GDPR

European Privacy Law Framework

1981

Council of Europe – Convention 108

protections of individuals with regard to automatic processing of personal data; first binding international instrument

EU Data Protection Directive (95/46/EC)

EU Directive on Privacy & Electronic Communications (2002/58/EC) (ePrivacy Directive)

EU Directive on Electronic Commerce (2000/31/EC)

General Data Protection Regulation (GDPR) (EU)

ORGANIZATIONS

Council of Europe
47 member states

European Economic Area
27 EU states & Iceland, Norway & Liechtenstein

Due to Brexit, the UK left the GDPR & passed amendments to the Data Protection Act 2018 called the “Data Protection, Privacy and Electronic Communication”

EU
27 member states


GDPR

Chapter 1 General

Article 1 – Subject Matter & Objectives

Article 2 – Material Scope

Article 3 – Territorial Scope

Article 4 – Definitions

Article 5 Principles

lawfulness, fairness & transparency

purpose limitation

data minimization (relevance)

accuracy

storage limitations

integrity & confidentiality

Article 6 Criteria

Contract

Legal Obligation

Vital Interest

Legitimate Interest

Consent

Article 7 Consent

Under GDPR, for consent to be valid it must be:

clearly distinguishable from other matters

intelligible

in clear & plain language

freely given

as easy to withdraw as to provide

specific

informed

unambiguous

Article 9 Sensitive Personal Data

Racial / Ethnic Origin

Political Opinions

Religious or Philosophical Beliefs

Trade Union Membership

Genetic Information

Biometric

Health

Sex Life or Orientation

Chapter 3 Rights of the Data Subject

Article 12 – Transparency & Modalities

Articles 13 & 14 – Information to be provided to Data Subject when personal information was or was not obtained from Data Subject

Article 15 – Right of Access by Data Subject

Article 16 – Right of Rectification (to correct inaccurate information)

Article 17 – Right to be Forgotten

Article 18 – Right to Restrict Processing

Article 19 – Notification re Obligations

Article 20 – Right to Data Portability

Article 21 – Right to Object

Article 22 – Automated Individual Decision-Making, including Profiling

Article 23 – Ability of EU & Member States to Restrict Rights in Articles 12 – 22

Chapter 4

Controller & Processor

Article 24 – Responsibility of Controller

Article 25 – Data Protection by Design & by Default

Article 26 – Joint Controllers

Article 27 – When Controller or Processor are not in EU (Use of Representatives)

Article 28 – Processor

Article 29 – Records of Processing Activities

Article 31 – Cooperation with Supervising Authority

Article 32 – Security of Processing

Article 33 – Notification of Personal Data Breach

Article 35 – Data Protection Impact Assessment

Article 36 – Prior Consultation

Articles 37 – 59 – Data Protection Officer

Chapter 7 Cooperation & Consistency

Section 1 – Articles 60 – 62 – Cooperation

Section 2 – Articles 63 – 67 – Consistency

Section 3 – Articles 68 – 76 – European Data Protection Board

Chapter 8 Remedies, Liability & Penalties

Article 77 – Right to Lodge a Complaint with Supervisory Authority

Articles 78, 79 – Right to Effective Judicial Remedy

Article 80 – Right of Representation for Complaints

Article 81 – Suspension of Proceedings if Same Subject Proceeding Elsewhere

Article 82 – Right to Compensation for Damages

Article 83 – General Conditions for Imposing Administrative Fines

Article 84 – Penalties

Chapter 9 Specific Processing Situations

Article 85 – Processing & Freedom of Expression & Information

Article 86 – Processing & Public Access to Official Documents

Article 87 – Processing of National ID Number

Article 88 – Processing Employee’s Data

Article 89 – Safeguards & Derogations for archiving in public interest or for scientific or historical or statistical purposes

Article 90 – Obligation of Secrecy

Article 91 – Rules for Churches & Religious Organizations

Chapter 10 Acts to Delegate & Implement

Article 92 – Delegation of Powers

Article 93 – Committee Procedures

Chapter 11 Final Provisions

Article 94 – Repeal of Directive 95/46/EC (data processing law of 1995)

Article 95 – Relationship with Directive 2002/58/EC (re privacy in electronic communications sector)

Article 96 – Relationship with Previous International Agreements

Article 97 – Commission Reports

Article 98 – Review of Other EU Legal Acts on Data Protection

Article 99 – Entry into Effect: 25 May 2018