General Data Protection Rule
The GDPR 2016 has eleven chapters, concerning general provisions, principles, rights of the data subject, duties of data controllers or processors, transfers of personal data to third countries, supervisory authorities, cooperation among member states, remedies, liability or penalties for breach of rights, and miscellaneous final provisions.
Unless a data subject has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so. Article 6 states the lawful purposes are:
(a) If the data subject has given consent to the processing of his or her personal data;
(b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
(c) To comply with a data controller's legal obligations;
(d) To protect the vital interests of a data subject or another individual;
(e) To perform a task in the public interest or in official authority;
(f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
If informed consent is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely-given. (Recital 32)
Assessing and maintaining compliance with the strict EU General Data Protection Rule (GDPR) is made easy. Address each of the rules included in the sweeping regulation, and automatically flags areas of non-compliance, along with instructions on what to do about it.
Monday-Thursday: 9:00am - 5:00pm
Friday: 9:00am - 12:00pm
© 2020 Shenandoah HIPAA Consultants, LLC Stephens City, Virginia