GDPR-General Data Protection Regulation
Presented by: Dipanjan Dey

GDPR - General Data Protection Regulation
 What is GDPR?
 The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules
on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data
protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive, and came into force on
May 25, 2018. It also supersedes the 1998 UK Data Protection Act.
 Who's covered under GDPR?
 GDPR applies to all organizations holding and processing EU resident’s personal data, regardless of geographic location. Many
organisations outside the EU are unaware that the EU GDPR regulation applies to them as well. If an organization offers goods or
services to, or monitors the behavior of EU residents, it must meet GDPR compliance requirements.
 What it covers?
 The main points of GDPR concern the privacy rights of everyday users and the data they create online, and will affect businesses of all
sizes due to their effect on how companies gather, store, and look after their data.
 What are the consequenses for non-compliance?
 Any organisation found to not be conforming to the new regulations after the May 25 deadline could face heavy fines, equivalent to 4%
of annual global turnover, or €20 million, whichever is greater

Relevancy of GDPR in India
 Direct impact the GDPR has on Indian businesses
and people living in India
 Indirect impact on India's legal approach to privacy
and data protection
 The biggest impact of the GDPR for India is
probably the indirect, or the persuasive impact.
Evidently, in preparation for the day this law kicks
in, companies across the world have updated their
consent terms and their privacy policies.
An Indian
Travelling to
Europe
A IT Company
providing
Goods &
Services to a
EU
Consent Terms
& Privacy
Policy
GDPR

Jurisdiction of GDPR- A Global Law
 Material Scope (Art.2)
 Art. 2 governs the material scope of the GDPR and applied to applies to the processing of “personal data,” which is defined to
mean any information relating to an identified or identifiable natural person.
 Territorial Scope (Art.3)
 Article 3 of the GDPR governs its territorial scope. Pursuant to Articles 3(1) and 3(2), the GDPR applies to businesses
established in the EU, as well as to businesses based outside the EU that offer goods and services to, or that monitor,
individuals in the EU. Article 3(3) adds that the GDPR also applies in places where EU Member State law applies by virtue of
public international law.
 Summary
 Under the GDPR, jurisdiction is less related to the location where a business is incorporated or headquartered and more to the
scope and location of business activity.
 The GDPR will apply to the processing of personal data by businesses “established” within the EU.
 More controversially, it also will apply to businesses outside the EU if their data processing activities relate to the offering of
goods or services to individuals in the EU or to the monitoring of such individuals’ behavior.
 This latter provision expands the territorial scope of the GDPR well beyond the EU, essentially making it global law.

Data Subject Rights
 The General Data Protection Regulation (GDPR) grants
people, in their capacities as consumers, citizens and so
forth a range of specific data subject rights they can
exercise under particular conditions, as per usual always
with a few exceptions. GDPR compliance among others
means enabling the exercise of these rights.
 They are listed in GDPR Articles 15 until 22 as GDPR
Article 12 on transparent information, communication
and modalities for the exercise of the rights of the data
subject stipulates.
 Data subject rights are never absolute: there are, as
mentioned conditions and exceptions, but there are also
other rights to keep in mind.
 Organizations have legal obligations and there might be
contractual stipulations which override data subject
rights.
The8FundamentalDataSubjectRights

Right to information (Art. 12, 13, 14)
 This right provides the data subject with the ability to ask a company for information about what personal
data (about him or her) is being processed and the rationale for such processing. For example, a customer
may ask for the list of processors with whom his or her personal data is shared.
 Before data is collected, a data subject has the right to know how it will be collected, processed, and stored,
and for what purposes.
 Create easy-to-read policies that provide explicit details on what information is being stored on an
individual—and how it will be used. Ensure all data collection processes place informing the user before the
collection of data.

Right to Access (Art. 12, 15)
 This right provides the data subject with the ability to get access to his or her personal data that is
being processed. This request provides the right for data subjects to see or view their own personal
data, as well as to request copies of the personal data.
 After data is collected, a data subject has the right to know how it has been collected, processed, and
stored, what data exists, and for what purposes.
 A service provider must implement a process and the technical capabilities to:
a) track all data relating to the requestor in their systems,
b) vet a right to access request, and
c) provide that information to the requestor.

Right to Rectification (Art. 12, 16)
 This right provides the data subject with the ability to ask for modifications to his or her personal
data in case the data subject believes that this personal data is not up to date or accurate.
 A service provider must implement a process and the technical capabilities to:
a) vet a right to access request,
b) correct the data, and
c) confirm correction to the requestor

Right to Erasure or Forgotten (Art. 12, 17)
 Also known as right to erasure, this right provides the data subject with the ability to ask for the
deletion of their data. This will generally apply to situations where a customer relationship has
ended. It is important to note that this is not an absolute right, and depends on your retention
schedule and retention period in line with other applicable laws.
 Implement a process and the technical capabilities to:
a) track all data relating to requestor in your systems,
b) vet a right to erasure request,
c) erase all data in the request, and
d) confirm that erasure to the requestor
e) automatically delete data after a determined retention period
f) Inform other processors to whom data was passed of the request.

Right to Restrict Processing(Art. 12, 18)
 A data subject has the right to block or suppress personal data being processed or used.
 This includes implementation of a process and the technical capabilities to:
a) track all data relating to requestor in our systems,
b) vet a right to restriction of processing request,
c) pause processing without erasing the data, and
d) confirm the restriction in processing to the requestor.

Right for Data Portability (Art. 12, 20)
 This right provides the data subject with the ability to ask for transfer of his or her personal data. As
part of such request, the data subject may ask for his or her personal data to be provided back (to
him or her) or transferred to another controller. When doing so, the personal data must be provided
or transferred in a machine-readable electronic format.
 A data subject has the right to move, copy, or transfer personal data from one data controller to
another, in a safe and secure way, in a commonly used and machine-readable format.
 Wherever technically possible, this also includes the right to have the data transferred directly from
one controller to another without the data subject having to handle the data

Right to object to Processing (Art.12, 21)
 Individuals can object to the processing of personal data that is collected on the grounds of
legitimate interests or the performance of a task in the interest/exercise of official authority.
Organisations must stop processing information unless they can demonstrate compelling legitimate
grounds for the processing that overrides the interests, rights and freedoms of the individual or if the
processing is for the establishment or exercise of defence of legal claims.
 A data subject has the right to object to being subject to public authorities or companies processing
their data without explicit consent.
 A data subject also has the right to stop personal data from being included in direct marketing
databases.

Rights Related to Automated Decision-making(Art. 12, 22)
 A data subject has the right to demand human intervention, rather than having important decisions
made solely by algorithm.
 A data controller must implement a process and the technical capabilities to:
a) track all data relating to requestor in our systems,
b) vet an Article 22 request,
c) revert the algorithmic decision, and
d) provide all information to a human decision-maker

Exemptions
 The GDPR release controllers from the obligation to
comply with certain of the rights of data subjects,
where the controller is able to demonstrate that it is
not in a position to identify the data subject.
 Recital 63 notes that this could extend to protection
of intellectual property rights and trade secrets (for
example, if release of the logic of automated decision
taking would involve release of such information).
However, the recital also notes that a controller
cannot refuse to provide all information, on the basis
that access may infringe others’ rights.
 Exercising the right of freedom of expression (the
processing of personal data carried out for
journalistic purposes or the purpose of artistic or
literary expression)
 Reasons of public interest in the area of public health
(such as cross-border health threats)
 For historical, statistical and scientific research
purposes
 For compliance with a legal obligation to a Union or
Member State law
GDPR
Exemptions
Legal
Obligation
to a Member
State Law
Right to
Freedom of
Expression
Data
Subject
unidentified
Protection
of IPR &
Trade
Secretcs
Research
Purposes
Public
Health

THANK YOU