The Territorial and Material scope of the GDPR
The geographic range of the GDPR is broader than that of the current Directive from 1995, because it applies not only to data controllers established in the EU. Under Article 3 of the GDPR, the Regulation also applies to data controllers who are not established in the EU where their processing activities are related to the monitoring of individuals' behaviour, if that behaviour takes place within the European Union.
Companies based outside the EU that process personal data of EU residents for profiling activities will therefore be subject to the GDPR. Accordingly, they will have to comply with its rules on automated decision-making.
This means that companies carrying out marketing activities in Europe, regardless of whether they are established within or outside Europe, fall within the scope of the GDPR in most cases.
Material scope of the GDPR
GDPR article 22 sets out three criteria that can trigger the provisions on automated processing of personal data:
- a decision is made about an EU individual
- the decision has a legal effect or significantly affects the person
- this decision is based solely on automated processing
If the above three criteria are met, "then the data subject shall have the right not to be subject to a decision that is solely based on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her" (article 22, GDPR).
The right "not to be subject" to automated decisions is interpreted as the right to object to such processing.
However, where the profiling is based on a contractual relationship with explicit consent, the controller must implement "suitable measures" to safeguard the rights of the individuals, including the right to contest the decision.
Data controllers are also obliged to inform individuals specifically about "the existence of automated decision making including profiling, as well as the significance and the foreseen consequences for the data subject" (Article 13.2.f of the GDPR).
In conclusion, GDPR explicitly prohibits the use of an individual's sensitive personal data for automated decision-making purposes, unless:
- that individual has given explicit consent (except if a law exempts the individual's consent); or
- computerised decisions are necessary for the general public interest.
What are the practical implications?
Article 22 of the GDPR covers restrictions on automated decision-making with several substantial changes:
- a specific definition for the term 'profiling';
- explicit consent for profiling activities;
- a prohibition on profiling individuals based on their sensitive data;
- an obligation to inform the data subjects specifically about any profiling activities.
Companies must assess whether their intended profiling activities produce any legal effects or significantly affect the individuals concerned. The currently available definitions of what constitutes a "legal effect" or "significantly affects" vary between the EU Member States, as the interpretation of these concepts depends on the national data protection authority or the federal court reviewing the controller's profiling activities.
Reducing the risk to the individuals concerned may be done, for example, by applying data minimisation and pseudonymisation techniques aimed at minimising the risk to their privacy, and by carrying out privacy impact assessments prior to conducting profiling activities, mainly where there is a risk of discrimination, identity theft or fraud, financial loss, damage to reputation, or other adverse effects for individuals.
Non-compliance with the GDPR's provisions on individuals' rights is punishable by a fine of up to EUR 20,000,000, or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
- How can Indian companies be compliant and protect and safeguard customer's personal identifiable information?
- How can Indian IT companies ensure agility, accessibility and flexibility as part of the data strategy?
- How can Indian companies control the data through better policies and parameters, to be compliant with the GDPR?
Also see the article "Data analytics can transform GDPR risk assessment on, e.g., profiling" in this newsletter.
More on the above issues at our events:
http://eugdpr.institute/2017/newdelhi/
http://eugdpr.institute/2017/mumbai/