The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR’s primary aim is to enhance individuals’ control and rights over their data and to simplify the regulatory environment for international business. The GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies to banks, retailers, and governments – almost every service we use involves the collection and analysis of our data. Your name, address, credit card number and more are all collected, analysed and, perhaps most importantly, stored by organisations.
GDPR compliance requires you to respect the eight basic rights that users have regarding their personal data and data privacy.
The General Data Protection Regulation establishes eight rights that apply to all users; the organisation is obligated to respect these rights or face severe penalties. The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. These rights are as follows:
1. The right to access.
Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge if requested.
2. The right to be informed.
Individuals must be informed and give free consent (not implied) before gathering and processing their data.
3. The right to data portability.
Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
4. The right to be forgotten.
If users are no longer customers or withdraw their consent to use their personal data, they have the right to have their data deleted.
5. The right to object.
If a user objects to your use or processing of their data, they can request that you stop. All processing must stop as soon as the user makes their request.
6. The right to restrict processing.
Individuals can ask you to stop processing their data or stop a certain kind of processing. Their data can remain in place if they choose.
7. The right to be notified.
Individuals have the right to be notified in the event of a personal data breach that compromises their personal data. This must happen within 72 hours of your first learning of the breach.
8. The right to rectification.
Users can request that you update, complete, or correct their personal data.
These rights give individuals considerable power over their data. They now have several tools to limit and prohibit the organisation from using their personal information.
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it – and those people often have malicious intent.
Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
Question 1: Please elaborate on the exemptions from complying with a data subject request under GDPR.
Answer – Data protection principles, data subject rights and controller obligations are not absolute. They can be limited, restricted or lightened by way of Union and Member State law. To be lawful, however, the limitation must fulfil the requirements set out in Article 23 of the EU GDPR, which are as follows:
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) National security, which refers to both the internal and external security of Member States.
(b) Defence-related matters of the Union or a Member State.
(c) Public security, which covers the protection of human life, particularly in cases of “natural or man-made disasters”.
(d) The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
(e) Other important objectives of general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, including monetary, budgetary and taxation matters, public health and social security.
(f) The protection of judicial independence and judicial proceedings.
(g) The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
(h) A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g).
(i) The protection of the data subject or the rights and freedoms of others.
(j) The enforcement of civil law claims.
Further, Chapter IX, Articles 85 to 91 (Provisions relating to specific processing situations) of the EU General Data Protection Regulation (GDPR) define several exemptions from the obligation to respond to Data Subject Access Requests (DSARs). These are as follows:
Elaboration of the above-mentioned points:
1. Article 85 Processing and freedom of expression and information.
The Member States shall by law reconcile the right to the protection of personal data according to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
The processing of personal data is not an activity which can be taken lightly. This, in turn, may have a negative impact on the circulation of information, and therefore on freedom of expression. For people with limited resources, such as artists, independent journalists, or ordinary citizens, complying with the GDPR may become too challenging and therefore deter them from expressing themselves. In other instances, the stringent obligations imposed by the GDPR, such as the obligation to inform data subjects (Articles 12 to 14 GDPR), may defeat the very purpose of the processing, such as when a whistle-blower intends to disclose classified information, or when a journalist investigates fraudulent actions.
2. Article 86 Processing and public access to official documents.
Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.
Article 86 GDPR states that official documents “may be disclosed” for the sake of transparency even if the GDPR remains applicable, which is the case when those documents contain personal data. By doing so, Article 86 GDPR seems to indicate that EU data protection law should not systematically prevent their disclosure.
The provision further points out that a potential conflict may arise between transparency and data protection, and stresses the need to reconcile those two conflicting rights, albeit without providing any indications as to how this should be accomplished. The right of the public to transparency in the administration has often been conferred by provisions of national law requiring authorities to actively publish official documents or to communicate a copy of them upon request.
However, the GDPR remains applicable when those documents contain personal data, and the concerned authorities must therefore consider on which legal basis under Articles 6, 9 or 10 GDPR such processing of personal data may take place.
The analysis must be made on a case-by-case basis, in light of all the relevant circumstances, including the nature of the document, its value for the public, and the consequences of its disclosure.
3. Article 87 Processing of the national identification number
Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
National identification numbers (NIN) or identifiers of general application as understood in Article 87 GDPR are numbers used as a unique and trustworthy method by state authorities for identifying a particular person so that public services might be provided to that person while also respecting their right to privacy. Member States have either adopted a system organised around a unique identifier or multiple identifiers for each citizen. Among the various identifiers of general application which may exist, one may for example refer to national registration numbers, national tax identifiers, ID or passport numbers, as well as social security numbers.
4. Article 88 Processing in the context of employment.
Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Article 88(1) GDPR lists the matters that the Member States may regulate in the context of the processing of employees’ personal data. This list includes processing of individuals’ personal data for the purposes of recruitment, the performance of employment contracts, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment of social benefits in the course of employment or after the termination of the employment relationship.
Article 88(2) GDPR obliges the Member States, when they regulate matters related to employment data, to include in their provisions suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems in the workplace.
5. Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
Article 89 GDPR regulates the processing of personal data for four distinct purposes: archiving in the public interest, scientific research, historical research, and statistics.
In many instances, collecting large quantities of personal data is a key component, if not a prerequisite, for achieving such purposes. For example, clinical trials or political polls are both based on the large-scale collection and analysis of sensitive personal data. Because of the broad scope of such processing operations, as well as the risks they entail, the EU legislator has introduced specific safeguards in Article 89(1) GDPR to protect the rights and freedoms of data subjects. At the same time, overburdening controllers with legal obligations may ultimately impede research, or even defeat the very purpose of the processing. This, in turn, may become detrimental to society, as many societal advances are based on archiving systems, scientific and historical research, or statistical studies. Hence, Article 89(2) and (3) GDPR also allow for a specific derogation to the GDPR for these purposes.
6. Article 90 – Obligations of secrecy.
Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, to Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.
Professional secrecy as a moral principle or rule can already be traced back to the Hippocratic Oath, which was drafted AD 275. According to this oath, physicians must refrain from divulging information on their patients and should consider such information as “holy secrets”. Today, professional secrecy is still considered an essential part of the organisation of modern life, as it guarantees the confidentiality of the communications between a person and a professional to whom sensitive information is being disclosed, such as a doctor, a lawyer or an accountant.
Because information subject to professional secrecy may contain personal data, the GDPR could also apply to it. This means, inter alia, that DPAs could request that a professional disclose confidential information in the course of an investigation, in accordance with Article 58(1) GDPR. Article 90 GDPR was drafted to regulate potential conflicts between the application of the GDPR on the one hand, and obligations of professional secrecy on the other. More specifically, this provision tasks the Member States with regulating certain DPAs' investigative powers when exercised against a controller or processor bound by professional secrecy.
7. Article 91 Existing data protection rules of churches and religious associations.
Religious organisations usually process large quantities of personal data relating to their members, for example, religious or philosophical beliefs, which are considered special categories of personal data according to Article 9 GDPR. As a consequence, ensuring that they comply with data protection law is essential to protect the rights and freedoms of data subjects who are (or were) members of such organisations. For historical reasons, however, specific religious organisations may benefit from a particular status in some Member States, which allows them to apply and adapt their own set of binding rules, distinct from national law.
Article 91 GDPR takes this reality into account by allowing, under certain circumstances, churches and religious associations or communities to be subject to their own set of data protection rules, distinct from the GDPR.
For the derogation of Article 91 GDPR to become relevant, the following conditions must be fulfilled:
(i) First, the controller or processor must qualify as a church, a religious association or a religious community.
(ii) Second, the controller must have adopted and applied, before the entry into force of the GDPR, its own set of data protection rules.
(iii) Third, this set of data protection rules must be comprehensive enough and in line with the GDPR (or must otherwise be brought in line with the GDPR).
A NOTE TO REMEMBER
None of these exemptions is absolute, and they should not be taken as having a blanket effect. Each organisation and situation should be assessed on a case-by-case basis. Exemptions don’t always apply to every new situation, even if they once applied before.
If your organisation decides to rely on an exemption, you should provide ample reasons for why you relied upon the exemption, along with documentation. Providing both of these will show compliance with the GDPR.