Relevance of GDPR for companies and people inside and outside of the EU
It has been a while since Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") came into force.
It should be seen as a tool to achieve consistency between the right of controllers to process personal data and the rights of data subjects to be protected against unlawful, excessive and unjustified processing of their personal data.
The aim of the GDPR is to achieve a situation where only personal data about data subjects is processed which is necessary for its processing and that every natural person knows at any point in time who is processing his or her personal data, for what purpose, in what way, with whom he or she is sharing it, and for how long he or she is storing it.
For this reason, the GDPR has set out the rules for processing, including the legal basis for such processing. These are (i) consent of the data subject, (ii) performance of a contract to which the data subject is a party, (iii) performance of a legal obligation of the controller, (iv) protection of the vital interests of the data subject or of another natural person, (v) performance of a task carried out in the public interest, (vi) legitimate interest of the controller or of a third party.
In order to protect the personal data of data subjects (in the context of GDPR mainly EU citizens and EU resided third country nationals), a mechanism had to be included in the GDPR to protect these data even in the case of cross-border transfers. The basic rule for cross-border transfers set out in Article 1(3) of the GDPR means, in practice, that when personal data are transferred within EU and EEA countries, the rule of free movement of personal data applies. For transfers to third countries, the transfer is possible if (i) a so-called adequacy decision is issued for the country in question (if the third country sufficiently enforces the rule of law), or (ii) an 'adequate safeguards' is available (the data subjects have enforceable rights and effective legal remedies), or (iii) an exemption is available (a similar situation to the legal bases for processing under the GDPR).
In other words, the GDPR Regulation is a legal framework that imposes obligations on so-called controllers (businesses, public authorities and other entities that process personal data in the course of their activities) to ensure that the personal data (any information relating to an identified or identifiable natural person directly or indirectly) of data subjects (i.e., an identifiable natural person who can be identified directly or indirectly) are protected in an effective manner, both within and outside the EU.
With hindsight, it can be said that, in theory, this protection is ensured and, in practice, the level of this protection varies depending on the quality of the application practice of the authorities in the Member States concerned, as well as in third countries where there has been a lawful cross-border transfer.
AUTHOR