While countries within the European Union can supplement data protection law in certain areas, an EU Regulation known as the General Data Protection Regulation, or GDPR for short, sets out the minimum rights and obligations with respect to personal data about people in the EU, whether that data is controlled or processed by organisations inside or outside the EU.
What is personal data?
Personal data is any information relating to a living person who can be identified from it, either directly or indirectly, on its own or in combination with other information.
It could be collected, used or stored online or offline.
It may include:
- your name
- your address
- an identification code, such as a customer number or passport number
- geographic location data, such as places you have visited
- actions you have taken on a website
- online identifiers, such as your computer’s Internet Protocol (IP) address
- your financial data, including credit history
The law recognises that some types of information are more sensitive than others, because the consequences for you if they were misused would be much more severe.
The requirements to protect them are therefore much stricter, and processing them is prohibited unless a specific condition applies.
These types of information include:
- your race and ethnic origin
- your beliefs, including those relating to politics and religion
- your trade union membership
- your health, genetic data and biometric data used to uniquely identify you
- your sex life and sexual orientation
Data relating to criminal convictions and offences is also sensitive, and is treated as a separate category.
Even stronger safeguards apply to this information compared to other personal data.
Data about children
Where an online service is offered directly to a child and the processing of their personal data relies on consent, that consent must be given or authorised by the holder of parental responsibility if the child is under 16. Member states may lower this age limit, but not below 13.
The consequence of breaking the law is likely to be greater if the data relates to children; in practice, the fines are likely to be higher.
What is processing and controlling?
In data protection law, a controller is the organisation that decides the purpose and the means of processing personal data.
Processing means any operation performed on personal data, including collecting, recording, storing, altering, retrieving, using, disclosing and erasing it. A processor is an organisation that processes personal data on behalf of a controller.
An organisation might be both a controller and a processor, or a controller for some personal data and a processor for other personal data.
Who must comply with the law?
The law applies to all organisations, whether businesses or non-commercial, that are established in the European Union, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. An organisation might therefore be headquartered in the EU or outside it. Examples include:
- the owner of any website you visit
- a company that analyses data collected from a website you visit
- a business from which you buy goods or services
- your employer
- a charity to whom you donate
- a not-for-profit organisation
- a club or society of which you are a member
- public bodies including government departments that hold information about you
There are exceptions. Processing by the police and other competent authorities for the prevention, investigation, detection or prosecution of criminal offences is covered instead by the Law Enforcement Directive; activities concerning national security fall outside the scope of EU law altogether; and processing by an individual in the course of a purely personal or household activity is not covered.