General Data Protection Regulation
The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018. The GDPR aims to provide one set of data protection rules for all EU member states and the European Economic Area (EEA). The document comprises 173 recitals and 99 articles. The regulation extends beyond territorial boundaries and applies to all entities that offer goods and services to EU data subjects (a person physically in the EU) regardless of the entity’s physical presence within the EU.
What is the purpose of the GDPR?
The main purpose of GDPR is to give EU residents greater control over how their personal data is collected, stored, used, and protected, and destruction once it is no longer needed. The GDPR evolved from the EU’s earlier directive of 1995, known as the Data Protection Directive, which set to retain an individual’s right of ownership over their personal data, including after they have shared it with an organization.
Must Fordham University comply with the GDPR?
Fordham University must comply with the GDPR. The regulation applies to Fordham because it processes data subjects’ personal data in the EU when offering them goods or services. Fordham has students and staff at the London Centre and has students and staff participating in programs, research, and internships in member states of the EU. Additionally, Fordham markets to EU residents and retains their personal data in its systems and those managed by third parties.
What happens if non-compliance is discovered?
Organizations that do not comply with the GDPR could face a maximum fine of €20 million or 4% of their worldwide revenue, whichever is greater. A 2% or €10 million fine will be charged for lesser infringements. A non-compliant organization will also be subjected to regular, periodic data protection audits to ensure its policies and procedures are updated and sustain GDPR compliance. Additionally, the media coverage following a non-compliance finding could cause significant reputational damage.
User Rights Under the GDPR
The Right to be Informed
The first of the eight rights lies in Articles 13 and 14 of the GDPR. Article 13 refers to information that organizations must provide when they collect personal data directly from data subjects. Article 14 covers the organization’s responsibilities when obtaining data about the data subject from a third party or indirectly.
The Right of Access
Article 15 outlines the right to access. The right to access allows the data subject to access the personal data that organizations process.
- Why and how you process the data
- Categories of personal data involved
- Who sees the data (including and especially in countries outside the EU)
- How long you intend to store the data
- How to exercise their rights
- Any available information to the source of data when you do not collect the data from the data subject
- Your use of profiling and automated decision-making
The Right to Rectification
Article 16, the right to rectification, provides European data subjects with the right to change or modify the data they provided organizations when they believe the data is inaccurate or out-of-date. Organizations need to provide this information “without undue delay.”
The Right to be Forgotten
Article 17 describes the user’s right to erasure, better known as the right to be forgotten. The article says that the data subject has the right to ask a data controller to erase their data without undue delay in the following circumstances:
- “The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”
- “The data subject withdraws consent on which the processing is based…”
- “The data subject objects to processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing”
- “The personal data have been unlawfully processed”
- “The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject”
In some cases, organizations do not need to comply with a request to access the right to erasure. The GDPR outlines these circumstances as follows:
- When processing involves a right to the freedom of expression and information
- When processing involves compliance with a legal obligation and the public interest
- When processing includes reasons of public interest within the realm of public health
- When processing meets the guidelines published in Article 89(1)(or public interest, historical, scientific purposes, or statistics purposes)
- When processing is for the “establishment, exercise, or defence of legal claims”
Suppose the organization’s processing falls under one of these categories, and they can demonstrate the case. In that case, they can deny the request for erasure by citing the reason for the notice's rejection.
The Right to Restrict Processing
Article 18 outlines the data subject’s right to request the restriction of processing under certain conditions. That means organizations must temporarily stop processing their data as requested as long as their requests meet one of the following:
- The data subject contests the accuracy of the data
- The data subject objects to unlawful processing, and the data subject prefers you to restrict the processing rather than erasing their data
- The data controller does not need the data for processing, but they need to keep the data pursuant to the “establishment, exercise, or defence of a legal claim.”
Article 18(3) states that if organizations temporarily stop processing data, then they must inform the data subject before lifting the restriction and resuming the processing if the organization chooses to do so.
The Right to Data Portability
The right to data portability outlined in Article 20 refers to the data subject’s right to receive the personal data held by the data controller in a commonly used format and send the data to another controller or use it for their personal purposes under certain circumstances.
The Right to Object
Article 21 says that data subjects have the right to object to data processing, including profiling, when it is on relevant grounds.
Rights Related to Automated Decision-Making and Profiling
The eighth right offered by the GDPR lies in Article 22: Automated decision-making, including profiling. The right to avoid automated decision-making comes with three exceptions when it cannot be exerted:
- When automated decision-making is necessary to enter into or complete a contract
- When the controller has authorization from the EU or a Member State and uses safeguards to protect the subject’s interests and freedom
- When the profiling or decision-making occurs with the subject’s explicit consent