At the outset, it is important for users to know what the GDPR is. The General Data Protection Regulation, or GDPR, is a European Union regulation that replaces and supersedes the previous data protection law. The protection of individuals in relation to the processing of personal data is one of the fundamental human rights; central to it are respect for private and family life and the handling of sensitive information about other persons.
A comprehensive set of data protection rules came into force on 25 May 2018, which means that from this date all users must review and standardise their information systems and data handling practices. The flow of personal data within the Union is controlled, and the Regulation guarantees a high level of protection against misuse of sensitive information.
The General Data Protection Regulation (GDPR) is the European Union’s strict regulation on the protection of consumers’ personal data. With its unprecedented scope and reach, the GDPR is the most important data protection policy since the commercialisation of the internet in the 1990s. The new law strengthens the data protection rights of European Union citizens and creates new obligations for organisations that control and process this data. Regardless of where they are located, those who control or process this data must comply with the rules set out in the GDPR.
GDPR compliance applies to websites and all online platforms. It affects user experience, content, marketing, analytics and all online activities.
When is processing of personal data allowed?
- when the company or organisation has a contract with the user – for example, a contract for the supply of goods or services;
- to comply with a legal obligation – where processing the data is a legal requirement, for example if the user’s employer provides monthly salary data to a social security authority for social security purposes;
- when processing is in the user’s vital interest – for example, if it can protect the user’s life;
- if there are legitimate interests – for example, where a bank uses personal data to check whether a person is eligible for a savings account with a higher interest rate.
Consent to personal data processing
The consent required by the company or organisation must be clearly and actively expressed by the user, for example by signing a consent form or by selecting “yes” when offered a yes/no choice on the website.
Importantly, the absence of an objection is not consent: a box indicating only that the user does not wish to receive marketing emails, for example, is not enough. The user must actively agree to the storage of personal data and/or to its re-use for the stated purpose.
Before giving consent, the user should have the following information:
- information about the company/organisation that will process the data, including its contact details and those of the responsible person;
- the reason why the company/organisation will use the user’s personal data;
- how long the personal data will be kept;
- information on data protection rights such as access, rectification, …
Withdrawal of consent to the use of personal data and the right to object
If the user has given a company or organisation consent to use personal data, he or she may contact the controller at any time to withdraw that consent. Once consent is withdrawn, the company or organisation can no longer use the personal data.
If the organisation processes the user’s personal data on the basis of its legitimate interest or in the context of a task carried out in the public interest or for reasons of public authority, the user may have the right to object. In some specific cases, the public interest may prevail and the company or organisation may be allowed to continue to use the personal data. This situation may arise in the case of scientific research or statistics.
Special rules concerning children
If children want to use online services such as social networking sites, music downloads or games, they usually need the consent of a parent or guardian because these services use the child’s personal data. After the age of 16, a child does not need parental consent, and in some EU countries the age limit is already 13.
Does the GDPR replace the PECR?
For better understanding: the PECR is a 2003 directive whose full name is the ePrivacy Regulation, and it is based on European law. This directive sets out privacy rights in the field of electronic communications. It recognises that widespread access to digital mobile networks and the Internet opens up new opportunities for businesses and users, but also that this level of accessibility brings new privacy risks.
The main difference is that the GDPR concerns the processing of personal data in general, whereas the PECR applies specifically to e-marketing and contains specific rules on, for example, cookies, the security of communication services and customer privacy regarding location data.
What are cookies?
Although cookies are governed by the PECR, it does not specify exactly what information the user must be given about them or how it is to be provided. Cookies are text files containing information such as usernames and passwords that are used to identify a computer on a computer network. Specific cookies, also known as HTTP cookies, are used to identify individual users and to improve the browsing experience. HTTP cookies are essential to the modern internet and also serve to protect user privacy.
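The consent rules described above (consent must be actively given, silence or a mere opt-out does not count, and consent can be withdrawn at any time) translate directly into how a website decides which cookies it may set. The following is an added example written for this page, not code from the original text or from any regulator: it classifies cookies by purpose, keeps only those whose purpose has an explicit “granted” record, and produces the headers needed to expire the rest after a withdrawal. The cookie names, the purpose labels (“essential”, “analytics”, “marketing”) and the consent record format are constructed for the example.

```javascript
// Added example (not from the original page): a consent-gated cookie policy.
// Cookie names, purposes and the consent record are constructed sample data.

// Cookie catalogue: the documented purpose of each cookie the site sets.
// "essential" is this example's label for cookies the site needs to function.
const COOKIE_CATALOGUE = {
  session_id: "essential",
  csrf_token: "essential",
  _analytics_id: "analytics",
  _ad_segment: "marketing",
};

// Consent record (constructed format): each non-essential purpose maps to
// "granted" (the user actively chose yes) or "denied" (declined or withdrawn);
// a purpose that is absent means no choice has been made yet.
function isPermitted(purpose, consent) {
  if (purpose === "essential") return true;
  // Only an explicit, affirmative choice counts. A pre-ticked box, an
  // unanswered banner or a "do not email me" opt-out is not consent.
  return consent[purpose] === "granted";
}

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    out[eq === -1 ? trimmed : trimmed.slice(0, eq)] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return out;
}

// Decide which of the cookies currently present may be kept and which must be
// removed. A cookie not in the catalogue has no documented purpose, so it is
// removed as well.
function reconcileCookies(cookieString, consent, catalogue = COOKIE_CATALOGUE) {
  const present = parseCookieString(cookieString);
  const keep = [];
  const remove = [];
  for (const name of Object.keys(present)) {
    const purpose = catalogue[name];
    if (purpose !== undefined && isPermitted(purpose, consent)) keep.push(name);
    else remove.push(name);
  }
  return { keep: keep.sort(), remove: remove.sort() };
}

// Set-Cookie headers that expire the cookies to be removed (Max-Age=0).
function expiryHeaders(names) {
  return names.map((n) => `${n}=; Max-Age=0; Path=/`);
}

// Constructed request state: one essential cookie, two non-essential ones,
// and one cookie the site never documented.
const SAMPLE_COOKIES = "session_id=abc123; _analytics_id=u-42; _ad_segment=7; tracker_x=1";

function demo() {
  // The user actively clicked "yes" for analytics and made no choice on marketing.
  const consent = { analytics: "granted" };
  const before = reconcileCookies(SAMPLE_COOKIES, consent);
  // Later the user withdraws analytics consent (recorded as "denied").
  const after = reconcileCookies(SAMPLE_COOKIES, { ...consent, analytics: "denied" });
  return { before, after };
}

const result = demo();
console.log("with analytics consent:", result.before, expiryHeaders(result.before.remove));
console.log("after withdrawal:", result.after, expiryHeaders(result.after.remove));
```

Note that the marketing cookie is removed in both runs: no choice was ever recorded for it, and under the rules above an absent choice is treated exactly like a refusal, not like consent.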