If you like to go shopping, browse social media, or generally spend time online, you have been creating and providing data about yourself for a while. Businesses and public authorities can use this data to earn money, guide their marketing strategies, or make decisions about you – often without you being aware of any of it happening.
If this concerns you, and you have always wondered what benefits you gain from the right to data protection, read on. This series will introduce you to the main concepts of European data protection law that you want to be aware of in your everyday life.
A little background on European data protection
In 2000, the Charter of Fundamental Rights of the European Union (EU) formally enshrined the protection of personal data as a fundamental right under EU law. It became legally binding in 2009 with the coming into force of the Treaty of Lisbon. Since then, EU Member States are obliged to protect and give effect to this right.
At that point, EU laws already provided high standards of data protection, but due to the rapid digitalisation of our lives, the EU Commission thought there were still significant areas for improvement. To address these concerns, in 2016, the EU adopted the General Data Protection Regulation (GDPR) ¬– the most comprehensive data protection framework in the world at the time.
Despite such massive changes and improvements to the protection of our data, most of us do not fully understand what it means to have a right to data protection, how this right benefits us, and through which channels we can make use of it. This is because, as with many regulations, the legal text can be technical and does not always straightforwardly translate into how the law is applied in practice.
We want to change this and provide you with the key information you need to make the most of your right to data protection under EU law.
What is the GDPR?
Data about us is created, collected, and used to analyse us during almost everything we do, both online and sometimes offline. At the core of the GDPR’s objectives lies the protection of this very data – data about us. To guarantee protection, the GDPR is relevant for all activities where our data is handled and for the actors handling it, e.g., brands or organizations. Requiring them to ensure better protection for our data contributes to more privacy and security in our lives.
In practice, this means that, based on the existence of the fundamental right to data protection, the GDPR lays down further rules to protect this right. Simply put, it sets out requirements for those who deal with personal data, and it gives everyone involved specific rights.
What exactly is the GDPR concerned with?
The GDPR applies to the processing of your personal data. By data processing, we mean any activity performed upon personal data, such as the collection, use, storage, disclosure, or deletion of that data.
Personal data is information that relates to us – most of the data that we create, and data that helps to identify us. This information can be in a written, audio, or visual format. It can be objective, like our date of birth, or subjective, e.g., somebody’s opinion of us. And it can also be incorrect information. In other words, if someone posts a photo of you and your friends to social media, captioning “we all had tacos for lunch”, both the photo picturing you and the text about you are your personal data. It would still be your personal data if the text was incorrect and you did not in fact have tacos for lunch, or lunch at all.
Information relates to us if it is about us, i.e., if the information’s content is directly about us, if the purpose of using the information affects us (e.g., for an evaluation), or if the result of it can have an impact on our rights and interests. It, therefore, does not need to focus directly on us to relate to us. For example, if you sit an exam and receive a decision or mark at the end, your examiner’s reasons for awarding you with this mark would count as your personal data. This is because the purpose of using their opinions for marking the exam affects you and has an impact on your interests.
Lastly, information can directly reveal our identity, e.g., by providing our name and photo, or it can render us identifiable. Identifiability means that we can directly or indirectly be identified by reference to additional pieces of information that someone could obtain about us from elsewhere. For example, ask yourself how many pieces of information on a paper someone would need to identify you even if your name was not given: Would a document containing your gender, date of birth, company name and company department be enough for someone else to match it with your identity, if that person had access to an additional source, such as a company website with the names and photos of its employees? Even if the initial document did not give away your identity directly, you could still be identifiable, perhaps very easily so.
To make things more complicated, nowadays, there are sophisticated computational systems which can link even heavily anonymised information back to the individual it relates to. As such, little of what we know as anonymised information can be said to be truly anonymous.
Taken altogether, the considerations above mean that a lot of information that is out there could be considered your personal data: information that you did not realize you were giving away about yourself, information that you did not know someone else “created” about you, and information that you never thought of as data in the first place.
Who does the GDPR apply to?
The GDPR affects several different actors. If you have your personal data processed, in the eyes of the GDPR, you are deemed a data subject: a natural person who can benefit from the rights and the protection provided under the GDPR.
The actors who bear most of the responsibilities regarding data protection (e.g., conducting Data Protection Impact Assessments) under the GDPR are data controllers, however any actor processing personal data must comply. A data controller is a person, organization, or authority, that determines what data is being processed about you, how, and for what purpose. The activities they undertake with your data are called processing activities.
Data Controllers will often rely on one or multiple third parties to process data under their instruction, called data processors, They are people, organizations, or authorities, that only processes data on behalf of the controller – they cannot use the data for their own purposes. There may also be occasions where there are multiple Controllers, or joint Controllers for a process, in which case all need to bear the controller’s data protection responsibilities.
As mentioned earlier, the GDPR not only imposes obligations on actors like controllers and processors who deal with your personal data, it also creates rights for you that are aimed at giving you more control over what happens to your data. Such rights include the rights to have access to your data, to have errors in your data rectified, or to have your data erased altogether. We will discuss these rights in more detail in a later part to this series. Importantly, though, if you want to exercise these rights, you must direct your requests to the data controller(s), not the processor(s). It is, therefore, important to be aware of the persons or organizations who serve as the controllers of your personal data.
In practice, the distinction between a controller and processor might not be immediately obvious to you as a data subject. The key to discovering who the controllers are is to read the the privacy notice you receive from any entity processing your data. It will include instructions on how to make a data subject request (i.e., exercise your data protection rights).
Where does the GDPR apply?
Generally speaking, if you are in the EU, regardless of your citizenship or residency status, the GDPR applies to you. This is the case even if neither the controller(s), nor the processor(s) have an establishment (e.g., branch or subsidiary) there, but they otherwise offer you goods or services, or monitor your behaviours (e.g., tracking what items of clothing you looked at online).
Conversely, if you are not in the EU, but either the controller(s) or processor(s) of your personal data are, they are bound by the GDPR, and you will be able to exercise your rights under the regulation.
Talking about any kind of law can get overly complicated or dull quickly if it concerns something without an immediate impact on our lives. Data protection should not be one of these topics, though. We all give away data every day: both online, and in physical interactions. And most often, we do so without thinking about how this data will be used down the line. However, with more and more areas in life becoming digitalised and “data-driven”, we all need to become more familiar with our right to data protection and what it entails.