What is GDPR?


General Overview

Objectives & Goals

At the end of this module you will be able to:

  • Familiarise yourself with the GDPR

Background, scale and scope…

  • Gain awareness of your (digital) rights

The right to be forgotten…

  • Understand what cookies are and what their scope is

When they are harmful and when they are not…

General Overview

Have you ever noticed that whenever you try to access a website, a big disclaimer pops up requesting you to read carefully (and eventually accept) their cookie policy?

What is a cookie and what is this disclaimer about? Why is the WWW so concerned about the terms and conditions of your privacy and (digital) identity?

While surfing the Internet, you might have come across – or read about – something known as GDPR…but in practice, what is GDPR?

For beginners

The GDPR (General Data Protection Regulation) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504

Brief disclaimer – what is a Regulation in EU law?

Together with Directives, Decisions, Recommendations and Opinions, Regulations are one of the types of EU legislation – legal acts of different binding degrees with which all (or some) Member States must comply.

Regulations have the highest binding degree: they are directly applicable and must be applied in their entirety across the EU, without any national transposition.

To know more about the types of legislation: https://european-union.europa.eu/institutions-law-budget/law/types-legislation_en

About the general scale and scope of GDPR

Article 1 of the Regulation states that:

1. [GDPR] lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. [GDPR] protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Who must comply with GDPR?

The whole point of this regulation is to protect the personal data of people in the EU (the Regulation speaks of “data subjects who are in the Union”, not only of citizens). As such, any organisation operating in EU territories must comply with GDPR.

The regulation applies to ALL organisations, regardless of their legal status (public institutions, private-sector companies and the third sector) and their country of origin, as long as they operate in EU territories or offer goods or services to – or monitor the behaviour of – people in the EU (this is the case of US tech giants such as Facebook, Google, Amazon, etc.).

Key highlights

Key highlights

In order to have a comprehensive understanding of GDPR, it is important to pinpoint a couple of terms around which the regulation revolves. These include:

Seven principles of data protection
Eight privacy rights that must be protected (and supported)
Glossary of specific terms used by the Regulation

Glossary and reference terms – Article 4, Definitions (1)

Personal data → Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Glossary and reference terms – Article 4, Definitions (2)

Processing → Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Glossary and reference terms – Article 4, Definitions (3, 4)

Restriction of Processing → The marking of stored personal data with the aim of limiting their processing in the future.
Profiling → Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Glossary and reference terms – Article 4, Definitions (7, 8)

Controller → The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor → A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Glossary and reference terms – Article 4, Definitions (11, 12)

Consent → Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach → A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Seven principles of data protection – Chapter 2, Article 5

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Eight privacy rights that must be protected – Chapter 3, Articles 12 – 23

1. Citizens have the right to be informed
2. Citizens have the right to access their data
3. Citizens have the right to rectification of their data
4. Citizens have the right to be forgotten (erasure)
5. Citizens have the right to restrict processing of their data
6. Citizens have the right to the portability of their data
7. Citizens have the right to object to the processing of their data
8. Citizens have rights in relation to automated decision making and profiling

Implications for citizens

When organisations are allowed to process your data

There are some specific scenarios in which organisations – upon full compliance with GDPR – are allowed to process your data (processing in the sense of Art. 4).

Article 6 of the Regulation lists all the instances in which organisations can in fact “look into” your personal data.

These conditions fall under six domains…

1. There is specific, unambiguous consent from the subject the data belongs to
2. Processing is necessary for a contract with the subject, or for steps taken at the subject’s request before entering into a contract
3. The organisation processes the data to comply with a legal obligation
4. Data processing is necessary to protect the vital interests of the data subject or of another natural person
5. Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6. Any other case in which there is a legitimate interest of the organisation (or of a third party) that is not overridden by the interests or fundamental rights of the data subject

Legitimate interest

Scenario no. 6 is more open to interpretation than all the others. Whether a given interest is legitimate or not depends on whether it conflicts with the fundamental rights and freedoms of the data subjects.

The label of legitimate interest is weighed differently in “sensitive” cases: people with criminal records, children and other vulnerable categories…

Website cookies

The most typical example in which you agree to the processing of your (digital) data is when you accept cookies before browsing a website you want to access.

Cookies are small pieces of data that a website stores in your browser. They are designed to improve your browsing experience and allow the website’s owner(s) to keep you signed in, store your preferences, and provide you with locally relevant content that matches your interests.

Because the same mechanism can be used to track you across visits and across sites, since the GDPR came into force website owners have had to make you aware of this tool and ask for your consent before using it for anything beyond what is strictly necessary.

How many cookies are out there?

This depends on:

DURATION
PROVENANCE
PURPOSE

DURATION
Session cookies – they expire as soon as you end your session (typically when you close the browser)
Persistent cookies – they remain on your device until they expire or you delete them “manually”. Persistent cookies carry their expiration date in the Expires or Max-Age attribute set by the website.
Guidance is that they should not last more than 12 months, but in practice they might live much longer

PROVENANCE
First-party cookies – they are put on your IT device (laptop, phone, etc.) by the very same website you are visiting
Third-party cookies – they are put on your IT device by – typically – an advertiser that has a formal agreement with the website’s owner(s), through content embedded in the page (ads, trackers, social-media buttons)

PURPOSE
Strictly necessary – cookies that are functional (essential) for your browsing experience (e.g., saving the item you want to buy into the shopping basket)
Preferences – cookies that allow the website’s owners to retain information that will improve and facilitate your next visit (e.g., your language, or keeping you signed in; a well-built site stores a session identifier, never your password itself)
Statistics – relatively harmless, these cookies help the website’s owners better understand what users like and look at
Marketing – typically of third-party provenance, these cookies help advertisers collect information about, for instance, the purchase behaviour of customers
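
The three axes above (duration, provenance, purpose) can be read off a cookie's own attributes. The following JavaScript is an added example and not code from the original module: it parses raw Set-Cookie header values, decides session vs persistent from Expires/Max-Age, decides first-party vs third-party by comparing the site that set the cookie with the site you are visiting, and flags missing Secure/HttpOnly/SameSite attributes. The host names, the sample headers and the two-label “site” approximation are assumptions constructed for the example.

```javascript
// Added example, not from the original module: classify cookies by the
// DURATION, PROVENANCE and attributes discussed above, starting from raw
// Set-Cookie header values. Sample headers and host names are constructed
// for this example; they are assumptions, not real sites.

const MAX_RECOMMENDED_DAYS = 365; // the "12 months" guideline quoted above
const MS_PER_DAY = 86400000;

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq0 = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq0).trim(),
    value: parts[0].slice(eq0 + 1).trim(),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// "Site" of a host, approximated as its last two labels. This is a
// simplification for the example: production code should consult the
// Public Suffix List (e.g. "shop.example.co.uk" is a three-label site).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// DURATION: no Expires and no Max-Age means a session cookie (null);
// otherwise return the remaining lifetime in days. Max-Age wins over Expires.
function lifetimeDays(cookie, now) {
  const a = cookie.attrs;
  if (a['max-age'] !== undefined) return Number(a['max-age']) / 86400;
  if (a['expires'] !== undefined) return (Date.parse(a['expires']) - now.getTime()) / MS_PER_DAY;
  return null;
}

// Classify one cookie. `setByHost` is the host whose response carried the
// header; `visitedHost` is the site shown in the address bar.
function classifyCookie(header, setByHost, visitedHost, now = new Date()) {
  const cookie = parseSetCookie(header);
  const days = lifetimeDays(cookie, now);
  const a = cookie.attrs;
  const findings = [];
  if (days !== null && days > MAX_RECOMMENDED_DAYS) findings.push('lifetime exceeds 12 months');
  if (!a.secure) findings.push('missing Secure: also sent over unencrypted HTTP');
  if (!a.httponly) findings.push('missing HttpOnly: readable by page scripts');
  if (a.samesite === undefined) findings.push('missing SameSite: sent on cross-site requests');
  if (String(a.samesite).toLowerCase() === 'none' && !a.secure) {
    findings.push('SameSite=None without Secure: modern browsers reject this cookie');
  }
  return {
    name: cookie.name,
    duration: days === null ? 'session' : 'persistent',
    lifetimeDays: days === null ? null : Math.round(days),
    // PROVENANCE: set by the same site as the page you are on, or by another one?
    provenance: siteOf(setByHost) === siteOf(visitedHost) ? 'first-party' : 'third-party',
    findings,
  };
}

// Constructed sample: four responses seen while loading one (hypothetical) shop page.
const VISITED_HOST = 'shop.example';
const SAMPLE_RESPONSES = [
  // strictly necessary session cookie keeping you signed in, well protected
  { from: 'shop.example', header: 'sid=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Lax' },
  // preference cookie, persistent for 30 days, readable by scripts
  { from: 'shop.example', header: 'lang=en; Max-Age=2592000; Path=/; Secure; SameSite=Lax' },
  // statistics cookie with an absolute expiry three years out
  { from: 'shop.example', header: 'visits=7; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Path=/; Secure; HttpOnly; SameSite=Strict' },
  // third-party marketing cookie from an embedded ad, two years, no Secure flag
  { from: 'ads.tracker-example.net', header: 'uid=9f8e7d; Max-Age=63072000; Domain=.tracker-example.net; Path=/; SameSite=None' },
];

function classifyAll(responses, visitedHost, now) {
  return responses.map((r) => classifyCookie(r.header, r.from, visitedHost, now));
}

console.log(JSON.stringify(classifyAll(SAMPLE_RESPONSES, VISITED_HOST), null, 2));
```

Run it with `node` to see the four classifications. The Secure finding is what the "NOT encrypted" warning further down boils down to: a cookie without that attribute is also transmitted over plain HTTP, where anyone on the network path can read or replace it. Real browsers also reject a Domain attribute that does not cover the responding host, which is why provenance is judged here on the host that set the cookie rather than on the Domain attribute alone.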

Should you accept cookies?

Technically speaking, you are not forced to accept cookies. The GDPR is designed to make you aware of their existence and of their usage by the website’s owner(s) and third parties.

This helps you to make better-informed decisions on who you are giving your data to, and what for…

…however, if you refuse, the website’s owner(s) might retain the right to block you from accessing their website or to limit its functionalities and your overall browsing experience.

Cookies are not a threat when

The website you are visiting is highly reliable (e.g., your Facebook account)
They help you improve your user experience (e.g., online shopping, online banking, etc.)
They save you time and resources – specifically when repeatedly logging in to your go-to websites (e.g., your email account)

Cookies might be a threat when

The website you are visiting is NOT encrypted – the lock icon beside the URL is missing or open (a closed lock means an encrypted, HTTPS website). Per se, these websites are not dangerous, but cookies sent over plain HTTP can be read or altered by anyone on the network path (e.g., on public Wi-Fi), and such sites might not be prepared for data breaches either…keep an eye open.
Third-party cookies. Again, these cookies are not dangerous per se, but if you are particularly concerned about your (digital) privacy, you might not like the idea of someone looking into your data.
Whenever your antivirus spots suspicious activities.
In any case in which you need to provide the website with highly sensitive information (bank account, scan and copy of ID, etc.).
 

FOR INSTANCE: Website cookies, EU Commission’s website:

…the EU Commission website relies mostly on first-party cookies of three main kinds:

 

FOR INSTANCE: How can you manage cookies?

Remove cookies from your device → by clearing your browser’s history and site data

Manage site-specific cookies → by proactively filtering which cookies you allow and which you don’t (per-site settings in your browser)

Block cookies → by setting your browser to its strictest privacy settings (most browsers can block third-party cookies outright)

What if you wish to take action to protect your personal data?

1. Submit a complaint to your national Data Protection Authority (DPA)
2. Take legal action against the “offender”
3. Take legal action against the DPA

Source: What should I do if I think that my personal data protection rights haven’t been respected?, EU Commission

1. Submit a complaint to your national Data Protection Authority (DPA)

The DPA is the independent public authority in each Member State that supervises the application of the GDPR; you can complain to the DPA of the country where you live, where you work, or where the alleged infringement took place.

2. Take legal action against the “offender”

Definitely a more direct approach than the previous one…

You can be assisted by a professional (e.g., a lawyer) if you think that a company or an organisation “mistreated” your personal data = non-compliance with any of the seven principles of data protection.

3. Take legal action against the DPA

If you genuinely believe that the DPA failed to represent your interests, you have the right to bring the case before a court. This is the case when:

1. You are not satisfied with the answer / reply / feedback you have been given
2. You don’t receive updates / news on your case from the DPA within 3 months, counting from the day you submitted your complaint to their office


Keywords

GDPR, privacy, data protection

