This article is a heavily opinionated piece of text written by someone completely unqualified to give legal advice in any context. It is merely intended to spark ideas on how to make an organisation compliant but should, under no circumstances, be used to create something with legal consequences.
When it comes to understanding the European Union (EU)’s General Data Protection Regulation or GDPR, there are three groups of people:
How do these groups gain knowledge on GDPR?
In this article, we (mortal humans) will dive into the law and try to extract the bits that will relieve business owners of stress.
Quick sidenote: in VTEX’s context, CTR (controller) = client and PRC (processor) = VTEX. The reason clients ask for solid compliance from VTEX is that they would be blamed for picking the wrong PRC.
You’ve probably heard that it protects data but it’s worth noting two things: GDPR only goes as far as the personal data of “living natural persons”. This means that the regulation probably doesn’t protect your great-grandmother’s second uncle’s dad’s privacy, nor the financial data of your startup venture.
Since it’s a law of the EU, you’d expect that as soon as you board a plane for Sydney, you can forget about it. Actually, this is a tad more complicated than that (apart from the fact that most EU airports don’t connect directly with Sydney). GDPR applies when:
“In an activity which falls outside the scope of Union law”, it does not apply. This simply means that it doesn’t apply everywhere.
Now we may think that the controller and processor can play around the law by not being in the EU at all, but GDPR clearly says that in this case, they need to appoint an official representative who will be in the EU.
National security, public interest, compliance with law, and freedom of expression and information override GDPR. But we need to be careful here. First, it is clear that we can’t start suing people for gossiping, which is fair enough. However, GDPR explicitly warns that freedom of expression must not result in abuse of personal data that can harm the data subject.
GDPR regulates how data is handled and it basically restricts how much data can be collected, used, etc. This makes things difficult but it is with the intention of protecting individuals’ personal data. GDPR’s guiding principle is data minimisation. It means that all data you keep about a data subject must be necessary for the controller. You can only use this data for the purpose you collected it for, and as soon as you don’t need it, you must delete it.
Since GDPR is all about protecting the data subject’s privacy, let’s see what rights the regulation gives them.
Before collecting the data, there are a few boxes to check – quite literally.
Before anything happens, the data subject must agree that you’ll use their data. This consent is actively given – no pre-ticked boxes! When you want to use the collected personal data for more than one purpose, you need to ask permission for each purpose separately. When collecting personal data, the controller shares with the data subject why they collect the data, how they will process and protect it, the DPO’s details, etc. This should be written in simple language so the data subject can understand it easily.
Once personal data are collected, processing can begin. However, transparency is still key. The owner of this data can have regular access to how, where and what data are kept/processed about them. This info should be given free of charge, unless the request is “manifestly unfounded or excessive”. This is how lawyers say “too much”. So a controller can charge a “reasonable fee” for annoying requests, or simply refuse them. On the other hand, the controller then needs to prove why exactly the request was excessive.
The most famous result of the GDPR is the right to be forgotten. First of all, the data subject can say no to processing anytime, even after you start processing their personal data. In this case, the controller has to act within 1 month and completely free of charge.
Furthermore, they can also ask the controller to delete their data. This is more difficult as, for instance on social media, the data subject might have agreed to publishing their data. In this case the controller has to “take reasonable steps” to make sure that the data gets deleted.
“Reasonable” is a tricky word. GDPR uses it here because it’s not always possible to delete all of someone’s data from everywhere. And even if it is, it might be crazy expensive. GDPR understands this and gives a little leeway to controllers. But remember, as easy as it is to define “reasonable”, it’s just as hard to defend your definition. So when a business decides what reasonable steps to take to delete some personal data, they have to be prepared to defend that in court, should the data subject not be satisfied.
We can see that the data subject has a lot of power in the process and they can step in anytime to stop someone from using their data. However, their power is not endless. For instance, when creating statistics, the personal data of thousands or millions of data subjects are processed together. Together is the key differentiator here! Statistics are rarely about one person, so nobody would ever single out someone in such processes (it’s like being a drop in the ocean). Statistics are usually for the greater good (imagine the daily figures on Covid-19), so it would be impractical and damaging if data subjects could refuse to give their data. The result is a compromise: when it’s for statistics only, the data subject doesn’t have much freedom in giving consent/restricting processing, but the controller must make sure that no individual data leaks out (all drops stay in the ocean).
Remember that public interest, national security and law weaken the scope of GDPR. This is because authorities need to handle data of citizens and they can’t just ask for permissions every day – imagine how crazy life would become. Also think about lawsuits, treating patients, preventing epidemics and so on. If you ever read GDPR you’ll see that it’s full of exceptions when it touches one of these factors. So generally speaking, the data subject can’t tell controllers and processors not to process their data when it’s for an official/legal purpose. However, there’s an exception. The data subject can reject a decision based only on automated processing, including profiling, which affects them legally or in another significant way.
GDPR’s Article 33 describes what to do in case of a data breach.
As you would expect, if an organisation profits from an infringement, they’ll have to pay it back in the form of a fine. But this is not even close to all the money they’ll have to pay.
The real punishment for a data breach: administrative fines and penalties.
Penalties and fines are given as “up to” a certain maximum, but the real value will depend on how much of “a good girl/boy you have been” (e.g. cooperation with the supervisory authority, your infringements in the past, whether you’ve followed the advice of the supervisory authority, steps you took to save the situation after the breach, etc.). Remember this when we get to “How to stay on the safe side”.
If the data subject suffers damage from a data breach, they will be fully compensated by the controller or the processor.
It will, of course, get to the point of who is responsible. Chances of both the controller and the processor getting away without punishment are very slim. It can only happen if they prove that they did literally everything right. In most cases of a data breach, the controller will be responsible. The processor is safe if they’ve complied with:
If there are multiple controllers or processors, one of them pays the compensation and then claims the fair share back from each fellow controller or processor.
The general rule of thumb: comply with the rules as much as you can. The law can be vague and if you read through it, it becomes clear that it is not safe to stretch the rules or be “just about compliant”. Remember that if something happens, the amount you’ll pay heavily depends on how much you’ve tried to comply. If the supervisory authority sees that you’ve been balancing on the edge of the law, your shareholders will probably lose their hair.
GDPR likes using the term “reasonable steps”. This means “considering costs of implementation and the state of the art”. Compliance measures (e.g. protection procedures, breach mitigation, etc.) are usually labelled “reasonable”. This is super vague but, in all fairness, how could it be more specific?
No. Member States can further restrict it, and GDPR actually encourages them to do that. This is quite European, actually. Since the EU is made up of a lot of sovereign states, there is a tendency to leave high autonomy to individual countries even in such universal and strict legislation as the GDPR. Germany’s example describes it quite well. Since it’s a federal republic within the EU, a German business will have to comply not only with GDPR, but also with German federal law AND local state law.
You would think, “okay, this seems complicated but relatively straightforward and reasonable”. I agree. But there are exceptions: “Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.” Again, this is law lingo for “you can’t kill poetry with data protection”.
They explain that Member States can introduce exemptions and derogations to GDPR. Now let’s stop for a moment here. So is it true that Member States can be stricter but also less strict? Well, the answer is… yes. We can view GDPR as a default law in the EU. However, since Member States can be harsher or more easy-going at their discretion, it is not enough to comply with GDPR, but we’ll always need to know the privacy laws of every country we operate in.
Not exactly. Since technology is changing and GDPR produces real-life cases, the law will be reviewed every 4 years.
Since now everybody is super keen to comply, the EU has an official body to help with this: the European Data Protection Board. It can:
In case of any updates, it’s worth checking the Official Journal of the European Union. It publishes a list of countries where data protection is not guaranteed. It’s important to keep this in mind because the European Commission can prohibit personal data transfers to these places.
There is more to GDPR than what we’ve seen here, but not much more. It’s 134 A4 pages’ worth so if you want to know all the details, feel free to read it. If you decide, however, not to read it just yet, then we’ll recommend you:
You’re all set. Time to write that privacy policy…