The European Union's General Data Protection Regulation, which came into force last year, is the most significant development in data protection law in the past 20 years.
The regulation also applies to organizations located outside the European Union if they offer goods or services to, or monitor the behavior of, EU citizens. A U.S.-based business that markets to businesses and/or individuals in Europe and collects personally identifiable information, including demographic data, via its website must comply.
The regulation, also known as the GDPR, applies to both "controllers" and "processors." Controllers are organizations that make decisions regarding personal data, while processors are third parties that process personal data for and on the instructions of controllers. If a U.S.-based business with employees located in the EU uses a third-party human resources information system to process HR and compensation transactions, the U.S. employer is the data controller, while the system vendor/operator is the processor.
Personal data includes not only names, addresses and images but also health, ethnicity, religious and political beliefs, as well as biometric and genetic data. In many cases, businesses that use personal data are required to obtain explicit consent from data subjects to do so.
There are also increased requirements as to what information must be provided to individuals via a privacy notice before processing their data. Such notices must be in plain language and prominent.
Individuals have enhanced data subject rights, including the right to be forgotten--also known as the right of erasure--the right of access, the right to understand profiling by controllers and processors, the right of rectification and the right of portability.
Data processing agreements between controllers and processors are required to contain extensive mandatory data protection clauses such as the controller's right to audit its processors, and obligations on processors to assist with subject access requests and data incidents.
If controllers or processors outside the EU are subject to the regulation, they will likely have to designate in writing a representative who must be established in an EU member state where the data subjects are located. When processing of EU citizens' personal data takes place in several member states, the representative will need to be appointed in the member state where most of these citizens are located.
The role of the representatives is to...