- Article 2 – Material Scope: Defines what type of data processing is covered.
- Article 3 – Territorial Scope: Defines where GDPR applies (anything that happens in Europe/concerns a European citizen/institution).

Data Processing Rules
- Article 5 – Principles for processing personal data (lawfulness, transparency, purpose limitation, etc.).
- Article 6 – Lawful basis for processing personal data.
- Article 9 – Prohibits processing of special categories of personal data (e.g., health data, racial origin, biometrics) unless exceptions apply.

Data Subject Rights
- Articles 12-14 – Transparency requirements.
- Article 15 – Right of access (users can request their data).
  - Purposes of the processing;
  - The categories of personal data concerned;
  - The recipients to whom the personal data have been or will be disclosed;
  - Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  - The existence of the right to request from the controller rectification or erasure or restriction of processing of personal data;
  - The right to lodge a complaint with a supervisory authority;
  - Where the personal data are not collected from the data subject, any available information as to their source;
  - The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Article 16 – Right to rectification (correct inaccurate data).
  - The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
  - Taking into account the purposes of processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Article 17 – Right to erasure ("right to be forgotten").
  - The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if:
    - The request is based on specific grounds
    - The right to erasure is not excluded based on specific exceptions
- Article 18 – Right to restriction of processing.
  - The data subject shall have the right to obtain from the controller restriction of processing
  - Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- Article 20 – Right to data portability (transfer of data).
  - The data subject shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data from the controller to a new controller, without hindrance, where:
    - The processing is based on a contract or on consent; and
    - The processing is carried out by automated means
  - The right to data portability shall not adversely affect the rights and freedoms of others
- Article 21 – Right to object to processing.
  - The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her where processing is necessary for:
    - the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    - the purposes of the legitimate interests pursued by the controller or by a third party
- Article 22 – Rights regarding automated decision-making and profiling.
  - The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  - This right does not apply where the processing:
    - is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    - is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
    - is based on the data subject's explicit consent.
- Article 34 – Data breach communication to the data subjects
- Article 35 – Data Protection Impact Assessment (DPIA)