Personal data of EU citizens is also protected in third countries
The new, harmonised EU General Data Protection Regulation came into force on May 24, 2016 and is applicable from May 24, 2018 without a further transition period. This is reason enough for us to take a closer look at the General Data Protection Regulation in a series of articles.
What is covered by data protection?
In principle, the regulation concerns all information relating to an identified or identifiable natural person. Whether this data is personal in the everyday sense, encrypted, or sensitive is irrelevant in this initial analysis. All data that does not relate to natural persons therefore falls outside the scope of data protection. Other regulations, such as copyright law, still apply, of course.
This means, for example, that meteorological measurements such as temperature, amount of precipitation, etc. do not have to be taken into account as part of data protection. In addition, legal persons do not enjoy the same protection as natural persons. However, not all legal entities are equal in this regard. If a legal entity is closely associated with a specific shareholder, for example because it carries their name in the company name and does not employ anyone else, there is suddenly a direct connection between the information about the company and the natural person of the shareholder. This clear rule (what must be taken into account and what need not be) is therefore partially softened in practice, and data on legal entities can also be covered by the law.
Central to this analysis is therefore whether data can be attributed to a natural person. This attribution can be possible via a direct link in the data model (identification) or via detours (identifiability). The mere potential that data could be assigned to a specific person is sufficient. It is irrelevant whether these options are used in practice.
EU citizens are also protected in third countries
A key change in the EU General Data Protection Regulation is that the data of persons residing in the EU, regardless of their nationality, is also protected in third countries. For companies in Switzerland, for example, the EU General Data Protection Regulation will therefore apply to data of EU persons in addition to Swiss data protection legislation from May 24, 2018. Which data protection legislation applies is primarily determined by the market location principle (similar to value added tax). For example, if a company offers products to customers in a web shop and therefore keeps the contact details of EU persons in its CRM system, this is enough for the company to be subject to EU law and liable to heavy fines from the EU. Services that are provided locally, such as hairdressing salons, dentists, etc., are not covered by the European GDPR in Switzerland.
The who is who of the General Data Protection Regulation: the parties involved
The General Data Protection Regulation essentially distinguishes between five roles:
The term processing, in this context, stands for “any process carried out with or without the aid of automated processes... in connection with personal data” (Art. 4 para. 2). In particular, this includes data entry, any use and any transfer. Even merely viewing data constitutes processing.
Controllers and processors
There are two roles for companies subject to the regulation: the controller (responsible person) and the processor (contract processor). The controller is responsible for all data protection measures. If the controller involves third parties, it must provide them with clear and appropriate contractual requirements and instructions regarding data protection. The processor is then obliged to comply with these requirements. There are some simplifications for pure processors.
But it is not always obvious whether a company is “merely” playing the role of a processor. After all, the decisive criterion for identifying the controller is who decides on the purposes and means of processing personal data. While the processor still has a certain margin of discretion with regard to the specific technical means, there is no such discretion as to the purpose of processing. The situation can arise relatively quickly that the processor itself becomes (jointly) responsible and has to meet the same requirements. Accordingly, the regulation also provides for joint controllership as a variant.
Our series of articles on the subject
- In the lead-in article, we drew attention to the need for action.
- In this first part of the series, we introduce the various actors and set the framework.
- Part 2 sheds light on principles of data protection based on four pillars.
- Part 3 explains the specific requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 highlights legally privileged, desired processing methods.
- Part 5 of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About linkyard
linkyard specializes in the implementation of software solutions with high security requirements and in the professional support of IT procurement processes. An iterative collaboration between IT security specialists such as linkyard and a specialized lawyer proves to be an advantage, especially when implementing data protection requirements in IT systems correctly and economically. This is because the search for the most cost-effective and at the same time legally compliant solution often requires the preparation and evaluation of several implementation variants, and the first solution usually undergoes a few adjustments. We are happy to support your project as well.