<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GDPR map</title>
	<atom:link href="https://www.gdpr-map.eu/en/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.gdpr-map.eu/en/</link>
	<description>privacy first</description>
	<lastBuildDate>Wed, 17 Jan 2024 20:41:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.gdpr-map.eu/wp-content/uploads/2024/01/cropped-logo-1-32x32.png</url>
	<title>GDPR map</title>
	<link>https://www.gdpr-map.eu/en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Anonymous, Pseudonymous, and Personalized Data</title>
		<link>https://www.gdpr-map.eu/en/anonymous-pseudonymous-and-personalized-data/</link>
		
		<dc:creator><![CDATA[GDPR map]]></dc:creator>
		<pubDate>Wed, 17 Jan 2024 20:25:20 +0000</pubDate>
				<category><![CDATA[Data protection]]></category>
		<guid isPermaLink="false">https://www.gdpr-map.eu/?p=1325</guid>

					<description><![CDATA[<p>The General Data Protection Regulation (GDPR) is a key element in managing data in the digital space. In this blog post, we explore the differences between anonymous, pseudonymous, and personalized data and their significance in the context of the GDPR. Foundations of the GDPR The GDPR regulates the processing of personal data of living individuals.&#8230;&#160;</p>
]]></description>
										<content:encoded><![CDATA[
<p>The General Data Protection Regulation (GDPR) is a key element in managing data in the digital space. In this blog post, we explore the differences between anonymous, pseudonymous, and personalized data and their significance in the context of the GDPR.</p>



<h2 class="wp-block-heading">Foundations of the GDPR</h2>



<p>The GDPR regulates the processing of personal data of living individuals. Processing encompasses all steps, such as collecting, storing, transmitting, and sharing data. Crucially, it involves data that can identify or make identifiable a natural person. Personal data may include identifiers like names, identification numbers, location data, online identifiers (e.g., IP addresses or cookies), birth dates, or addresses. They also include characteristics that are an expression of physical, genetic, psychological, economic, cultural, or social identity.</p>



<h2 class="wp-block-heading">Anonymous Data</h2>



<p>Anonymous data are those that do not enable the identification of a living natural person. Since they are not identifiable, they fall outside the scope of the GDPR. Anonymous data are not subject to the data protection restrictions of the GDPR and can be processed without regard to data protection laws.</p>



<h2 class="wp-block-heading">Pseudonymized Data</h2>



<p>Pseudonymized data are a special case of personal data. According to Article 4(5) of the GDPR, pseudonymization is the processing of personal data in such a way that they can no longer be attributed to a specific data subject without additional information. This additional information must be stored separately and protected by technical and organizational measures to prevent the assignment to an identified or identifiable natural person. Pseudonymized data replace identifying characteristics with identifiers such as employee numbers or fictitious names, which makes the data subject difficult to identify but does not make the data anonymous. They fall under the GDPR and enjoy certain privileges within the framework of legal regulations.</p>



<h2 class="wp-block-heading">Personalized Data</h2>



<p>Personalized data are directly attributable to a specific individual and include all information that makes a natural person identifiable. They are the primary focus of the GDPR and are subject to strict processing and protection rules. Handling personalized data requires careful measures to maintain privacy and data security.</p>



<h2 class="wp-block-heading">Summary</h2>



<p>The GDPR clearly differentiates between anonymous, pseudonymous, and personalized data. While anonymous data lie outside the scope of the GDPR, pseudonymous and personalized data are covered by it. Pseudonymized data offer a middle ground by making identification more difficult but still ensuring certain rights and protections. Personalized data require the highest level of attention in data protection, as they are directly linked to an individual&#8217;s identity. Understanding these categories is crucial for the proper application and compliance with data protection provisions.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Technical and Organizational Measures</title>
		<link>https://www.gdpr-map.eu/en/technical-and-organizational-measures/</link>
		
		<dc:creator><![CDATA[GDPR map]]></dc:creator>
		<pubDate>Thu, 04 Jan 2024 17:07:06 +0000</pubDate>
				<category><![CDATA[Data protection]]></category>
		<guid isPermaLink="false">https://www.gdpr-map.eu/technical-and-organizational-measures-introduction/</guid>

					<description><![CDATA[<p>What are Technical and Organizational Measures? Technical and Organizational Measures (TOMs) are crucial steps that every organization processing personal data must take. These measures are established in the General Data Protection Regulation (GDPR) and aim to ensure the security of data processing. The GDPR requires organizations to protect the rights and freedoms of individuals whose&#8230;&#160;</p>
]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">What are Technical and Organizational Measures?</h2>

<p>Technical and Organizational Measures (TOMs) are crucial steps that every organization processing personal data must take. These measures are established in the General Data Protection Regulation (GDPR) and aim to ensure the security of data processing. The GDPR requires organizations to protect the rights and freedoms of individuals whose data they process, including ensuring lawful data processing.</p>

<h2 class="wp-block-heading">Key Aspects of the GDPR</h2>

<p>There are specific articles in the GDPR relevant to the security of personal data:</p>

<ul class="wp-block-list">
<li>Article 24: This article stipulates that organizations must comply with data protection principles, including lawfulness, fairness, transparency, and data minimization.</li>



<li>Article 32: Addresses measures for data processing security. Organizations should implement measures like pseudonymization and data encryption, especially when transmitting data, such as in emails.</li>



<li>Article 25: Emphasizes data protection through technology design and privacy-friendly default settings. Organizations should consider data protection aspects in the development of products and services, like prototypes or demonstrators.</li>
</ul>

<h2 class="wp-block-heading">Documentation and Responsibilities</h2>

<p>Every organization processing personal data must create and continuously update a record of processing activities (a processing directory). Required by Article 30 of the GDPR, this record should contain information about data processing, such as the controller&#8217;s name and contact details, the purposes of processing, and data deletion timelines. It must also include technical and organizational measures for each data processing activity and be available to supervisory authorities upon request.</p>

<h2 class="wp-block-heading">Practical Implementation of TOMs</h2>

<p>Organizations must implement a wide range of technical and organizational measures depending on their size and processing activities. These include establishing information security policies, access controls, using secure passwords and encryption methods, and measures for secure document disposal and emergency plans. It&#8217;s essential to regularly review and adjust all measures to new risks.</p>

<p>In addition to technical measures, organizations must also implement organizational security measures. This includes ensuring that data can only be accessed or modified by authorized persons and maintaining data integrity and availability. The organization must also assess the required level of security based on the sensitivity and value of the processed data and potential risks in case of data loss.</p>

<p>Finally, it&#8217;s important to note that there is no one-size-fits-all solution for information security. What is appropriate for an organization depends on its specific circumstances and the risks associated with its data processing.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GDPR at a glance</title>
		<link>https://www.gdpr-map.eu/en/gdpr-at-a-glance/</link>
		
		<dc:creator><![CDATA[GDPR map]]></dc:creator>
		<pubDate>Mon, 01 Jan 2024 16:17:00 +0000</pubDate>
				<category><![CDATA[Data protection]]></category>
		<guid isPermaLink="false">https://www.gdpr-map.eu/2024/01/04/gdpr-at-a-glance/</guid>

					<description><![CDATA[<p>Data Protection Regulations in Europe Since May 2018 Since May 25, 2018, data protection regulations in Europe have been governed by the General Data Protection Regulation (GDPR). This European Union regulation applies directly in all member states, without the need to be transformed into national law. In addition, individual member states contain data protection provisions.&#8230;&#160;</p>
]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">Data Protection Regulations in Europe Since May 2018</h2>

<p>Since May 25, 2018, data protection regulations in Europe have been governed by the General Data Protection Regulation (GDPR). This European Union regulation applies directly in all member states, without the need to be transformed into national law. In addition, individual member states have their own data protection provisions. Thus, there are two concurrently applicable legal bases: the GDPR at the European level and national laws.</p>

<h2 class="wp-block-heading">Foundations and Scope of Data Protection Law</h2>

<p>At the heart of data protection legislation are various legal bases located at both European and national levels. The European General Data Protection Regulation (GDPR) forms the basis for data protection in the EU and applies to both public and private entities. This regulation is supplemented by national laws. Overall, data protection law covers a broad spectrum of application areas, from authorities to businesses, and varies depending on federal or state jurisdiction.</p>

<h2 class="wp-block-heading">Scope and Definition of Personal Data in Data Protection Law</h2>

<p>The applicability of data protection law, specifically the GDPR, depends on the handling of personal data of living natural persons. Processing includes various operations such as collecting, storing, transmitting, and sharing such data. The nature of the data is crucial: they must be personal, meaning information related to an identified or identifiable natural person. Personal data encompass a wide range of information, from names and identification numbers to location data and online identifiers like IP addresses and cookies, to birth dates and addresses. Also included are characteristics expressing the physical, genetic, psychological, economic, cultural, or social identity of a person. The key factor is whether a person can be identified through these data. When such data are processed, the GDPR applies.</p>

<h2 class="wp-block-heading">Anonymous vs. Pseudonymized Data in Data Protection Law</h2>

<p>In data protection law, a distinction is made between personal and anonymous data. Anonymous data are those that do not allow the identification of a living natural person. Since they do not permit inferences about individuals, they fall outside the provisions of the GDPR and are thus exempt from data protection restrictions.</p>

<p>Pseudonymized data, in contrast, are a special case of personal data. According to Article 4(5) of the GDPR, pseudonymization refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information. This additional information must be stored separately and protected by technical and organizational measures to prevent assignment to an identifiable person. Pseudonymized data replace identifying characteristics with identifiers like personnel numbers, fictional names, or encrypted values. However, for certain groups, these identifiers may still enable identification. Therefore, pseudonymized data remain personal data: they fall under the scope of the GDPR, data protection law must be observed when processing them, and they enjoy certain privileges within the legal framework.</p>

<h2 class="wp-block-heading">Territorial Scope and Responsibilities in the General Data Protection Regulation</h2>

<p>The question of the territorial scope of the General Data Protection Regulation (GDPR) arises after clarifying the material scope, which encompasses the processing of personal data. It is crucial whether the data processor or the data controller has an establishment within the European Union (EU). If this is the case, the GDPR applies, regardless of where the data processing actually occurs. This principle is known as the establishment principle: An EU establishment entails the application of the GDPR, regardless of the location of data processing. Additionally, the scope of the GDPR has been extended. It also applies to controllers or processors who process personal data of individuals who are in the EU, for instance, in the context of offering goods or services or in online marketing activities targeting users&#8217; behavior in the EU. This is known as the market location principle.</p>

<p>The GDPR often refers to &#8220;controllers of data processing,&#8221; defined in Article 4(7) of the GDPR. Controllers are natural or legal persons, authorities, institutions, or other bodies that alone or jointly determine the purposes and means of processing personal data. Whoever collects, stores, or transmits data and determines their purpose of use is considered a controller. These controllers must comply with the provisions of the GDPR.</p>

<h2 class="wp-block-heading">Legality of Data Processing under the General Data Protection Regulation</h2>

<p>The central question in data protection law is under what conditions the processing of personal data is lawful. Article 6(1) of the General Data Protection Regulation (GDPR) provides the legal bases for this. Lawful data processing can be based on the explicit consent of the data subject. This means that the person expressly agrees that their personal data may be processed. In addition to consent, there are other permissible reasons for data processing, such as the necessity for contract performance. For example, a seller needs the name and address of the buyer for the delivery of goods.</p>

<p>Other legal bases include the fulfillment of legal obligations or the performance of a task in the public interest, which is particularly relevant in the research sector at universities. Similarly, data processing can be legitimate based on a legitimate interest of the controller, provided it does not collide with the fundamental rights and freedoms of the data subject. The interests of the data processor must outweigh those of the data subject, without disproportionately infringing upon their freedoms.</p>

<p>Consent to data processing is detailed in Article 4(11) and Article 7 of the GDPR. It must be voluntary and explicit. Written documentation of consent is advisable, although not mandatory. The data subject has the right to withdraw their consent at any time and must be informed about this right.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
