Once all the considerations have passed, we get into the meat of the law. The law itself is divided into chapters, which have articles. Each article can have one or more members. I would advise to have the law text up in another tab to reference the full text; I will not be going into the text word-by-word, but rather explain what the various articles and chapters are about.
Chapter One – General provisions
This chapter has 4 articles and is aimed at providing the scope in which the law is, and is not applicable.
Article 1 – defines the subject matter of the law, and states in short: To lay down rules for a) the protection of a consumers rights to protection of their personal data and b) protecting free movement of personal data in the EU itself.
Its goal here is to say; Consumers throughout the EU should have control over their data, no matter where that data is inside the EU.
Article 2 – ‘Material Scope’ tells us which data the regulation is applied to. In other words; When should a consumers rights be protected by this law? Not always, as the case may be. However, if you are reading this from a commercial perspective, chances are slim Article 2 will let you collect data without consent. It excludes private people and governmental and investigative powers, leaving commercial entities as one the clear targets of the law.
Article 3 deals with the physical area on the planet that the law applies to; not surprisingly, that covers all the countries in the EU. The law gives rights to all the private people in the EU without regard for the specific location of a commercial company that wants to interact with an EU’s subjects personal information. It does not matter where you company is based on the planet. If you service europeans, you must obliged by the rules in this regulation.
Article 4 contains the definitions of specific terms used througout the law’s text. Studying these carefully will help to understand the later texts. These definition can be quite precise, refer back to them often..
Chapter II – Principles
Article 5 contains the principles that explain what you need to keep in mind when you are processing (see definitions) personal information (see definitions) that belongs to subjects of the EU (see article 3). So each time you are requesting permission to process you need to be thinking about these things:
- Being frank and honest about what you are going to do with the data.
- Collecting consent only for each seperate processing purpose
- Minimising the collection to only provably needed information
- Keeping information actively up to date
- Minimising period of need for keeping a record of personal data
- Precessing data in a safe and secure manner
And to top that off, the article states that the controller, in this context usually the owner of the website and domainname is accountable for ensuring above principles are adhered to.
Article 6, member 1 looks at when it is lawful to actually process information. This is an important article to understand from a commercial perspective, as it tells you when you do and do not need to request processing consent. The article has 6 condition under which it is lawful to process information.
The first reason, is because the data subject (the person on the EU territory) has given you consent (see definition) and you have requested that in line with the principles in article 5. In other words, someone filled out a form on your website and ticked a box in which the willfully consented to you using their data.
The second reason a commercial company does not need permission to process data is when a contract exists between the commercial party and a consumer. A delivery service needs to handle an address to deliver a parcel, or handle data concerning clothes sizes for a particular consumer. The data used is limited to what is needed to fulfil the contract.
The third reason to process data is ‘a legal obligation’ – You have married, bought a house or signed an employment contract.
The fourth reason concerns data processing when a persons life, or another natural persons is threatened. The law is worden as ‘to protect the vital interests of the data subject’. This may indicate that property or bankaccounts may be included in protected interests.
The fifth reason is to exempt governments and their workers from the GDPR. so when law enforcement, courts, fines or child custody services come into play. The third reason is there to exempt police and other excuting officials from the gdpr burden while fulfilling their duties.
The final sixth reason under which it is lawful to process personal data is when ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.‘ that sentence is then contrasted by ‘except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.‘
This statement causes a lot of confusion, and is one of the “get-out-of-jail for free” cards of the GDPR. If you want to read it positively, you can state that it is essential for your company to gather marketing data, because if you do not, you’re business model doesn’t work. Your legitimate interest is then to gather data to keep you’re company from going bankrupt.
Article 6, member 2 deals with the notion that memberstates may introduce more specific rules on top of the GDPR basis for reasons number 3 (legal) and 5 (government).
Article 6, member 3 goes through the motions of declaring that the GDPR rules, but also any country specific rules apply.
Article 6, member 4 looks at the condition you need to stick to if you are going to reuse data that already have, for a different purpose. It requires you, the controller, to make to make sure the new processing is in line with the earlier given consent. So if you want to combine website statistics data with another data source, you need to check if your actions on the data are allowed.
Article 7 – Conditions for consent
When is consent consent? When it meets the criteria set in article 7.
Member 1 tells us that the data controller must have a record of the consent given, if that was required in the first place.