Background
The European Union General Data Protection Regulation (the “EU GDPR” or the “Regulation”) is a legal requirement that was adopted by the European Parliament in April 2016 and becomes effective on May 25, 2018. The EU GDPR is a binding legislative act addressing the processing of personal data of individuals physically located within the European Union (“EU”). There is no distinction based upon an individual’s permanent place of residence or citizenship. The scope of the EU GDPR extends to foreign entities that process the ‘personal data’ of EU residents.
The Regulation includes six general principles that state personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Limited to what is necessary in relation to the purposes for which they are processed
- Accurate and kept up to date
- Retained only as long as necessary
- Secure
Personal data consists of any information relating to an identified or identifiable person. The EU GDPR also provides additional protections for sensitive personal data, which includes: racial and ethnic origin; health; genetic/biometric data; religion; sexual orientation; and political views.
Under the Regulation, a data subject is also granted certain rights in relation to the individual’s personal data, including: the right to access; the right to rectification; the right to erasure; the right to restriction of processing; the right to data portability; the right to object to processing; and the right to lodge a complaint with a supervisory authority.