Key concepts of GDPR
GDPR definitions
- BCRs: Binding corporate rules
- Directive: Directive 95/46/EC
- DPA: Data Protection Act 1998 (UK)
- EEA: European Economic Area
- EU: European Union
- ICO: Information Commissioner’s Office (UK supervisory authority)
Core concepts
- Territorial scope: GDPR applies to organisations:
- One stop shop: Where an organisation has more than one establishment in the EU, it may be able to deal only or mainly with a single national data protection authority as its “lead supervisory authority” for regulation of cross-border processing activities carried out by that organisation.
- Accountability: A controller is responsible for, and must be able to demonstrate compliance with, the principles relating to the processing of personal data.
- Consent: Consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them. Implied consent and pre-ticked boxes will no longer be valid.
- Data minimisation: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Direct processor obligations: Data processors have direct obligations under the GDPR when processing on behalf of client controllers in relation to matters including data security, international data transfers, appointment of sub-processors and security breach notification.
- International transfers: The GDPR codifies new adequate safeguards for data transfers outside the EEA, including:
Data subject rights
- Subject access requests: Individuals have the right to request a broader scope of information, including details of:
  In most cases, the information requested by an individual must be provided without undue delay and in any event within one month of receipt of the request. Unless manifestly unfounded or excessive, the information must be provided free of charge.
- Erasure: Personal data must be erased without undue delay where:
- Portability: If personal data has been provided by the individual and the processing is carried out by automated means based on consent, or where the processing is necessary for the performance of a contract, a controller must, if required by the individual, provide the relevant personal data to the data subject or their nominated controller in a structured, commonly used and machine-readable format.
- Profiling and automated decisions: Individuals have the right not to be subject to a decision evaluating personal aspects relating to them which is based solely on automated processing and which produces legal or other significant effects concerning them (e.g. online credit applications or e-recruiting practices).
- Rectification: Individuals have the right to require a controller to rectify inaccurate personal data concerning them without undue delay.
- Restriction of processing: Individuals have the right to restrict processing where:
- Right to object: Individuals have a right to object, on grounds relating to their particular situation, at any time to processing of personal data which is based on public interest or legitimate interest grounds.
Procedural requirements
- Privacy by design: A data controller must, at the time that the means of processing is determined and at the time of processing itself, implement appropriate technical and organisational measures which are designed to:
- Appointing a processor: Organisations must only use data processors that provide sufficient guarantees that the processing will meet the requirements of the GDPR, and all processing by processors must be governed by a contract or other binding legal act which contains prescribed obligations on the processor. Additionally, processors cannot engage another processor (e.g. a sub-processor) without prior specific or general written authorisation of the controller and, in some cases, the processor must flow down the same provisions as it has in place with the controller.
- Security breach reporting: Organisations must provide notice of a security breach: