The preparations for the application of the GDPR have reached their final phase, since the Regulation is directly applicable in all EU Member States from May 25. Despite the fact that the Regulation will soon become part of daily practice, there are still many misunderstandings and myths concerning the application and interpretation of the GDPR. I attempt to dispel some of the most common misbeliefs below.
1. The Regulation will enter into force on May 25, 2018, and we can start the preparation for its application after its entry into force
Actually, the GDPR has been in force since May 2016. It becomes applicable on 25 May this year, i.e. that is when the two-year preparation period expires. Accordingly, no further period of time is available for the preparation. From then on, the GDPR "goes live" and any further preparation activities can only be carried out under the GDPR regime.
2. GDPR does not apply to SMEs
GDPR applies to all data controllers and processors, regardless of their "size". Even small businesses cannot delay the preparation.
The Regulation does, however, intend to encourage that the special circumstances of SMEs are taken into account when it is applied. It is still unclear how this will work in practice. The GDPR itself contains only a few real deviations or reductions for SMEs. For example, an enterprise or an organisation employing fewer than 250 persons does not need to keep records of its processing activities (unless the processing it carries out is likely to result in a risk to the data subjects, the processing is not occasional, or the processing includes special categories of data). (Please also see my previous post regarding this topic here.)
3. Data processing activities must, in principle, be based on consent
Many data controllers consider consent to be the primary legal basis for data processing. This is not necessarily the case. The data controller is obliged to define the appropriate legal basis for its data processing before starting such activity. The GDPR provides six different legal bases for data controllers in Article 6. When processing special categories of data, controllers must thoroughly review Article 9 of the Regulation.
4. Under the GDPR, direct marketing activities can be carried out without the prior consent of the data subjects concerned
If you read only the GDPR, you may easily feel that direct marketing activities can be based on the legitimate interest of the data controller (i.e. on an opt-out basis).
Article 21 of the Regulation sets out that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing."
The above wording of the GDPR really suggests that direct marketing can work on an opt-out basis; however, sectoral rules may also be applicable in the Member States that require prior consent to direct marketing activities (opt-in). For example, this is the case in Hungary. After the adoption of the e-Privacy Regulation, the situation will probably change (at least according to the currently available drafts). In the meantime, in spite of the fact that the GDPR would provide more possibilities for controllers to apply direct marketing techniques, the provisions of sectoral rules should also be respected.
5. Data processors do not need to worry about anything
The "master" of data processing will of course continue to be the data controller. At the same time, the Regulation imposes far more requirements and obligations on data processors. The accountability principle is also applicable to processors. Processors may also be sanctioned and fined by the supervisory authorities.
+1 Data protection rules do not apply to paper-based data processing
This assumption may be based on the scope of GDPR, which states that "this Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."
The GDPR therefore basically refers to automated or partially automated data processing and to data processing that forms part of a filing system or is intended to form part of a filing system, even if it is not automated. The GDPR also defines the concept of a filing system, which means "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis."
The Regulation also covers manual data processing when it comes to data structured based on specific criteria. On the other side, recital 15 of the preamble to the GDPR provides that "files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation." However, please keep in mind that the laws of the Member State may extend the application of the data protection rules to unstructured files or sets of files, even if they are processed manually. (This will be the case, for example, in Hungary.)