Synopsis 01: An Overview of GDPRs in the EU and LU

First, an essential clarification: in general, the word “GDPR” stands for Regulation (EU) 2016/679, the General Data Protection Regulation, which applies directly in the member states of the EU. However, “GDPRs” (with the small ‘s’ at the end) in the title of this synopsis refers to all laws, regulations, and related case law applicable in the area of general data protection in the EU member states, individually and collectively.

The above clarification emphasizes why the sources of GDPRs are so vital for understanding the scope, means, and ends of the legal framework for general data protection in the EU. During the last few years, I have met and consulted with many people, entrepreneurs (e.g., GDPR-related RegTech and LegalTech entrepreneurs), and web-based GDPR-compliance-service providers who, directly and indirectly, work with GDPR. And I found that we often make a mistake with the sources and collective understanding of GDPRs; such a human error is potentially enough to mislead our entire work and purposes and waste the venture capital behind all GDPR-practice-related initiatives.

Therefore, from GDPR-technology designers to GDPR-app developers, legal students, legal experts, data protection officers (DPOs), human rights activists, private and public officials, individuals, and corporates, all of us involved in the area of general data protection practice NEED to understand that Regulation (EU) 2016/679 is one of many laws, regulations, and items of case law currently applicable in the domain of general data protection. For example, the right to information and data protection of criminally convicted persons is not covered by the said Regulation but is specified in Directive (EU) 2016/680 and the laws transposing it in the member states of the EU (e.g., in Luxembourg, the Act of 1 August 2018 is the transposition into national law of Directive (EU) 2016/680).

Please be informed that there is a hierarchy among the various legal instruments (Treaties, Charter, laws, regulations, and case law) involved in the general data protection domain in the EU. At the top are the EU Treaties and the EU Charter of Fundamental Rights; these are the starting points for EU law and are known in the EU as primary law. The link below provides an official description of the sources and hierarchy of EU laws:

Do you know that EU member states have set up national bodies (e.g., CNPD in Luxembourg) responsible for protecting personal data pursuant to Article 8(3) of the Charter of Fundamental Rights of the EU (NOT Regulation (EU) 2016/679)?

Here, however, I have listed the most significant legislative texts of the EU and LU, on which we need collective legal knowledge and understanding:

1) EU Charter of Fundamental Rights and EU Treaties

2) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Please read the Regulation's legal text, which includes the corrigendum published in the OJEU of 23 May 2018.

3) Directive (EU) 2016/680 on the protection of natural persons regarding the processing of personal data connected with criminal offenses or the execution of criminal penalties, and on the free movement of such data, together with the laws transposing it in the member states of the EU.

4) Regulation 2018/1725, which sets forth the rules applicable to personal data processing by European Union institutions, bodies, offices, and agencies. It is aligned with Regulation (EU) 2016/679 and Directive (EU) 2016/680 and entered into application on 11 December 2018. Regulation 2018/1725 also established the European Data Protection Supervisor (EDPS), an independent EU body responsible for monitoring data protection rules within the European institutions and investigating complaints.

5) Law No 686 of 1 August 2018 in Luxembourg, on the organization of the National Data Protection Commission (CNPD), the Luxembourg data protection authority, and the general data protection framework. This Act of 1 August 2018 implements Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repeals the Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

6) Law No 689 of 1 August 2018 in Luxembourg, on the protection of individuals with regard to the processing of personal data in criminal and national security matters. This Act of 1 August 2018 is the transposition into national law of Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

Please do not confuse the role of the European Data Protection Supervisor (EDPS) with the functions of the European Data Protection Board (EDPB), an independent European body established by Regulation (EU) 2016/679 that shall ensure the consistent application of data protection rules throughout the EU.

In general, these legal rules for general data protection can be divided into four major categories. In this synopsis, I briefly share insights in bullet points on these categories (I will share the most critical aspects of these points later):

(1) Rights for citizens

    a. There are nine major types of rights

        i. The right to information

        ii. The right to access

        iii. The right to erasure (the right to be forgotten)

        iv. The right to data portability

        v. The right to restriction of processing

        vi. The right to contest a decision based solely on automated processing, including profiling

        vii. The right to rectification

        viii. The right to delisting

        ix. The right to object

    b. Limitations on exercising the above rights

    c. How to assert the rights

        i. Direct complaint

        ii. File a complaint with the national supervisory authority (e.g., CNPD in LU)

        iii. Referral to the Court

(2) Rules for businesses and organizations

    a. Seven major principles

        i. Principle of lawfulness, fairness, and transparency

        ii. Principle of purpose limitation

        iii. Principle of data minimization

        iv. Principle of accuracy

        v. Principle of retention limitation

        vi. Principle of integrity and confidentiality

        vii. Principle of accountability

    b. Two major applications of privacy

        i. Privacy by design

        ii. Privacy by default

    c. Security of personal data

        i. Security of data processing

        ii. IT security

    d. International transfer of personal data

    e. Data protection impact assessment (DPIA)

    f. Documentation and accountability

    g. Lawfulness of data processing

    h. Processor’s obligations

    i. Handling data breaches

    j. Compliance with the rights of data subjects

    k. Records of processing activities

(3) Data Protection Officer (DPO)

    a. General obligations, such as the responsibilities of the controller and joint controllers

    b. Security of personal data, such as notification of a personal data breach to the supervisory authority

    c. Data protection impact assessment and prior consultation

    d. Designation, position, and tasks of the DPO

    e. Codes of conduct and certification of the DPO

(4) Supervisory bodies

    a. Roles of the national supervisory bodies (e.g., CNPD in LU)

    b. Roles of the European Data Protection Supervisor (EDPS)

    c. Roles of the European Data Protection Board (EDPB)

As mentioned above, in the coming days and weeks, I will share in-depth and critical synopses of the most critical aspects of the above points, such as how to deal with encryption from a general data protection perspective and from the cybersecurity perspective.

If you want to have a more in-depth discussion on these issues, please send me a message. 
