Understanding and Demonstrating Alignment with the GDPR

Issue link: https://resources.threatstack.com/i/930584


Page 2 of 18

3 APPLICABILITY

Many companies exploring this privacy regime, in the United States and elsewhere, are asking "does the GDPR even apply to me?" and "how can the GDPR have jurisdiction over our business if we are not even located in the European Union?" The GDPR applies to any organization that offers goods or services (whether or not payment is required) to individuals in the European Union, or that monitors the behaviour of individuals in the European Union. Monitoring in the GDPR framework is closely tied to "profiling", defined as any automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyse or predict performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. It does not matter whether the organization has a physical presence in Europe (the principle of "extraterritoriality").

This applies to both data controllers and data processors. Processors (and any sub-processors, i.e. subservice organizations) are obligated to assist controllers in meeting their security and privacy obligations. In practice, this means a processor must help the controller respond to requests from data subjects exercising their rights (such as the right of access, the right to rectification and the right to erasure) whenever the processor alone holds the personal data or operates the system layer in question, so that the controller cannot fulfil the request without the processor's cooperation.

The "what" covered by this applicability test is the processing of personal data of individuals in the European Union. This covers the familiar types of personal data (name, address, etc.) and now explicitly includes online identifiers such as static and dynamic IP addresses, cookie IDs and similar.

Special categories of personal data, which historically covered information such as religious beliefs, political opinions and sexual orientation, now explicitly include genetic data and biometric data as well, and may only be processed on one of the specific grounds enumerated in the framework. There are also specific handling requirements for personal data belonging to children. Where an online service is offered directly to a child, the child's own consent is valid only from the age of 16; below that age, consent must be given or authorised by the holder of parental responsibility. Member States may lower this threshold, but not below 13. A child under 13 can therefore never consent on their own to the processing of their personal data for online services, and for children between 13 and 15 the rule depends on the age each Member State has set.
