INTRODUCTION, Lecture 1

WHAT IS GDPR?

GDPR is a recently adopted EU legal act which brings data protection to another level. In the contemporary world our personal data are used on a daily basis by companies, institutions and bodies. At the same time, the risk of losing them is increasing. Thus, GDPR serves as a guarantee for a very high level of protection in this domain. It is an EU regulation that is directly applicable in all member states simultaneously, while nevertheless granting exemptions to some national regulations.

WHO IS PROTECTED BY GDPR?

GDPR applies to natural persons. This has an important consequence: data of legal persons (such as companies or associations) are not covered by GDPR.

GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU citizens. It applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.

WHAT IS PERSONAL DATA AND DATA PROCESSING?

The concept of personal data is crucial to understanding the protection.
Personal data is any information that relates to:

• an identified person or
• a person who can be identified (directly or indirectly, for example by name, identification number, location data or factors concerning the physical, physiological, genetic, mental, economic, cultural or social identity of that person).

The nature of data processing is vital for understanding the concept of data protection. Certain criteria and requirements must be met prior to data processing. Processing is a general term which means any operation which is performed on personal data, whether or not by automated means, such as:

• collection,
• recording,
• organisation,
• structuring,
• storage,
• adaptation or alteration,
• retrieval,
• consultation,
• use,
• disclosure by transmission,
• dissemination or otherwise making available,
• alignment or combination,
• restriction,
• erasure or destruction.

WHO DOES GDPR IMPOSE OBLIGATIONS ON?

GDPR requires action from two main categories of parties: data controllers and data processors.
A data controller is the natural or legal person, such as a company, that determines the purposes for which and the means by which personal data is processed.
A data processor is a party that processes data on behalf of a data controller. Data processors are, for example, accounting services companies which process data for other controllers.
Their obligations, although largely comparable, differ in certain areas.