Category: GDPR Articles

Article 27: The Facts GDPR doesn't apply to your personal data once you've passed away.  Except when it does! Article 27 consists of two sentences. This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons. Graeme's View Your death does not signal a free-for-all on your personal data.  As I've said elsewhere, individual nations can and do apply their own regulations here.  For example, in Denmark the GDPR applies for 10 years after the death of the data subject. The deceased person's family, heirs and/or other nominated people may have rights under national law over the use and protection of the data.  A common case for this would be to access and administer…

Article 94: The Facts This brief article repeals the 1995 Data Protection Directive. Article 94 consists of two clauses. Directive 95/46/EC is repealed with effect from 25 May 2018. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation. The old Data Protection Directive 95/46/EC came into effect on 24-Oct-1995 and regulated the processing of personal data within the European Union. It was an important piece of privacy legislation, and to some extent it was a forerunner of the GDPR. To quote the original legislation, It sets…

Article 99: The Facts The article has two clauses concerning the GDPR's entry into force, and subsequently becoming law. 1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. 2.It shall apply from 25 May 2018. This, the final article of the regulation, says when the GDPR starts taking effect: 25-May-2018. To describe the timeline: the GDPR was published in volume 59 of the Official Journal of the European Union on 04-May-2016.  (The Journal is published daily on the European Union Law website in up to twenty-four languages.  In the same volume were two related directives on the use of personal data by competent authorities with regards to criminal activities.)  Twenty days later the GDPR came into force…

Article 98: The Facts This Article gives the European Commission the ability to propose changes to existing EU legislation where it might conflict with the GDPR. The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data. (Article 96 gives a bit more detail on this, saying that pre-GDPR agreements made by EU countries concerning transferring personal data overseas stay in effect until they are changed or revoked.  See the Article 96…

Article 96: The Facts This part of the GDPR covers agreements made between EU and non-EU countries, pre-GDPR (i.e. before 24-May-2016), which concern the transfer of personal data to those non-EU countries. Such agreements will stay in effect until they are changed or revoked. International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked. Graeme's View Is this a major hole in GDPR? Let's say EU Country A and Non-EU Country B have a legal agreement to share data on their citizens that dates back to before 2016. "We agree to swap lists of…

Article 97: The Facts Article 97 concerns the review and possible amendment of the GDPR, and has five clauses. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of: (a) Chapter V on the transfer of personal data to third countries or international organisations with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC; (b) Chapter VII on cooperation and consistency. For the purpose…

Article 95: The Facts Article 95 tries to remove potential conflict between GDPR and the regulation of electronic communications by existing legislation. It consists of one sentence. This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC. In another post I've written about the difference between natural and legal persons if you would like clarification on that. There is potentially conflict between the GDPR and the Privacy and Electronic Communications Directive 2002/58/EC (and its subsequent amendment by Directive 2009/136/EC).  The key point here, though, is these…