What is the GDPR?
In April 2016, the European Parliament and the European Council adopted new legislation which regulates, in a broader and more comprehensive way that encompasses all the countries in the European Union, how the personal data of European citizens can be collected, stored, transferred and protected. This regulation (GDPR – Global Data Protection Regulation) aims to give citizens more control over how their personal information is used.
What is personal data?
“PII – Personally Identifiable Information – Any information relating to an identified or identifiable natural person”
“Identifiable” means a natural person who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, identifiers by electronic means, or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity.
The data can be in any support, be it physical, virtual, graphic, technological or sonorous. This includes labels, files, RFID chips/cards, cloud information, CRM information, video images, data bases, flyers or any printed/written material.
Treatment of personal data
The processing of personal data includes any action on them and can only be done when exists a legitimate reason to do that.
Despite much talk about it, consent is not the only basis for processing data and may sometimes not even be required. Whatever the basis for data processing, it must follow its own rules and always be documented.
In general, data can be processed when:
- The data owner has given his consent for the processing of his personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party;
- Processing is necessary for the fulfillment of a legal obligation to which the controller is subject;
- Processing is necessary for the purpose of the legitimate interests pursued by the controller or by third parties.
Regarding consent, it must be:
- “Free” – based on a proactive action by the user, without limiting their access to services and with the possibility of being withdrawn with the same ease as it was given;
- “Informed” – in simple and direct language;
- “Specific” – Consent must be given for each treatment purpose (for example: registering to enter an event is different from registering to receive Marketing information);
- “Expressed” – Pre-validated options are not allowed and omission can not serve as “consent”;
- “Demonstrable” – The data processor must be able to demonstrate that consent has been given or withdrawn;
Data processing vs. Data control
It is critical that organizations involved in processing personal data understand their role and determine whether they are acting as a data processor or data controller. This information is relevant in the clearance of responsibilities.
The data controller determines the purpose for which the data is to be used and how the data will be processed.
The data processor manage the data in behalf of the data controller, according to the means and purposes that has been defined. The data process may only do so by means of a written contract and with the knowledge of the data owner.
Scope
This regulation applies to any data processing carried out in the European Union, and is applicable to any organization that provides services in the European Union or event held here, regardless of the nationality of the individual holding the data or the origin of the company.
Return to our GDPR index: Are your events ready for the GDPR?
Still have questions about this? Talk to us!