At the heart of it, the European Union’s new data privacy legislation, the General Data Protection Regulation (“GDPR”), restricts what the company’s that hold or manipulate personal data of individuals can do with it, and what type of consent is required for what acts. Like all regulations, there are a number of defined terms, which must be understood to grasp the coverage of the GDPR. In summary it covers a lot of activities that companies may not have thought would be regulated.
As I discussed in an earlier post, the GDPR only applies to “personal data” which is:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
With respect to personal data, there are generally two boxes that companies can fall into, the first being companies that collect and own the personal data, and the second being companies that are contracted by the the first companies to manage, protect, or otherwise use the personal data (more on this later). The first set of companies are referred to as “controllers” and the second as “processors”. Note that the definitions in the GDPR are more broad than my simple examples of same above:
A “controller” under the GDPR:
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A “processor” under the GDPR:
means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
So the million dollar question is what exactly falls under the definition of “process” (or processing, processes or some derivative). The GDPR defines “processing” as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Also, “cross border processing” includes:
a. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
b. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
So if you think the definition of processing is broad, you are correct. It is, likely intentionally, very broad to cover any acts with respect to personal data.
Chapter 2, Articles 5-11 of the GDPR applies to the processing of personal data. In essence, and we will be taking a deeper dive into this in later posts, the GDPR requires that all processing of personal data is done lawfully, with consent, collected and use for legitimate purposes, is narrowed for specific purpose the processing is for, maintained reasonably, and only used in a manner which ensures the security of the personal data. The controller is responsible for the foregoing. It can contract with a processor and push down these obligations on the processor through contract.