Introduction:

The General Data Protection Regulation ("GDPR"), Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, came into force in the European Union on May 25, 2018. GDPR replaces the erstwhile EU Directive 95/46/EC. The fundamental objective of GDPR is to harmonize the protection of personal data with its use, two goals that are generally considered to be at loggerheads. The enactment of GDPR has huge implications for Indian Companies doing business in Europe and dealing with data subjects (natural persons) who are in the European Union. They are put to strict tests to ensure the protection of the personal data of those data subjects. This piece highlights the key provisions of GDPR which have implications for Indian Companies that carry on the activities of a Controller or a Processor in the European Union or deal with data subjects who are in the European Union.

The Bush called GDPR:

Unlike in India, Article 8 of the European Convention on Human Rights provides that everyone has a right to the protection of personal data concerning him or her. GDPR reinforces this right with the additional objective of ensuring the free movement of personal data. The term "personal data" has been widely defined under GDPR to cover "any information relating to an identified or identifiable natural person". GDPR imposes obligations on the Controller and makes it accountable for personal data.[1] A Controller has been defined under GDPR as a natural or legal person, public authority, agency or other body which determines the purposes and the means of processing personal data. GDPR further imposes restrictions on the Processor of personal data.[2] The salient features of GDPR are:

  1. What is the territorial scope of GDPR?

    The Regulation applies to the processing of personal data in the context of an establishment of a Controller or Processor in the European Union. It further applies to the processing of personal data of data subjects who are in the European Union by a Controller or Processor not established in the Union where the processing activities are related to the offering of goods or services to those data subjects or the monitoring of their behaviour within the European Union. The Regulation also applies to a Controller not established in the European Union but established in a place where Member State law applies by virtue of public international law. The applicability of the Regulation is therefore wide: it even encompasses entities not established in the European Union which control personal data of any nature whatsoever belonging to data subjects in the European Union.
  2. What are the principles applicable for processing of personal data?

    Personal data can only be processed in a lawful, fair and transparent manner. GDPR imposes the following further limitations on the Controller: a) to collect personal data only for legitimate purposes (purpose limitation); b) to collect only limited and relevant personal data (data minimisation); c) to take every reasonable step to ensure the accuracy of personal data (accuracy); d) to store personal data only for as long as is necessary to achieve the purpose for which it was processed (storage limitation); e) to process personal data in a manner that ensures its security (integrity and confidentiality).[3]
  3. What is the importance of consent of the data subject for processing of his/her personal data?

    GDPR provides that personal data may be processed only if at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data; b) the processing is necessary for the performance of a contract to which the data subject is party; c) the processing is necessary to comply with a legal obligation; d) the processing is required to protect the vital interests of the data subject; e) the processing is required in the public interest; f) the processing is required for a legitimate interest.[4]

    Hence, the consent of the data subject is an important factor in making the processing of personal data lawful. The request for consent has to be presented in a clear, distinguishable, intelligible and easily accessible form.[5] For a child below 16 years of age, GDPR provides that processing shall only be lawful if consent is given by the holder of parental responsibility.[6] GDPR further provides that the consent has to be in a particular form.[7]
  4. What are the rights of the data subject under GDPR?

    The data subject has been provided the following rights under GDPR:

    1. Right of access to personal data;[8]
    2. Right to rectification;[9]
    3. Right to erasure;[10]
    4. Right to restriction of processing;[11]
    5. Right to data portability;[12]
    6. Right to object to automated individual decision making.[13]
  5. What are the responsibilities of the Controller under the GDPR?

    The Controller is obligated to implement appropriate technical and organisational measures to ensure that the processing of personal data is performed in accordance with the Regulation.[14] The technical measures may include pseudonymisation and encryption of personal data.[15] The Controller shall further ensure the implementation of appropriate data protection policies.[16] Where the Controller or the Processor is not established in the European Union, it has to appoint a representative in the Union.[17] Where processing is to be carried out on behalf of a Controller, the Controller shall use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.[18] Further, the Controller is obligated to maintain a record of processing activities.[19] The Controller or its representative is also obligated under GDPR to co-operate with the supervisory authority established under Article 51 of GDPR.[20] The Controller has also been entrusted with the task of notifying a breach of personal data to the data subject[21] and to the supervisory authority.[22] The Controller shall also carry out a data protection impact assessment where the nature, scope and purpose of the processing of personal data are likely to result in a high risk to the rights of natural persons.[23] The Controller shall also appoint a data protection officer in certain cases.[24]
  6. What are the remedies which data subjects can avail for breach of the regulation?

    Data subjects can avail themselves of a judicial[25] or administrative[26] remedy against the Controller or Processor for a breach of the Regulation. GDPR further provides that Member States may impose penal consequences.[27]

The path for Indian Companies:

Indian Companies which are established in the European Union, and/or which are not established in the European Union but deal with data subjects who are in the Union, can no longer beat about the bush. They have to strictly adhere to GDPR. Failure on their part to comply with the terms of GDPR may result in high administrative fines or damages.

Footnotes

1. Article 1(2) of General Data Protection Regulation.

2. Article 29 of General Data Protection Regulation.

3. Article 1(1) of General Data Protection Regulation.

4. Article 6(1) of General Data Protection Regulation.

5. Article 7(2) of General Data Protection Regulation.

6. Article 8(1) of General Data Protection Regulation.

7. Articles 12 to 14 of General Data Protection Regulation.

8. Article 15 of General Data Protection Regulation.

9. Article 16 of General Data Protection Regulation.

10. Article 17 of General Data Protection Regulation.

11. Article 18 of General Data Protection Regulation.

12. Article 20 of General Data Protection Regulation.

13. Article 22 of General Data Protection Regulation.

14. Article 24(1) of General Data Protection Regulation.

15. Article 32(1) of General Data Protection Regulation.

16. Article 24(2) of General Data Protection Regulation.

17. Article 27(1) of General Data Protection Regulation.

18. Article 28(1) of General Data Protection Regulation.

19. Article 30(1) of General Data Protection Regulation.

20. Article 31 of General Data Protection Regulation.

21. Article 34 of General Data Protection Regulation.

22. Article 33 of General Data Protection Regulation.

23. Article 35 of General Data Protection Regulation.

24. Article 37 of General Data Protection Regulation.

25. Article 79 of General Data Protection Regulation.

26. Article 83 of General Data Protection Regulation.

27. Article 84 of General Data Protection Regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.