Even if you are not a business owner or a corporate officer or manager, by now you have probably heard the term ‘GDPR’, or the phrase ‘General Data Protection Regulation’, which is what ‘GDPR’ stands for. As an individual you may have thought “Whatever the heck GDPR is, it doesn’t affect or apply to me.” But you would quite possibly be wrong. The good news is that, as an individual, you are the protected entity covered by the ‘Protection’ in General Data Protection Regulation!
GDPR specifically protects individuals in the EU or, as it says, “in the Union”. Now, for those of you sitting or standing in an EU country right now, it is probably fairly clear that GDPR protects you. But because of the vagueness of parts of GDPR, along with ambiguities as to what GDPR actually means in other parts, it could well be construed to cover individuals whose data is anchored “in the Union”, individuals who are flying over the EU at the time they provide their personal data, etc., etc.
None of this is as far-fetched as it may sound, and it will undoubtedly at some point be cleared up by either the Commission issuing clarifications, or, more likely, by litigation.
So, basically, it’s fair to assume, until further notice, that if you can assert just about any connection to the EU that passes what we in the legal biz call “the straight face test”, then it’s not unreasonable for you to initiate an action under GDPR if you believe that the handling of your personal data is in violation of GDPR.
And, as an individual, you can bring such an action, because GDPR specifically provides for what’s known as a “private right of action”, meaning that individuals can sue an entity directly for violation of GDPR.
So, what are the protections that GDPR gives to individuals? That is, what are the rights granted to individuals (known as “data subjects” in GDPR) under GDPR?
The Rights of Individuals Under GDPR
- The right to have your personal data collected only when you provide informed consent.
- The right to be informed as to who it is collecting your information, and their contact information.
- The right to be informed as to why they are collecting your information and what they are going to do with it.
- The right to be assured that they will not do anything with your personal data that they have not both informed you of, and obtained your express, informed consent to.
- The right to know whether they intend to transfer your data to a third party, and, if so, to whom, and where they are located (particularly if in another country).
- The right to know for how long they intend to store your data.
- The right to access your data that they have stored.
- The right to update or otherwise amend your data that they have stored.
- The right to withdraw your consent to the use and retention of your data at any time.
- The right to have them delete your data (a/k/a “the right to be forgotten”).
- The right to have authorities notified if your data has been breached, within 72 hours of the discovery of that breach.
- The right to bring legal action under GDPR for a breach of any of the requirements of GDPR.
Pretty impressive list, right?
The other things that you may have heard in connection with GDPR are the terms “Data Controller” and “Data Processor”.
From the individual’s standpoint, the Data Controller is any entity to whom you have given your personal data, or who has otherwise collected your personal data. So, for example, if you give Acme Company your personal data during a sales transaction (name, address, phone number, email address, and on and on), Acme is a Data Controller. If Acme then uploads their customer list, including your data, to Email Marketers Я Us so that they can send out their email newsletter, then Email Marketers Я Us is a Data Processor.
Speaking of Data Controllers and individuals, GDPR very specifically exempts individuals who collect personal data from other individuals for personal use.
Section 18 of the prefatory language of GDPR says very specifically:
“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”