On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. The GDPR is a piece of legislation passed by European lawmakers to create a uniform data privacy law across all member states of the European Union (EU).
The purpose of the GDPR is to:
- support privacy as a fundamental human right;
- require companies to be accountable for managing personal data; and
- grant individuals rights in how their personal data is used and processed.
Under the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person.” This includes name, address, email address, financial information, contact information, and identification numbers. It also includes digital information such as an IP address, browsing history, geolocation, cookies, or other digital identifiers. It may also include information about an individual’s physical, mental, social, economic or cultural identity. In sum, any information that may be traced or related to an identifiable person is more than likely “personal data” under the GDPR.
Although such rights are not absolute, the GDPR grants several rights to individuals, including:
- Access: Individuals may request a copy of any personal data retained by a controller or processor of personal data as well as an explanation of its usage.
- Rectification: Individuals have the right to correct, revise or remove any retained personal data at any time.
- Deletion: Individuals may request a party to delete their personal data.
- Restriction of processing: Individuals may request limited use of their personal data if they believe that their personal data is inaccurate or has been collected illegally.
- Portability: Individuals have the right to receive their personal data in a commonly-used, structured, and machine-readable format.
- Objection: At any time, individuals may opt out of the use of their personal data if they no longer desire to permit their personal data to be included in analytics or to receive direct marketing emails or other personalized, targeted marketing content.
Pursuant to the GDPR, two types of parties have responsibilities when handling data: the “controller” and the “processor.” A “controller” determines the purposes and means of the use of personal data. In contrast, a “processor” acts solely on behalf of and pursuant to the instructions of the “controller” in processing personal data. Business entities affected by the GDPR must determine whether they are acting as a controller or a processor and understand their corresponding responsibilities.
The GDPR applies both to organizations located within the European Union and organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The GDPR applies to all companies possessing and processing the personal data of data subjects residing in the European Union, regardless of the company’s location.
The attorneys at Glass & Goldberg in California provide high-quality, cost-effective legal services and advice for clients in all aspects of commercial compliance, business litigation, and transactional law. Call us at (818) 888-2220, send an email inquiry to firstname.lastname@example.org or visit us online at glassgoldberg.com to learn more about the firm and to sign up for future newsletters.