Protecting Personal Data: What is GDPR?
We have been hearing about the GDPR (General Data Protection Regulation) for quite some time now. Formally, it is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
In parallel, many pieces of legislation on the protection of personal data have been introduced all over the world, and Qatar was no exception. The Qatari authorities introduced legislation on privacy and data protection (Law No. 13 of 2016, the “Law Concerning Personal Data Protection”), which is based on, and tries to capture certain aspects of, European data protection and privacy principles.
Well, after such a serious introduction, does this look complicated to professionals without a legal background? I believe it does.
So, let us try to simplify the whole matter, because the law is not that hard to understand, and I will tell you why. The very heart and soul of any core law are its PRINCIPLES, while the rights attached to those principles, the processes, obligations and requirements, and the resulting penalties can be considered the rest of the body. Thus, if you understand the principles (which we usually agree upon and, most importantly, believe in), you will have no problem understanding the law itself.
That said, a quick look at the titles of the various data protection laws shows that the aim of such legislation is to protect our personal data, which is becoming ever more exposed to threats in cyberspace. Given this legitimate aim, what are the core principles that underpin the protection? Many countries have legislated in this area, but this is not the place to discuss all of them. Instead, let us discuss the most influential one these days, the GDPR, and of course Qatar's national data protection legislation.
What is GDPR?
Article 5 of the GDPR outlines six data protection principles for the processing of personal data. These principles summarize the many requirements placed on the data controller and the data processor. We may briefly list them as follows:
(i) Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Although this first principle might seem self-evident, to understand its benefits we have to dig deeper into the obligations of the controller and the processor. Long story short, the GDPR imposes many mandates on both, and specifically on the data controller, to ensure their compliance with the many rules and safeguards of the GDPR.
The right granted by this principle is our right to access our own data that has been collected. Recital 63 explicitly states: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
(ii) Purpose limitation: our personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. So, unless there is clear consent for further processing, the personal data shall not be further processed, and the previously given consent cannot be relied upon even if the new purpose is similar to the initial one.
However, the article provides an exception: where the further processing is for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, it shall be carried out in accordance with Article 89(1). In that case only, the further processing shall not be considered incompatible with the initial purposes, and the derogation applies.
(iii) Data minimization: personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Let us read this principle together with the previous one: organizations shall clearly state the purpose and collect only the data that serves that purpose, and only where necessary to serve it. In this regard, the GDPR has given the data subject a critically important right, the “right to be forgotten”. This right is explained as “a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed…”
(iv) Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
We may connect this principle to the “right to rectification”, which guarantees the accuracy of our data.
(v) Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
(vi) Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
In this regard, the GDPR has introduced new measures named “Data protection by design and by default” to ensure that data is processed in a manner that provides appropriate security for the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through appropriate technical and organizational measures that take due account of the state of the art, so that controllers and processors are able to fulfill their data protection obligations.
These six principles provide an overview of the GDPR; the rest of the Regulation goes into much more detail on the specific practices that organizations should undertake to make sure they meet the GDPR’s compliance requirements.
Check the next article, where we discuss Qatar's personal data privacy law and its impact on Qatari investments, the legal ecosystem, and compliance issues.