Personal data of EU citizens also protected in third countries
The new, harmonised EU General Data Protection Regulation (referred to here as the basic data protection regulation) came into force on 24 May 2016 and is to be applied from 24 May 2018 without any further transitional period. For us, this is reason enough to examine the regulation in more detail in a series of articles.
What is covered by data protection?
In principle, the regulation concerns all information relating to an identified or identifiable natural person. Whether this information is private, encrypted or sensitive is irrelevant in this first consideration. Conversely, data that does not relate to natural persons falls outside the scope of data protection. Other regulations, such as copyright law, of course still apply.
This means, for example, that meteorological measurements such as temperature, precipitation etc. do not have to be taken into account in the context of data protection. Furthermore, legal persons do not enjoy the same protection as natural persons. However, not all legal persons are treated equally in this respect. If a legal entity is closely linked to a particular partner - for example, if the partner's name appears in the company name and the company employs no other staff - there is suddenly a direct link between the information on the company and the natural person of the partner. In such cases the otherwise clear rule as to what is covered and what is not is partially softened, and data on legal persons is also covered by the law.
The central issue is therefore whether data can be assigned to a natural person. This assignment can be possible via a direct link in the data model (identification) or via detours (identifiability). The mere potential that data could be assigned to a specific person is sufficient; whether these possibilities are actually used in practice is irrelevant.
EU citizens are also protected in third countries
A central innovation of the EU basic data protection regulation is that the data of persons residing in the EU - regardless of their nationality - is also protected in third countries. For companies in Switzerland, for example, the EU regulation will apply to the data of EU persons from 24 May 2018 in addition to Swiss data protection legislation. The marketplace principle (similar to the VAT principle) is the primary criterion for determining which data protection legislation is applicable. For example, if a company offers products to customers in a web shop and therefore keeps the contact data of EU persons in its CRM, this alone is sufficient for the company to be subject to EU law and liable to the high fines imposed by the EU. Not covered by the European DSGVO in Switzerland are services that are provided locally, such as hairdressing salons, dentists, etc.
The who is who of the basic data protection regulation: the parties involved
The basic data protection regulation essentially distinguishes between five roles:
The term "processing" in this context means "any operation performed with or without the aid of automated processes relating to personal data" (Article 4(2)). In particular, this includes the input of data and any use or disclosure. The mere fact of having access to data already constitutes processing.
Persons responsible and processors
Two roles are distinguished for the companies subject to the regulation: responsible persons (controllers) and order processors (processors). The controller is responsible for all measures relating to data protection. If it calls in third parties, it must give them clear and appropriate contractual conditions and instructions regarding data protection. The processor is then obliged to comply with these requirements. Some simplifications apply to pure processors.
However, it is not always obvious whether a company "merely" takes on the role of a processor. The decisive factor in determining who is responsible is, first and foremost, who decides on the purposes and means of processing personal data. While the processor retains a certain degree of discretion with regard to the specific technical means, it has none with regard to the purpose of the processing. The situation can arise relatively quickly that the processor itself becomes the (co-)controller and has to comply with the same requirements. Accordingly, the regulation also provides for joint responsibility as a variant.
Our series of articles on the topic
- In the lead-in article we drew attention to the need for action.
- In this 1st part of the series we introduce the different actors and set the framework.
- Part 2 examines the principles of data protection based on four pillars.
- Part 3 explains the specific requirements for the processing of special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 examines legally privileged, desired processing methods.
- Part 5 of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About linkyard
linkyard specialises in the realisation of software solutions with high security requirements and in the professional support of IT procurement processes. Especially for the correct and economical implementation of data protection requirements in IT systems, an iterative interaction between IT security specialists such as linkyard and a specialised lawyer proves advantageous, because the search for the most cost-effective and at the same time legally compliant solution often requires the elaboration and evaluation of different implementation variants, and the first solution found usually undergoes some adjustments. We would be pleased to accompany your project as well.