The much-discussed GDPR regulates data protection and has been in place since May 2018, and although it is an EU regulation, it will still apply to those operating in the EU from the US. The regulation stipulates that it applies to web users in the EU, so if you have any contact with them, it may be a good time to wise up on the GDPR. Its content focuses in particular on personal data, which both legislators and internet users see as highly worthy of protection. On the other hand, numerous business representatives see their ability to keep up in a competitive market, which is significantly based on big data, threatened by the stricter regulations. But what are personal data, and what rights do you have to your own?
The term personal data is generally understood as all data and information that provide insights into the identity of a natural person – that is, into a person “made of flesh and blood,” although there is no clear cut legal definition. This view therefore excludes legal entities and corporations, unless the partners and managing directors are the same individual.
Personal data is defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”; (original wording from Article 4, paragraph 1 GDPR).
According to this definition, there are many types of personal data, some of which are presented together with examples in the following image. This overview is by no means complete, and just aims to provide a succinct list.
If, on the other hand, the data cannot be assigned to a specific person because it is completely anonymous, no data protection rules need to be followed. The problem arises again with so-called “pseudonym-ized” data, which can also be used to determine a unique reference person if you have the necessary additional information. In case of doubt, the principle of caution always applies. Since it is sometimes difficult to distinguish between personal and non-personal data, you should always start from the former in order to guarantee the protection of potentially private information. For example, data protection authorities assume that even IP addresses belong to personal data, since they can be clearly assigned to the respective internet user through the interaction of access and service providers.
In addition to the examples of personal information already listed, the GDPR also defines “special” personal data relating to natural persons. These include:
Due to the sensitive nature of this information, the relevant privacy regulations are much stricter. Accordingly, processing special categories of personal data is in principle prohibited under Article 9(1) of the GDPR, unless the data subject has expressly consented to having their data processed (a declaration of consent for processing general personal data is not enough). Another way in which personal data may be processed is if there is a legitimate public interest in this information, e.g. in the context of criminal prosecution. While the appointment of a professional data protection officer is normally a matter for consideration by the managing director, it is obligatory for the processing of special personal data.
It should be common knowledge that large internet companies such as Google and Facebook collect personal data about their users on a large scale. They mostly use these to place individualized advertising and generate economic profits. The data is mainly used for optimizing sales and individualizing marketing mechanisms.
This is made more difficult, as people are becoming ever more cautious of what they data the disclose online, and fear becoming “transparent people,” represented only by online data profiles. Recurrent cases of data theft and data abuse phishing and the use of Trojans fuel this fear even more. Because the more sensitive information about an individual is circulating, the greater the risk their financial and social information is at.
Data protection regulations therefore make those with heaps of personal data responsible: companies and authorities are legally obliged to guarantee the protection of information about their customers. This implies compliance with the following principles and practices laid out in the GDPR:
Violations of these principles can result in a fine of up to 20 million euros, or up to 4 percent of a company's worldwide annual turnover under Article 83(5) of the GDPR – a rule that provides a financial incentive to comply with the guidelines but still cannot guarantee absolute security for personal data. Data economy is therefore also an effective principle when surfing the internet. Furthermore, it is recommended to delete or at least falsify personal, address, and bank data entered after completing an online purchase. Last but not least, it also makes sense to be aware of your rights towards companies and authorities.
The GDPR stipulates three essential rights that people have when their personal data is collected:
Under European law, personal data must in principle be regarded as the property of an individual. In practice, this means that the collection, storage, processing, and forwarding of data is only permitted with the express and active consent of the person in question. An implicit recognition of the data protection practice of an online service is therefore not sufficient. A so-called coupling is also not allowed, in which a company or an authority only releases certain services against consent and leaves the user no free choice.
Under Article 15 of the GDPR, people also have a right of access to the companies and authorities to which they provide their personal data. The Information Commissioner’s Office in the UK offers a short, informal sample letter, which can be easily adapted and supplemented with any extra information you want to supply. The following questions are useful to get a good overview of the extent and procedure of data storage:
Although companies and authorities are obliged by law to provide information, in some cases you have to reckon with unwillingness or even harassment if you want these questions answered. This is where persistence pays off: by invoking your rights, setting a tight deadline, and ultimately threatening to consult the responsible data protection authority, you finally get the certainty that you deserve. And if you do not agree with the way in which data is collected, information is incorrect or outdated, or has even been stored or passed on illegally, you can apply your last right: the right to correct, delete, and block data (Article 15(1e) GDPR).
Click here for important legal disclaimers.
Cookies can be helpful business tools, but they often toe the data protection line dangerously. As a result of this tendency towards uncertainty, the EU has introduced a new cookie law to protect its users. This new policy will affect any US company that does online business with EU customers. What do website operators need to pay attention to when it comes to this new cookie law?
The EU plans to significantly tighten data security online: With the ePrivacy Regulation, the collection of personal data will only be allowed following explicit allowance. At this point, it’s not certain what exactly will be included in the ePrivacy Regulation: Here, we’ve consolidated what we already know. In this way, you can develop strategies now for complying with the regulation’s...
Provide powerful and reliable service to your clients with a web hosting package from IONOS.
View packages
