
GDPR at a glance

Data Protection Regulations in Europe Since May 2018

Since May 25, 2018, data protection in Europe has been governed by the General Data Protection Regulation (GDPR). This European Union regulation applies directly in all member states, without needing to be transposed into national law. In addition, individual member states have their own data protection provisions. Thus, there are two concurrently applicable legal bases: the GDPR at the European level and national laws.

Foundations and Scope of Data Protection Law

At the heart of data protection legislation are various legal bases located at both European and national levels. The European General Data Protection Regulation (GDPR) forms the basis for data protection in the EU and applies to both public and private entities. This regulation is supplemented by national laws. Overall, data protection law covers a broad spectrum of application areas, from authorities to businesses, and varies depending on federal or state jurisdiction.

Scope and Definition of Personal Data in Data Protection Law

The applicability of data protection law, specifically the GDPR, depends on the handling of personal data of living natural persons. Processing includes various operations such as collecting, storing, transmitting, and sharing such data. The nature of the data is crucial: they must be personal, meaning information related to an identified or identifiable natural person. Personal data encompass a wide range of information, from names and identification numbers to location data and online identifiers like IP addresses and cookies, to birth dates and addresses. Also included are characteristics expressing the physical, genetic, psychological, economic, cultural, or social identity of a person. The key factor is whether a person can be identified through these data. When such data are processed, the GDPR applies.

Anonymous vs. Pseudonymized Data in Data Protection Law

In data protection law, a distinction is made between personal and anonymous data. Anonymous data are those that do not allow the identification of a living natural person. Since they do not permit inferences about individuals, they fall outside the provisions of the GDPR and are thus exempt from data protection restrictions.

In contrast are pseudonymized data, a special case of personal data. According to Article 4(5) of the GDPR, pseudonymization refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information. This additional information must be stored separately and protected by technical and organizational measures to prevent attribution to an identified or identifiable person. Pseudonymized data replace identifying characteristics with identifiers such as personnel numbers, fictional names, or encrypted values. However, certain individuals or groups (for instance, whoever holds the additional information) may still be able to identify the person behind such an identifier. For this reason, pseudonymized data remain personal data and fall under the scope of the GDPR, although they enjoy certain privileges within the legal framework. The practical consequence is that data protection law, including the GDPR, must be observed for pseudonymized data despite the use of identifiers.

Territorial Scope and Responsibilities in the General Data Protection Regulation

The question of the territorial scope of the General Data Protection Regulation (GDPR) arises after clarifying the material scope, which encompasses the processing of personal data. It is crucial whether the data processor or the data controller has an establishment within the European Union (EU). If this is the case, the GDPR applies, regardless of where the data processing actually occurs. This principle is known as the establishment principle: An EU establishment entails the application of the GDPR, regardless of the location of data processing. Additionally, the scope of the GDPR has been extended. It also applies to controllers or processors who process personal data of individuals who are in the EU, for instance, in the context of offering goods or services or in online marketing activities targeting users’ behavior in the EU. This is known as the market location principle.

The GDPR often refers to “controllers of data processing,” defined in Article 4 Number 7 of the GDPR. Controllers are natural or legal persons, authorities, institutions, or other bodies that alone or jointly determine the purposes and means of processing personal data. Whoever collects, stores, or transmits data and determines the purpose for which they are used is considered the controller. Controllers must comply with the provisions of the GDPR.

Legality of Data Processing under the General Data Protection Regulation

The central question in data protection law is under what conditions the processing of personal data is lawful. Article 6 Paragraph 1 of the General Data Protection Regulation (GDPR) provides the legal bases for this. Lawful data processing can be based on the explicit consent of the data subject. This means that the person expressly agrees that their personal data may be processed. In addition to consent, there are other permissible reasons for data processing, such as the necessity for contract performance. For example, a seller needs the name and address of the buyer for the delivery of goods.

Other legal bases include the fulfillment of legal obligations or the performance of a task in the public interest, which is particularly relevant in the research sector at universities. Similarly, data processing can be legitimate based on a legitimate interest of the controller, provided it does not collide with the fundamental rights and freedoms of the data subject. The interests of the data processor must outweigh those of the data subject, without disproportionately infringing upon their freedoms.

Consent to data processing is detailed in Article 4 Number 11 and Article 7 of the GDPR. It must be voluntary and explicit. Written documentation of consent is advisable, although not mandatory. The data subject has the right to withdraw their consent at any time and must be informed about this right.