Tag: Reverted
No edit summary
Line 28:
==Contents==
The GDPR 2016 has eleven chapters, concerning general provisions, principles, rights of the data subject, duties of data controllers or processors, transfers of personal data to third countries, supervisory authorities, cooperation among member states, remedies, liability or penalties for breach of rights, provisions related to specific processing situations, and miscellaneous final provisions. Recital 4 proclaims that ‘processing of personal data should be designed to serve mankind’.
===General provisions===
The regulation applies if the data controller (an organisation that collects information about living people, whether they are in the EU or not), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances,<ref>'''Article 3(2)''': This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.</ref> the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a "purely personal or household activity and thus with no connection to a professional or commercial activity." (Recital 18).
According to the [[European Commission]], "Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."<ref>{{Cite web|url=https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/|title=What is personal data?|date=January 2021|access-date=22 July 2019|archive-date=24 July 2019|archive-url=https://web.archive.org/web/20190724112940/https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/|url-status=live}}</ref> The precise definitions of terms such as "personal data", "processing", "data subject", "controller", and "processor" are stated in '''Article 4'''.<ref name="32016R0679"/>{{rp|Art. 4}}
Line 54 ⟶ 55:
If informed ''consent''<ref name="32016R0679"/>{{rp|Art. 4(11)}} is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for.<ref name="32016R0679"/>{{rp|Art. 7}} Consent must be a specific, freely given, plainly worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely given. (Recital 32).
Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in.<ref name="32016R0679"/>{{rp|Art. 7(3)}} A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.<ref name="32016R0679"/>{{rp|Art. 8}} Consent for children, defined in the regulation as being less than 16 years old (although with the option for member states to individually make it as low as 13 years old), must be given by the child's parent or custodian, and verifiable.<ref>{{Cite web|url=https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/|title=Age of consent in the GDPR: updated mapping|website=iapp.org|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180527023437/https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/|archive-date=27 May 2018|url-status=dead}}</ref><ref name="privacy association">[https://www.privacyassociation.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf "How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide"] {{Webarchive|url=https://web.archive.org/web/20210217012511/https://iapp.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf |date=17 February 2021 }}. Judy Schmitt, Florian Stahl. 11 October 2012. Retrieved 3 January 2013.</ref>
If consent to processing was already provided under the Data Protection Directive, a data controller does not have to re-obtain consent if the processing is documented and obtained in compliance with the GDPR's requirements (Recital 171).<ref name="guardian-unneeded"/><ref>{{Cite journal|last1=Kamleitner|first1=Bernadette|last2=Mitchell|first2=Vince|date=2019-10-01|title=Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements|journal=Journal of Public Policy & Marketing|language=en|volume=38|issue=4|pages=433–450|doi=10.1177/0743915619858924|s2cid=201343307|issn=0743-9156|doi-access=free}}</ref>