European Union: GDPR, Part VII: A Brief Guide To The GDPR

On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) will take effect. The primary objectives of the GDPR are to return control of "personal data" to EU citizens and residents and to simplify the regulatory environment for international business by unifying regulations within the EU. In practice, the GDPR will be, by far, the world's most comprehensive and complex data protection law, and it will not apply only to businesses in Europe. Instead, the GDPR will require any business that offers goods or services to EU citizens, or that monitors EU citizens' behavior to comply with its rules or face hefty penalties.

The Digital Insights blog has published a comprehensive, seven-part guide to the GDPR, which can be viewed here. The purpose of this article is to provide a brief synopsis of the critical aspects of the GDPR.

Key GDPR Terms

The GDPR broadly defines "personal data" as information relating to an identified or identifiable natural person (referred to as the "data subject"). Unlike U.S. breach notification laws, which are concerned with narrow classes of statutorily defined "personal information" such as Social Security numbers or driver's license numbers, "personal data" under the GDPR can be virtually any information that identifies the data subject. The GDPR's definition can overlap with U.S. law, but it can also be far broader to include information about a data subject, location data on a mobile device, or an IP address, just to name a few.

As far as personal data is concerned, the GDPR applies when data is "processed", meaning "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." This too is a broad definition and applies virtually any time personal data is used with automated means.

The identity of who controls the processing is another key aspect of the GDPR. A "controller" is a legal or natural person who controls the "purposes and means" of processing data. A "processor" is a legal or natural person who processes personal data on behalf of a controller. The GDPR strictly governs the controller-processor relationship, and the relationship can be complex.

Additionally, the GDPR defines "sensitive personal data" as "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." This data is subject to even higher restrictions on processing.

Is My Business Subject to the GDPR?

As discussed above, the GDPR applies not only to businesses within EU member states, but also to businesses anywhere in the world that offer goods or services to EU citizens or monitor the behavior of EU citizens. The determination about whether a U.S.-based business is subject to the GDPR must be made on a business-by-business basis.

Assuming a business outside of the EU or European Economic Area, the GDPR specifies that data may be transferred by that business (or the country in which the business is located) only if the controller and processor comply with certain conditions. Most notably, external data transfers can be effectuated where there has been an "adequacy decision" by the European Commission, finding that the target country has adequate safeguards in place to protect the data. Crucially, the U.S. is not on the list of countries with adequate safeguards in place. However, since 2016, there has been a "Privacy Shield" in place, whereby the U.S. Department of Commerce can certify that certain U.S. businesses provide adequate safeguards.

Other methods of effectuating external data transfers include adopting binding corporate rules, certain standard data protection clauses, approved codes of conduct, and approved certification mechanisms.

Key Compliance Elements for Businesses Subject to the GDPR

If a business is subject to the GDPR, it will have to comply with a number of requirements and could be subject to severe penalties for non-compliance. Below is an outline of some of the more important requirements, penalties, and features of the GDPR.

The Data Privacy Officer Requirement: Public entities, as well as private companies that process personal data on a large scale or primarily process large amounts of sensitive personal data or criminal convictions data must appoint a Data Privacy Officer (DPO). The DPO must be involved in all issues relating to personal data and must have independence within the company (e.g., not follow instructions from others and not face penalties for doing his or her job). Generally speaking, the DPO must advise the company on GDPR compliance and obligations under the GDPR and cooperate with supervisory authorities. Lewis Brisbois can act as an external DPO for organizations.

Controller-Processor Contracts: Processors must enter into contracts with controllers that, among other things, specify the subject matter and duration of processing and types of personal data to be processed. The contracts must include numerous provisions, including that the processor will act only as instructed by the controller. If a processor wishes to sub-contract to a sub-processor, it will need consent from the controller and will need to enter into a contract with the sub-processor that imposes the same legal obligations as those imposed between the controller and processor. This is a key component of defining the controller-processor relationship, because a processor that begins to make decisions about the purpose and means of processing data (beyond mere technical means) may be defined as a controller by operation of law and may then have higher obligations under the GDPR.

Data Privacy Impact Assessments: If processing — particularly by using new technologies — is likely to pose a high risk to the rights and freedoms of data subjects, a Data Privacy Impact Assessment (DPIA) must be carried out to assess the impact of the proposed processing. There are certain instances where DPIAs are necessary (e.g., processing sensitive personal data), and supervisory authorities are permitted to specify other areas in which DPIAs are required to be undertaken.

Sensitive Personal Data Requirements: Article 9 prohibits the processing of sensitive personal data, unless certain exceptions can be met (e.g., the data subject has consented, processing is necessary to carry out the controller's obligations related to employment, processing is necessary to protect the data subject's vital interests, processing relates to personal data that is "manifestly made public by the data subject," etc.).

Breach Notification Requirements: In the event of a data breach, a controller must notify supervisory authorities "without undue delay and, where feasible, not later than 72 hours after having become aware of it . . . unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." This is a vastly more stringent notice requirement than U.S. laws, which typically require notice in 30, 45, or 60 days. Unlike U.S. laws, however, the GDPR does not always require notice to the data subject, but rather only when "personal data breach is likely to result in a high risk to the rights and freedoms of natural persons." In such a case, the controller must notify the data subject "without undue delay."

Penalties: The GDPR sets severe penalties for non-compliance. Certain acts of non-compliance can result in penalties, including the higher of 10 million Euros or two percent of a business' annual, worldwide turnover for the prior year. For certain other, more egregious violations, the penalties can be the higher of 20 million Euros or four percent of a business' annual, worldwide turnover for the prior year. The term annual, worldwide turnover is roughly equivalent to the gross annual revenue for a business.

Relation to Other EU Laws: The GDPR is but one European privacy law, and is in effect side-by-side with the 2016 Law Enforcement Data Protection Directive (LEDP Directive), the goal of which is to synchronize EU rules and protect fundamental rights whenever law enforcement uses personal data to prevent, detect, or prosecute crimes. The GDPR is also augmented by the ePrivacy Directive, which imposes requirements for the processing of personal data on public communications networks (notably, for the use of cookies). The GDPR also makes clear that in many respects, member states are free to enact their own, more stringent laws. For example, while the GDPR requires that personal data collection of children under 16 be subject to more stringent requirements, it also permits member states to enact laws imposing those same requirements on personal data collection for children ages 13 and below.

Rights Created or Augmented by the GDPR

The GDPR creates and/or augments many rights for data subjects. It is critical for businesses who qualify as controllers or processors to understand these rights because those businesses may need to provide certain information or access to data subjects. A brief summary of those rights is below:

Right to Transparent Information: If information is provided by a controller to a data subject, that information must be "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child." The GDPR identifies the kinds of information that are required to be provided to a data subject and when it is to be provided. 

Right of Access: Data subjects have the right to certain information from controllers, including the purposes of the processing, the categories of personal data that are being processed, and recipients of personal data.

Right to Rectification: The GDPR creates a right to rectification of personal data held by a controller or processor in certain instances.

Right to Erasure: The right to erasure (better known as the right to be forgotten) requires controllers and processors to erase personal data upon request where certain criteria apply (e.g., the data is no longer necessary, it was not lawfully possessed, etc.)

Right to Restriction of Processing: Similar to the right to erasure, a controller or processor must cease or restrict processing upon request by a data subject if certain conditions are met.

Obligation to Notify Recipients: To the extent that a controller is required to erase or rectify personal data, the controller, generally, must notify each recipient of that personal data.

Right to Data Portability: Data subjects have the right to receive personal data about themselves from a controller or to have that personal data transferred to a new controller or third party in a "a structured, commonly used and machine-readable format." Thus, businesses that are deemed controllers now have the obligation to assist in the transfer of customers' information to third parties (including, potentially, to competitors).

Right to Object: Data subjects have a right to object to processing, and controllers must comply with objections promptly, absent certain circumstances.

Automated Decision-Making and Profiling Rights: One of the more cutting-edge rights created by the GDPR is the right of data subjects, in certain circumstances, "not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." This right is tremendously important for businesses that advertise online and/or that create profiles of potential customers.


This article is intended to provide a synopsis of the rights of data subjects, obligations of controllers and processors, and rights of data subjects. Compliance with the GDPR can be difficult, and Lewis Brisbois is here to advise you every step of the way.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions