The European Union (EU) General Data Protection Regulation (the GDPR) contains data protection requirements that Victorian businesses and organisations with links to the EU may need to comply with.
The primary aims of the GDPR are to:
- give individuals control over their personal data
- foster transparent information handling practices and business accountability around data handling
- simplify the regulatory environment for businesses and organisations by unifying the regulation within the EU.
For businesses and organisations within its scope, the GDPR imposes explicit recordkeeping requirements and places an emphasis on records for accountability and on record retention periods.
Is my agency affected?
Organisations which come under the scope of the GDPR include those which:
- have an 'establishment' in the EU
- are outside the EU but offer goods or services in the EU, or
- are outside the EU but monitor the behaviour of individuals in the EU.
Examples of organisations that may fit these criteria include organisations:
- with an office in the EU
- whose website targets or mentions users in the EU
- which track individuals in the EU on the internet and use data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Victorian agencies to which the GDPR may apply could include research, higher education and health institutions where they conduct activities or receive data from the EU.
Please note that the Office of the Australian Information Commissioner (OAIC) has advised:
There is some legal complexity involved in assessing whether the GDPR applies or is intended to apply to Australian government agencies. Foreign states are generally entitled to be granted immunity from the jurisdiction of the courts of another state. Exceptions depend on the laws of the particular jurisdiction, and may include commercial transactions of a foreign state.
Agencies that consider that the GDPR may apply to their activities, particularly where those activities are of a commercial nature, are encouraged to seek their own legal advice.
The GDPR applies to both ‘data controllers’ and ‘data processors’.
| Who | Definition (Article 4) |
|---|---|
| Data Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Data Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
The Privacy and Data Protection Act 2014 (PDPA) sets out what Victorian Government agencies must do under Victorian law when collecting personal information. While there are similarities between the GDPR and the PDPA in terms of the responsibilities of an organisation that collects personal data, they are two separate and distinct legislative regimes, and a Victorian Government agency might be subject to both. Agencies may wish to consult the Office of the Victorian Information Commissioner (OVIC) online factsheet aimed at Victorian agencies, which provides a table comparing provisions between the two regimes.
What kind of data does the GDPR apply to?
The GDPR applies to ‘personal data’, meaning ‘any information relating to an identified or identifiable natural person’ (Article 4). This includes pseudonymised data but not anonymous data.
Under Article 9 of the GDPR, additional protections apply to the processing of ‘special categories’ of personal data, which include personal data revealing a person’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health or data concerning a natural person’s sex life or sexual orientation.
What does the GDPR require?
The GDPR sets out a suite of requirements aimed at protecting the rights of individuals.
To support these requirements, relevant agencies may have to:
- implement and manage different recordkeeping systems and functionalities
- generate new types of records
- demonstrate compliance with the relevant provisions.
The GDPR provides for enforcement and the imposition of penalties. Individuals may lodge complaints against controllers and processors and be compensated for damage resulting from non-compliance. Those requirements potentially most relevant to Victorian Government agencies and how they may affect their recordkeeping responsibilities are summarised below.
Data controllers must demonstrate that the individual has consented to the processing of their personal information. The definition of consent (Article 4(11)) states that it must be:
- freely given
- an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing.
Individuals must be given the right to withdraw their consent at any time and must be informed of this right before providing their consent.
Data controllers must maintain a record regarding how and when consent was given.
Right to be informed
The GDPR protects the right to be informed. Data controllers are required to provide individuals notice of, amongst other things, the:
- purpose of and legal basis for processing the data
- categories of personal data being collected
- arrangements for sharing or transfers of data
- retention period(s) for personal data.
Right to access, correct and erase personal data
Individuals may access their personal data and can correct incomplete or inaccurate information, including by means of providing a supplementary statement.
Individuals can request to have their data erased and prevent processing where:
- the data is no longer necessary for the original purpose for which it was collected
- the individual withdraws their consent and there is no other legal basis for processing the data
- the individual objects to further processing of their data and there are no overriding legitimate interests to continue processing
- the data is unlawfully processed
- erasure is necessary to comply with a legal obligation
- the data relates to the offer of “information society services” to a child.
If a data controller has made the data public, it must take reasonable steps to inform other controllers that the individual has requested erasure. Any third party which has received data disclosed by the data controller must be notified unless it would be impossible or would involve disproportionate effort. The right to erase data is not absolute and can be set aside on the basis of ‘legitimate interests’ – for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes. The right to erase data may also be set aside where it conflicts with, and is outweighed by, the right to freedom of expression and information.
Individuals can request data controllers stop processing their personal data on the basis that:
- they contest the accuracy of the personal data
- the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of use instead
- the data is no longer necessary for the original purpose for which it was collected but is required by the individual for the establishment, exercise or defence of legal claims
- the individual has objected to processing and is awaiting verification of whether the data controller has legitimate grounds which override those of the individual.
Right to data portability
Individuals have the right to obtain personal data they have provided to the controller and to reuse it easily on different services, when the processing is:
- based on consent or performance of a contract, and
- carried out by automated means (no paper records).
This right requires data controllers to provide data in structured, commonly used, and machine-readable formats.
Records of processing activities
Data controllers must keep records of:
- their name and contact details and, where applicable, those of a joint controller
- the purposes of the processing
- a description of the categories of individuals and of personal data
- the categories of recipients to whom the personal data has been or will be disclosed including recipients in third countries or international organisations
- where applicable, transfers of personal data to a third country or international organisation
- data retention periods, where possible
- a general description of the technical and organisational security measures, where possible.
Data processors must keep records of:
- the name and contact details of each controller on behalf of which the processor is acting
- the categories of processing carried out on behalf of each controller
- where applicable, transfers of personal data to a third country or international organisation
- a general description of the technical and organisational security measures where possible.
Data security and breach notification
Data controllers and processors must implement appropriate technical and organisational security measures. In assessing the appropriate level of security, they must take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data controllers must notify their supervisory authority of any personal data breach ‘not later than 72 hours after having become aware of it’.
Data processors must notify controllers of any breach ‘without undue delay’. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the personal data breach to the individual ‘without undue delay’. Data controllers must document personal data breaches to demonstrate compliance.
More information on the requirements under the GDPR can be found on the websites of the Office of the Australian Information Commissioner and the Office of the Victorian Information Commissioner.