I. INTRODUCTION
The General Data Protection Regulation (GDPR) established protections for the privacy and security of personal data regarding individuals in the European Economic Area countries (European Union or EU). The regulation, which became effective on May 25, 2018, may have implications for non-EU based organizations that conduct business or business communications in EU countries.
II. IMPORTANT DEFINITIONS
The GDPR contains the following definitions:
Data Controller – A natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject – A person in the European Union, which may or may not be limited to EU citizens or residents.
Personal Data – Any information relating to an identified or identifiable natural person who is in the EU, regardless of the individual’s EU citizenship status. An individual is identified or identifiable if the individual can be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data and online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (e.g., items such as photos, email addresses, medical information, login information, IP addresses and vehicle identification numbers).
Processor – A natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller.
III. APPLICABILITY
The GDPR applies to EU data subjects and to all companies processing or holding the personal data of data subjects residing in the EU. To determine whether the GDPR affects your bank, you need to ascertain whether your bank is offering services to data subjects in the EU or offering services only to US citizens who open accounts in the US and then travel abroad.
The GDPR regulation applies to:
The processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing takes place in the Union or not;
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
Offering of goods or services, regardless of whether a payment of the data subject is required, to such data subjects in the Union; or
Monitoring of their behavior as far as their behavior takes place within the Union (e.g., tracking individuals on a website through the use of cookies or logging IP addresses);
The processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of Public International law.
IV. CONSENT
The GDPR requires organizations to let individuals know how their data is being used and requires them to obtain individualized consent – in clear, specific language – before using their data. If the reason for using the data changes, the organization will need to obtain the individual’s consent again. (Consent must be in the form of a request separate from other terms and conditions and also requires a positive opt-in.)
V. RIGHT TO BE FORGOTTEN
Under the GDPR, individuals have the “right to be forgotten.” Individuals asserting this right are entitled to have all of their personal data erased immediately, provided the data is no longer needed for its original processing purpose, and there is no other reason for maintaining the data (e.g., record retention purposes).