GDPR - Privacy and Protection of PII


Recitals: 1, 2, 4, 6, 7, 74, 75
Recital - 1.
Data Protection as a Fundamental Right
Executive Summary
Companies do not own the data they keep or create regarding EU citizens; they are custodians. The expectation of data privacy has become a civil right and failure by the custodian to protect data has become a violation of civil rights. These rights are not constrained within the territory of the EU.
Quick Wins
Know what data you collect intentionally and inadvertently. This includes call logs, voicemail recordings, server logs, VPN records, internet use records, security video feeds, etc. It also includes inadvertent data such as the OS of a computer a customer is using to access your website or the headers in an email. Provide that list to anyone you collect data about.
Recital Text
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
Recital - 2.
Respect of Fundamental Rights & Freedoms
Executive Summary
The regulations cover all EU territories and EU citizens.
Quick Wins
Publish the physical address of any business locations that do OR MIGHT process data related to a resident of the EU or EEA.
Recital Text
The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
Recital - 4.
Data Protection in Balance with Other Fundamental Rights
Executive Summary
Fundamental rights (like a request for minutes from a government meeting) supersede privacy rights (like disclosing the attendees of that meeting). In this case, the fundamental right of government transparency supersedes the right to privacy of the attendees of that meeting.
Quick Wins
Inform employees, customers or partners that attendance of meetings, functions or events may be disclosed and will not be considered private.
Recital Text
The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
Recital - 6.
Ensuring a High level of Data Protection
Executive Summary
The GDPR includes all EU member states, Third Countries and international organizations where EU citizens reside or conduct business.
Quick Wins
Be aware that GDPR covers citizens of countries in North America, South America, Europe and Asia as well as certain Pacific Islands. This regulation is not exclusive to the EEA.
Recital Text
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of the protection of personal data.
Recital - 7.
Framework Based on Control and Certainty
Executive Summary
Individuals have control over their personal data and its use.
Quick Wins
Disclose to your employees, partners, vendors and customers what you collect, why, how long it is kept and how to contact the DPO.
Recital Text
Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.
Recital - 74.
Responsibility and Liability of the Controller
Executive Summary
Invest in IT security systems and personnel.
Quick Wins
Invest in IT security systems and personnel.
Recital Text
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
Recital - 75.
Risks to the Rights and Freedoms of Natural Persons
Executive Summary
Processing data poses a variety of risks to the Data Subject and to the Processor.
Recital Text
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymization, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
Executive Summary
Policies on privacy and protection of personally identifiable information of EU citizens and those within EU territories shall be created, approved by management, communicated to employees and relevant parties, and kept updated as required. These policies should take into account the risks resulting from personal data processing.



Article ID: 278
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/gdpr-privacy-and-protection-of-pii-278.html