tedious tasks like fulfilling Data
Subject Requests.
What is GDPR?
What is Although created by the EU, GDPR applies to any
GDPR?
organization (or person) with a European pres-
ence, or which deals with the personal data of
data subjects within the EU (Article 3). It applies
to organizations which act as data controllers
and/or data processors:
If a data breach does occur, data processors only be sent outside of the EU under certain cir-
are required to notify data controllers, and data cumstances, to ensure that it remains safe (Arti-
In certain circumstances, data controllers and If you are concerned about GDPR and want to
processors must appoint data protection officers know what we can do to help you stay compliant,
to advise on GDPR and other data protection re- please get in touch.
Do I Need To Be GDPR
Compliant?
Do I Need Data controllers decide the
To Be GDPR
purposes and methods of
processing personal data – they
Compliant?
coordinate processing.
are within its scope. GDPR was created by the European Union
To start with, GDPR applies to people and According to Article 3, you will be affected if you
organizations which act as data controllers and are a data controller or data processor and any of
This will covers any organization which keeps • You are established in the EU (or
Establishment in the European Union If you control or process data relating to people
in the EU, in the context of offering them goods
If you are established in the EU, then all and services, then this will be covered by GDPR.
processing related to that establishment is This is true even if the goods and services are
covered, even if it takes place elsewhere. offered for free.
Being established is a broad concept in EU law. Note the word offering: it appears that this will
It could apply to you if you have (for example) a only apply where there is some element of
branch, representative, address or bank account targeting your goods at EU countries. Targeting
is likely to include providing a version of your
website in a local language (which is not your
SIDE NOTE
own country’s language), allowing purchases in
If you are covered by GDPR but the local currency, or mentioning EU customers
you are not established in the or countries on the website. It is possible that
EU, you will need to designate merely delivering to EU countries will be enough
If you are not established in the EU, but a small purely personal or household activities
proportion of your revenue comes from people (such as keeping an address book).
Penalties for
GDPR is enforced by supervisory authorities,
Breaching
within the EU (for example, the Information
GDPR?
organization processes the data of data subjects
main establishment:
As previously explained, GDPR is a new law
• Your main establishment is usually the
governing the collection and use of personal
place of central administration in the EU.
data. It will affect people or organizations
• However, for data controllers it may be
which are established in the European Union or
another location if that is where decisions
which offer goods or services to or monitor the
are made on the means and purposes of
behavior of people living in the EU. It came into
processing, and if it has the power to have
force May 2018.
those decisions implemented.
In this article we will go into how GDPR is within the EU (see our article about who
enforced, the enforcement actions that can be GDPR applies to), then presumably this will
taken if there is a breach and examples of the two count as your main establishment.
nature, gravity and duration of the infringement, • Failing to appoint a representative within
any action taken to mitigate the damage, the EU (if you are not established in an EU
and higher-level breaches, which will be • Data processors acting outside of the
processes, the fine is still capped at the maximum • Data controllers engaging data processors
without the appropriate safeguards in
for the gravest infringement.
the contract, or without getting sufficient
guarantees that they can and will process
Lower level breaches
the data according to GDPR.
of the main types of breach which fall into this For higher level breaches, the maximum fine is
category include: €20,000,000 or 4% of your global turnover in the
previous financial year, whichever is higher. Some
• Failing to keep adequate records of
of the main types of breach which fall into this
processing activities.
category include:
• Failing to cooperate with a supervisory
authority. • Processing personal data without a lawful
• Failing to notify data subjects or a ground, such as by failing to obtain
supervisory authority of a personal data adequate consent.
breach. • Collecting data beyond the minimum
• Failing to take steps to get a parent or level needed, or keeping it for longer than
guardian’s consent or authorization to necessary, for the explicit and legitimate
are the
contract (such as preparing a quote).
3. The processing is necessary to comply with
Grounds for
a legal obligation.
4. The processing is necessary to protect the
data subject’s (or another person’s) vital
Processing interests.
5. The processing is necessary to perform a
Data under
6. The processing is necessary to protect the
organization’s (or a third party’s) legitimate
GDPR?
interests.
1. The data subject has given their consent to purpose (unless the new ground is consent or
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 20
purposes. steps
2. The context in which the data was
In order for the second ground to hold, one of
collected, such as the relationship between
the following must apply:
the parties.
3. The nature of the data. • You have entered into a contract with the
4. The possible consequences of the further data subject. In this case processing is valid
processing for the data subjects. if it is that necessary in order to perform
5. The existence of safeguards to protect the this contract.
data subjects. • The data subject has requested that you
take steps (such as providing a quote) prior
to entering into such a contract. In this case
Finally, note that for both special categories
processing is valid if it is necessary in order
of data (along with criminal convictions and
to take those steps.
offences) and automated decision-making, the
requirements are stricter — we will consider these
towards the end of this article. First, we will look Take care when relying on this ground, as it will
at the basic grounds in a bit more detail. only cover types of information and processing
which are genuinely necessary for these
purposes. For example, say that you require
The six grounds people to provide contact details when they
purchase goods or services from you. This is
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 21
and organizations to which official tasks are
delegated. This processing has to be authorized
KEY POINT
by EU or national law, so it is not generally
available to organizations to argue that they
A contractual obligation is are covered as their activities are “in the public
not enough to satisfy this interest”. Note that data subjects have the right
to object to processing carried out under this
requirement. Also note that
ground, under Article 21.
as written, this does not cover
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 22
Of the other grounds, consent is the broadest,
allowing you to catch anything not otherwise
• The prevention of fraud.
covered. You can refer to the next article for
• Ensuring network and
details on how to make sure that the consent
data security.
collected is sufficient to make processing lawful.
• The administrative
transfer of data between However, consent can be refused, or it can be
organizations within a group. withdrawn at any time. The other grounds can
therefore allow you to ensure that you are able
to collect and process the data you need in
What is clear from the text is that these legitimate order to perform a contract, comply with any
interests only give a lawful ground if they are not legal obligations, and otherwise pursue your
overridden by the interests, rights and freedoms legitimate interests (although remember that
of the data subjects. As such, a balancing act data subjects can object to this last type of
must take place. processing).
Also note that data subjects have the right to To see how this might work in practice, the
object to processing under this ground, under following is likely to be the best approach when
Article 21. If they do so, such processing must entering into a contract with a client (for example
stop unless the data controller can demonstrate through an online submission form):
compelling legitimate grounds for the processing
• Only require them to supply information
which override the data subject’s rights. If
that satisfies a non-consent ground (for
data subjects object to processing for direct
example, data that will genuinely be
marketing (including profiling for this purpose),
necessary for the performance of the
then you cannot refuse to stop the processing.
contract or for your legitimate interests, or
which you are required to collect by law).
• Clearly ask for consent to take any other
The grounds in practice
data and to use the collected data for any
The “vital interests” and “official authority” other purpose.
grounds are unlikely to have much impact on the • If a customer or other data subject refuses
operations of most commercial organizations, to give this consent, and provides only
most of the time. the information required, you will have to
exclude this data from any other types of
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 23
processing. To do this, you will probably legitimate activities and with appropriate
need to flag the different sets of data safeguards. The processing must only
according the processing permitted for relate to its members or former members,
each. or people regularly in contact with it, and
it must not disclose the data externally
without consent.
Special categories of data
• The processing is of personal data
In Article 9, there are stricter rules for processing manifestly made public by the data
the following special categories of personal data: subject.
• The processing is necessary to establish or
• Racial or ethnic origin.
exercise legal claims or defenses, or is by
• Sexual orientation.
courts in their judicial capacity.
• Political opinions.
• Religious or philosophical beliefs.
• Trade union membership. Alternatively, there are other potential grounds
• Genetic data. which will first have to be established by specific
• Biometric data. EU or national laws before they can be relied on:
• Health data.
• The processing is in the field of
• Information about a person’s sex life.
employment, social security or social
protection.
For these categories, you will still need to have
• The processing is necessary for reasons of
one of the six grounds considered above.
substantial public interest.
However, you will also need one of the following
• The processing is necessary for medical
grounds for processing (although there is
purposes.
considerable overlap):
• The processing is necessary for public
• The data subject has given their explicit health purposes.
consent to the processing. • The processing is necessary for archiving
• The processing is necessary to protect the purposes.
data subject’s (or another person’s) vital
interests, and the data subject is incapable
Of this second category, the most important one
of giving consent.
for most organizations is likely to be the one
• The processing is carried out by a not-
covering employment, as governments attempt
for-profit organization, in the course of its
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 24
to strike a balance between employee rights over • The processing is authorized by EU or
their data and the needs of employers to keep national law.
the above grounds applies, as well as one of the safeguard the data subject’s rights, freedoms
is unable to consent) and most cases of legal on the special categories of data (above) if the
obligations and official authority. However, data subject has given explicit consent, or if it is
neither the performance of a contract nor an authorized by law and necessary for reasons of
by itself.
Conclusion
Note that while information about criminal
convictions and offenses is not a special category, Getting familiar with the various lawful grounds
Article 10 states that it should only be processed is a vital part of preparation for, and compliance
under the control of official authority or where with, GDPR. You will need to document the
specifically authorized by law. grounds under which processing is done (along
with the additional grounds for special categories
of data) and communicate this to data subjects.
Automated decision-making
A number of your processing operations are
In Article 22, there are also stricter rules where
likely to be covered by performance of a contract
decisions are made based solely on automated
(or preliminary steps), legal obligations or your
processing (including profiling). This is only
legitimate interests. However, outside of these
justified under one of the following grounds:
categories you will need to get the consent of
• The processing is necessary to enter into data subjects to processing. That is the next area
CHAPTER 4 - What are the Grounds for Processing Personal Data under GDPR? 25
CHAPTER 5
GDPR’s
the main principles.
Rules on
Consent must be clear
Your request for consent should be clear,
Consent must be freely given consent entirely verbally — instead, make sure
that it is backed up in writing.
Consent is unlikely to be seen as freely given
where there is a significant power imbalance
between parties. GDPR specifically suggests Consent for children
that there is likely to be an imbalance between In Article 8, there are specific requirements for
individuals and public authorities. Similarly, consent to be valid where a service is offered
consent to an employer processing their online to an individual under 16 years old
employees’ data is unlikely to be considered to (although EU countries may legislate to reduce
be freely given. As a result, it will be better for HR that age to a minimum of 13). In these cases,
data to be processed under a different ground. consent must be given or authorized by the
holder of parental responsibility over the child.
More generally, consent will not be free if the
data subject is unable to refuse or withdraw It is your responsibility to take “reasonable
consent without suffering detriment. This would steps” to verify that this has happened, given
appear to rule out, for example, incentive the technology available. You will need to think
schemes for giving consent. about children who might use your services
and decide the best way to ensure that they get
GDPR makes clear that consent is unlikely to be
permission before providing their consent.
free if it is required as a condition of entering
a contract. This means that to the extent that
collecting and processing the personal data of Withdrawing consent
customers really is vital (whether to performing
Data subjects have a right to withdraw their
“Explicit” consent
There are three situations in which GDPR states
that consent must be “explicit” in order to
justify processing. Two were mentioned in the
previous article: in the case of special categories
of data, and when the processing involves
automated decision-making. The third is when
the processing involves transfers of data to a
country outside of the EU, or to an international
organization.
the Rules on
collected. Note that this applies even if you will
not be relying on their consent. The information
Processing
provided must include:
Data under
contact details (as well as those of
GDPR?
representative).
The Regulation sets out a number of principles be stored (or how this period will be
data, following the overall philosophy of “data • The data subject’s rights to access
protection by design and by default”. The main their data, have it rectified, erased
principles (in Articles 5 unless otherwise stated) or transferred, or restrict or object to
are as follow: processing (all of which will be considered
• Whether the data will be used for any You must do so within a reasonable period,
automated processing (including profiling) and in any case by the earliest of (i) your first
and if so, the logic of the processing and communication with them, (ii) any further transfer
its significance and consequences for the to another party or (iii) a month after receipt of
the data.
data subject.
restate the information listed above. You must keep the minimum data
necessary
Clearly, it will be possible to set out most of the
You should collect and keep only the data
above in a standard privacy notice, although
necessary for the specified purposes of the
some of it will vary with the circumstances of
processing. You will need to think through each
collection. The information must be given in a
piece of data you collect and consider how it
manner which is clear, concise, intelligible and
contributes to your goals.
easily accessible.
There is an overlap between this and the lawful
grounds, most of which only justify processing
Second-hand data
which is necessary (to the performance of a
Similar requirements apply if you obtain personal contract, for your legitimate interests etc.).
data other than directly from data subjects (under However, this requirement makes clear that even
Article 14). In this case, you must usually contact if you have consent to processing, you will still
data subjects to provide the above information, need to think about whether each piece of data
You must keep the data accurate their freedoms, rights and responsibilities.
Personal data which you collect, and use should As another example, say that you are an online
be kept accurate and up to date. This means that vendor, and a client with an existing account
you need to take all reasonable steps to correct makes a purchase. It would probably count as a
or delete any inaccurate data. reasonable step (and would certainly be good
practice) to remind the client of the delivery
As we saw above, there is an obligation to inform address and payment details you have on record
data subjects of their right to have their data and give them an opportunity to amend them
before purchase, to avoid problems completing
rectified. However, this principle will in some
the order.
cases go further, requiring a proactive approach
You must keep records Now that we have gone through some of the
general principles which govern the processing
the Rights
• Who else (if anyone) the data will be
transferred to. If you plan to transfer
of Data
the data to a non-EU country or an
international organization, you must also
include the grounds relied upon to justify
GDPR?
• The data subject’s rights to have their data
rectified, erased or transferred, or restrict
or object to processing.
• The data subject’s right to complain about
processing to a supervisory authority (see
data. One of the ways it does this is by restating • The source of the data (where it was not
and increasing the rights of data subjects, received from the data subject).
including the rights to access their data, to have • Whether the data will be used for any
The clearest case where this will be applicable is In some cases it may be appropriate to require
where the data subject is looking to switch from evidence before rectifying data. For example,
one service provider to another. This essentially where the data subject does not have the right
on Data
processor must inform the data
persons”. In these circumstances, as well as telling judgement for data controllers. It is likely to be
the case wherever an external party has gained
What Does
GDPR Require in
Data Processing
Agreements?
What does
Data controllers must only use data processors
who can give “sufficient guarantees” that they
GDPR
can and will comply with the requirements of
the Regulation and protect the rights of data
Require
subjects.
Agreements?
be justified.
GDPR regulates the processing of personal Data processors must only ever process data
data by imposing obligations on two types under the data controller’s documented
processors. Data controllers set the agenda for EU or national law (Article 29). As well as being
processing, while data processors act on the a violation in itself, straying outside of these
must contain. This article will look at these controller and processor (or some “other legal
In this series of articles we have attempted to • The organization’s core activities involve
go through all of the major areas covered by regular, large scale and systematic
the Regulation. However, there are a few more monitoring of data subjects.
which did not quite fit into any of the categories • The organization’s core activities involve
discussed so far, and so we will review them here. large scale processing of special
or someone working under a service contract. of the kinds of processing activities this covers,
They must report directly to the organization’s but the Regulation makes clear that it will include:
interests.
Before starting any processing
If an organization appoints a data protection which is likely to result in a
officer, it must also do the following:
high risk to people’s rights
• Ensure that they are involved in all data and freedoms, you must carry
protection issues.
out a data protection impact
• Support them in their duties and make sure
the drafting. Where appropriate, you should ask the Regulation, the supervisory authority will
for the views of data subjects on the intended provide written advice, and may issue a warning,
processing. The assessment must include: prohibit the processing or use any of its other
you should consult with lawyers if you are (ii) the transferring organization must have
• The data subject has explicitly consented suitable safeguards, and (iii) the data controller
to the transfer after being informed must inform the supervisory authority and
of the possible risks in the absence of data subjects of the transfer, explaining the
safeguards.
Further information on some of these
• The transfer is necessary for performance
requirements (explicit consent, performance of a
of a contract with the data subject or pre-
contract, vital interests and legitimate interests)
contractual measures requested by the
can be found in our article on lawful grounds for
data subject.
processing.
• The transfer is necessary for important
rights and freedoms of the data subjects. Once they are in place, certification and
However, see further below. adherence to codes will go a good way towards
requirements.
Personal data
Data processor
Any information relating to a data subject.
A person or organization which processes
This could for example include names,
personal data based on the instructions of data
addresses, contact details, online usernames or
controllers. This could for example include
demographic data.
subcontractors.
Glossary 58
• Biometric data
• Health data
• Information about a person’s sex life
Supervisory Authority
Glossary 59
Learn more at www.truevault.com
or follow @TrueVault.