What is GDPR (General Data Protection Regulation)?

How can we protect our privacy with GDPR?

Carmine De Fusco
The Blog of a Computer Scientist
Aug 28, 2019

Fortunately, privacy has become an increasingly debated topic in recent years. Although those who surf the web today are much better protected than in the past, our legislators moved too late. For almost 20 years (since the web became a mass phenomenon), the giants of the web have been offering their services in exchange for our data, giving us the impression that we are using these services for free.
It was inevitable, therefore, that sooner or later legislators would take the situation in hand, ideally through European regulation. One of the first interventions in Europe was the Cookie Law, aimed at ensuring that users are informed that their private information is used for profit every time they access a website. A further step forward came with the GDPR (General Data Protection Regulation), in force since May 2018. One thing to keep in mind about the GDPR is that, being a Regulation, it is mandatory and directly applicable in all EU Member States. Had it been a directive, a national transposition law would have been needed; in this case none is necessary.

Innovations in GDPR

One of the most innovative and interesting aspects is the introduction of the concept of data breach, or data loss, and of what to do to reduce the risk of this happening. Another very interesting novelty is the principle of territoriality, which allows every EU citizen to be protected regardless of where their data is located. In fact, it does not matter if a company is located outside the European Union (e.g. USA, Russia): if such a company offers services to people located in the European Union, it is obliged to comply with the provisions of the GDPR. This means that although companies such as Facebook, Google (both American) or FaceApp (Russian) are not located within the European Union, if the data they manage refers to users belonging to the Union, these users are protected by the GDPR. In other words, what counts is the geographic position in which the processed data resides, not the geographical position of whoever handles the data.

In the GDPR, “personal data” means any information that refers to a natural person and makes that person identifiable. Examples of personal data are: name, surname, telephone number, e-mail address, residential address, etc. These types of data allow only the identification of a person. Other types of data concern the most intimate sphere of a person’s life, for example: religious creed, political preferences, medical analyses.

The GDPR defines some new roles, such as these:

  • Data Subject: The person to whom the personal data refers and therefore the data owner.
  • Data Controller: Legal entity that (alone or with others) defines the purposes and tools of data processing.
  • Data Processor: Natural or legal person appointed by the data controller to process the data.
  • Data Protection Officer: Role created ad hoc, with various tasks such as informing and advising the Data Controller or Data Processor, monitoring compliance with the regulation and cooperating with any supervisory authority.
  • Joint Controller: Figure that comes into play when several owners manage the same data but for different purposes.

Profiling and Consent

As already mentioned, the Cookie Law obliges websites to ensure that Internet users can be aware of how and which cookies are used; moreover, each Internet user must have the possibility to accept or refuse the use of cookies. In other words, each Internet user must give their consent before a website can track the user's activities. This activity is commonly called profiling.

In addition to profiling, the GDPR also refers to the principle of consent. It expressly requires that the privacy policy be clear, concise and written in easy-to-understand language. The disclosure must explain well how the data is processed and for what purposes, and must request the visitor’s explicit consent for processing. On consent, the GDPR unequivocally clarifies that an Internet user cannot be obliged to give it; in other words, a necessary condition for consent to be valid is that it can be expressed freely (therefore, theoretically, without blackmail).

GDPR gives power to users

In the GDPR, the tools made available to the user are called Rights of the interested party; some of these are the following:

  • Access: Allows the data subject to access their data by requesting them from the data controller.
  • Portability: Allows the data subject not only to access their own data but also to save them in a format that can be transmitted to another data controller.
  • Correction: Allows the data subject to request the correction of data if these are incorrect or out of date.
  • Right to oblivion: Allows the data subject to request the removal of his personal data.
  • Limitation: Allows the data subject to limit the processing of data only to certain very specific purposes.

Conclusions

It seems quite obvious that today, in the information age, internet users’ data is more precious than gold or oil for some companies. Having a regulation that gives Internet users guarantees, with clear and precise rules that everyone must respect regardless of the geographical location of those who hold the data, is a great step forward. Knowing what your rights are and how you can protect yourself is a duty of every citizen who surfs the web, so that this activity can become increasingly secure. Each Internet user must always remember that they are the owner of their own data, and that no one can use it other than in the way covered by the consent that the Internet user must previously have been able to give.

Computer Scientist in general, Software Engineer in detail, Visionary for someone. Contact me here: cardefusco (at) gmail (dot) com