GDPR Cheat Sheet
[Updated 06/03/2020]
Having recently covered GDPR's individual rights and data protection principles, and also businesses' top GDPR accountability and governance obligations, I decided in this blog post to put everything together in a simple "GDPR Cheat Sheet" that summarizes the GDPR from a scope, rights, obligations and enforcement perspective. I will subsequently use this cheat sheet to benchmark GDPR against California's CCPA and its (hopefully) soon-to-be ballot initiative, the CPRA.
| # | Category | Topic | GDPR Provision |
|---|---|---|---|
| 1 | Scope | Effective Date | May 25, 2018 |
| 2 | Scope | Who is Regulated? | Applies to "Controllers" (entities who determine the purposes and means of the processing of personal data) and "Processors" (third parties that process personal data on behalf of the controller) who are either: (a) established in the EU, regardless of whether the processing takes place in the EU or not, or (b) not established in the EU but either offer goods or services (irrespective of whether paid or not) to, or monitor the behavior of, EU data subjects. [Article 3] Small and medium-sized enterprises ("SMEs") that process personal data as described above do have to comply with the GDPR. However, if the processing isn't a core part of an SME's business and its activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to it (e.g. appointment of a Data Protection Officer). |
| 3 | Scope | Who is Protected? | An identified or identifiable natural person (i.e. a real person, not a corporation, and not a deceased person), regardless of whether they are a resident of the EU. Also referred to as a "data subject." [Article 4(1)] |
| 4 | Scope | Do Children Get Special Protection? | Yes. In general, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. [Recital 38] Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. EU states may provide by law for a lower age, but not below 13 years. [Article 8] Children must also be able to receive privacy notices in clear and plain language that they can understand. [Article 12] |
| 5 | Scope | Covers Employees? | Yes. EU states "may by law or by collective agreements also provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment of rights and benefits related to employment, and for the purpose of the termination of the employment relationship." [Article 89] |
| 6 | Scope | What Information is Protected? | "Personal data," which means "any information relating to an identified or identifiable natural person (i.e. "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." [Article 4] |
| 7 | Scope | Additional Restrictions on Sensitive Data? | Yes. "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." However, this will not apply in a number of cases, including where the data subject gives explicit consent, where processing is done in the context of labor or employment law, where it is done under social security legislation, where it is done in the vital interest of the data subject, and others. [Article 9] |
| 8 | Scope | Exemptions? | The GDPR does not apply to the processing of personal data (a) in the course of a purely personal or household activity; (b) of deceased individuals; (c) held in unstructured hard-copy format; or (d) for national security and/or law enforcement purposes. [Article 2] |
| 9 | Scope | Lawful Bases to Process Personal Data? | GDPR has six legal bases for processing data: 1. Performance of a contract; 2. Legal obligation; 3. Performance of a task in the public interest; 4. Consent from the individual; 5. Legitimate interest; and 6. Protection of the vital interests of an individual. [Article 6] Specific to consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data, and must have a record of when the consent was given. Consent shall be presented in a manner which is clearly understood. It must be informed consent, freely given (i.e. "opt-in"), and it can be revoked. [Article 7] |
| 10 | Scope | Law is Protected from Watering Down? | N/A |
| 11 | Individual Rights | Right to be Informed (aka Right to Know or Right to be Notified) | At the time personal data is obtained, the controller must provide the data subject with detailed information about its data collection and protection activities, including the legal basis for the processing, and must inform the data subject of their individual rights vis-a-vis their personal data. The controller must also provide notice regarding personal data collected by third parties. [Articles 13, 14] |
| 12 | Individual Rights | Right to Access | "Data subjects have the right to obtain from the controller whether or not personal data about the subject is being processed, and if that is the case, be able to access that personal data", as well as additional information such as the purposes of the processing, the categories of personal data, the recipients of that data, how long that data will be stored, etc. [Article 15] |
| 13 | Individual Rights | Right to Correct (aka Right to Rectification) | The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed. [Article 16] Furthermore, the controller must take steps to inform the other recipients of that subject's personal data that it has been rectified. [Article 19] |
| 14 | Individual Rights | Right to Delete (aka Right to Erasure or Right to be Forgotten) | Data subjects have the right to obtain from the controller the erasure of personal data under six different scenarios, including where the personal data are no longer necessary in relation to the purposes for which they were collected, where the data subject withdraws consent and there is no other lawful basis for processing, and where the personal data have been unlawfully processed. [Article 17] Furthermore, the controller must take steps to inform the other recipients of that subject's personal data that it has been erased. [Article 19] |
| 15 | Individual Rights | Right to Restrict Processing | GDPR gives a data subject the right to restrict the controller's processing of the data subject's data under a few scenarios, including where the accuracy of the personal data is contested by the data subject or where the processing is unlawful. [Article 18] Furthermore, the controller must take steps to inform the other recipients of that subject's personal data that its processing has been restricted. [Article 19] |
| 16 | Individual Rights | Right to Data Portability | The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller. [Article 20] |
| 17 | Individual Rights | Right to Object to Processing | "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her." Objections can be based on concerns over profiling, direct marketing, scientific research and other matters. [Article 21] |
| 18 | Individual Rights | Right to "Opt Out" of Sale and Sharing of Personal Information (aka Right to Say No) | This is not one of GDPR's formally defined rights per se (it was added to this cheat sheet to benchmark against CCPA and CPRA), but GDPR does provide other rights that can net the same result, e.g. the right to object: "Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." [Article 21] In addition, data subjects could withdraw their consent as part of their right of erasure vis-a-vis direct marketing. [Article 17] |
| 19 | Individual Rights | Right to Limit Use of Sensitive Personal Information (including Precise Geolocation) | This is not one of GDPR's formally defined rights per se (it was added to this cheat sheet to benchmark against CCPA and CPRA), but it is an implicit right in that the use of sensitive personal information is prohibited: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." However, this will not apply in a number of cases, including where the data subject gives explicit consent, where processing is done in the context of labor or employment law, where it is done under social security legislation, where it is done in the vital interest of the data subject, and others. [Article 9] For other categories of personal information that are found in the CPRA definition of sensitive data, GDPR provides the rights of restriction and objection (see above). |
| 20 | Individual Rights | Right to Reject Automated Decision Making and Profiling | "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." Exceptions include the data subject's explicit consent or the performance of a contract. [Article 22] |
| 21 | Individual Rights | Right of No Retaliation (aka Right to not be Discriminated Against) | This is not one of GDPR's formally defined rights per se (it was added to this cheat sheet to benchmark against CCPA), but GDPR implies that discrimination is not allowed, e.g. "The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to ... rise to discrimination". [Recital 75] |
| 22 | Obligations | Privacy Policy Disclosure | Per Article 5, the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 of Article 5 ('accountability'), the first item of which is that personal data shall be "processed lawfully, fairly and in a transparent manner in relation to the data subject." This means the controller is obligated to publish a clear privacy notice and to inform the data subject of their rights, including their "Right to be Informed." [Article 5] |
| 23 | Obligations | Data Protection by Design and Default | Controllers must implement data protection by design and by default, e.g. "the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner." Furthermore, "the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed." [Article 25] |
| 24 | Obligations | Written Contracts with Processors / Service Providers / Contractors / Third Parties | "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller." [Article 28] |
| 25 | Obligations | Maintain Records of Processing Activities | "Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility." [Article 30] |
| 26 | Obligations | Respond to Rights Requests | "The controller shall facilitate the exercise of data subject rights ... and shall not refuse to act on the request of the data subject for exercising his or her rights ... unless the controller demonstrates that it is not in a position to identify the data subject." Furthermore, "the controller shall provide information on action taken on a request ... to the data subject without undue delay and in any event within one month of receipt of the request." [Article 12] |
| 27 | Obligations | New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information) | N/A |
| 28 | Obligations | Implement Appropriate Security Measures | "The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk", including "pseudonymisation and encryption of personal data" as well as the ability to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." [Article 32] |
| 29 | Obligations | Security Breach Notification | Controllers must notify both the supervisory authority and impacted data subjects within 72 hours. There is a carve-out for notifying the supervisory authority where "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." The carve-out for notifying data subjects applies if the data were encrypted and not readable. [Articles 33, 34] |
| 30 | Obligations | Data Protection Impact Analysis | "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data." [Article 35] |
| 31 | Obligations | Data Protection Officers | Controllers and processors must appoint a Data Protection Officer (DPO) in specific instances, including when their core activities include monitoring of data subjects on a large scale. The DPO should have a certain amount of independence and be the main point of contact with the supervisory authority. Specific tasks are spelled out in Article 39. [Articles 37-39] |
| 32 | Obligations | Adhere to the Rules of Cross-Border Data Transfers | Transfers of personal data outside the EU are restricted, with the following exceptions: (1) transfers to countries or territories deemed "adequate" by the European Commission in terms of the protection of personal data are permitted (note that the US, or states such as California, do not have an "adequacy decision"); (2) where there is an EU-approved transfer agreement and/or mechanism (e.g. the EU-US Privacy Shield and/or binding corporate rules between a controller and a processor); or (3) where an exception applies to the specific personal data, such as explicit consent. [Articles 44-50] |
| 33 | Enforcement | Dedicated Supervisory Authority | Each European Union Member State shall have at least one independent "Supervisory Authority" (SA) [Article 51] that "shall contribute to the consistent application of this Regulation throughout the Union." [Article 51] Each SA shall "remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody." [Article 52] Each SA "shall facilitate the submission of complaints" that are "free of charge" for data subjects. [Article 57] Each SA has a number of investigative and corrective powers as well as authorization and administration powers, including the ability to issue fines. [Article 58] Each SA "shall draw up an annual report on its activities" [Article 59], cooperate with other SAs [Article 60] and provide mutual assistance [Article 61]. The European Data Protection Board is an oversight body whose task is to "ensure the consistent application of this Regulation" and which provides advisory services to both the Member States' SAs and the European Commission [Article 70]. It issues "guidelines, recommendations, and best practices on procedures" related to the GDPR. [Article 69] The Board is composed of the head of each Member State's SA [Article 68] and shall act independently. [Article 69] "The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations." [Article 71] |
| 34 | Enforcement | Penalties (Civil Fines) | A range of penalties can be issued by Supervisory Authorities, including: (1) fines up to €20 million or 4% of annual worldwide turnover; (2) requiring entities to change how they process personal data; and/or (3) stopping entities from processing data altogether. [Articles 83-84] |
| 35 | Enforcement | Penalties (Private Rights of Action) | Data subjects have private rights of action that can be filed against controllers and processors. These private rights of action can be for material or non-material damage. Furthermore, there is a mechanism spelled out to enable a not-for-profit body, organization or association to bring class action claims. Data subjects can also lodge complaints with Supervisory Authorities. [Articles 77-82] |
There are a number of other executive summaries of GDPR which you may find helpful, including the ones below that also compare GDPR to CCPA:
Next up in my blog posts: the California Consumer Privacy Act (CCPA), as well as a look at California's Data Breach Notification law.