General Data Protection Regulation

Below is an overview of General Data Protection Regulation (GDPR) requirements under the Horizon Europe programme.

What is GDPR?

GDPR is a comprehensive data privacy law that came into effect on May 25, 2018, in the European Union (EU). It aims to give individuals control over their personal data and simplify the regulatory environment for international business by unifying regulations within the EU.

Key aspects of this law include data protection rights for individuals, obligations for data processors and controllers, and stringent data breach notification requirements.

Key principles

The regulation is founded on a set of key principles about the handling of personal data:

  • Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • Purpose limitation: Data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes.
  • Data minimization: Data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed (in a research project, the project's stated purposes).
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
  • Storage limitation: Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing. For a research project this normally means the project's duration, although longer storage for archiving or scientific research purposes is permitted subject to appropriate safeguards. Criteria on when and how to delete, dispose of or anonymize data must be established.
  • Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  • Accountability: The controller is responsible for, and must be able to demonstrate, compliance with these principles.

Closely tied to these principles, although formally one of the individual rights rather than a processing principle, is the right to erasure, also known as "the right to be forgotten": data subjects have the right to have their personal data erased in the circumstances the regulation sets out.

Rights of the individuals

GDPR guarantees rights to individuals regarding their personal data, including:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to be forgotten
  • The right to data portability
  • The right to object
  • Rights related to automated decision making and profiling

To whom does GDPR apply?

GDPR applies to organizations established within the EU as well as organizations located outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. It therefore applies to any organization that processes or holds the personal data of individuals in the EU, regardless of where the organization itself is located.

It covers a wide range of information, whether used alone or in combination with other data to identify a person. This includes names, photos, email addresses, bank details, social networking posts, medical information, genetic information, biometric information and online identifiers such as an IP address.

GDPR and Horizon Europe

Canadian entities that participate in EU initiatives such as Horizon Europe may need to comply with GDPR, because the regulation applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (the data subjects). Below are the key considerations for Canadian entities:

  • Data processing activities: If the personal data of EU residents is processed as part of a Horizon Europe project, that processing will need to comply with GDPR. This could include data processing related to research activities, collaboration with EU entities, or any other activity involving the personal data of EU residents.
  • Data transfer, storage and disposal: GDPR compliance is also necessary when personal data collected in the EU is transferred to Canada or stored on Canadian servers. Note that the EU's adequacy decision for Canada covers only recipients that are subject to PIPEDA; a transfer to an organization outside PIPEDA's scope (for example, a public university governed by provincial law) needs another transfer mechanism, such as standard contractual clauses, and the transfer should be documented in the project's data management plan.
  • Collaborative nature of the programme: Horizon Europe's focus on cross-border collaboration means Canadian entities may act as data controllers or processors in partnership with EU-based institutions. This requires GDPR compliance for data protection agreements, data subject rights, and other related responsibilities.
  • Technology and data use: Given the programme's emphasis on innovation and technology, Canadian entities should know GDPR's requirements for the use of new technologies and data science. This includes obligations related to data protection by design and by default, and conducting Data Protection Impact Assessments (DPIAs) when necessary.

Data protection officer requirement

According to the GDPR, it is mandatory to appoint a data protection officer (DPO) when any of the following conditions is met:

  • Public authority or body: The processing is carried out by a public authority or body (other than a court acting in its judicial capacity).
  • Core activities requiring large-scale, regular, and systematic monitoring: The core activities of the controller or processor consist of processing operations that, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale (for example, online behaviour tracking).
  • Large-scale processing of sensitive data: The core activities of the controller or processor consist of large-scale processing of special categories of data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data processed to uniquely identify a person; and data concerning health, sex life or sexual orientation) or of data relating to criminal convictions and offences.

Not every Canadian entity will need to appoint a DPO under GDPR. If an entity's data processing activities do not meet any of the above criteria, a DPO is not mandatory. However, it is still considered good practice for institutions that process personal data to appoint a DPO. This helps ensure compliance with data protection laws and provides a single point of contact for supervisory authorities and for the individuals whose data is processed.

Examples of large-scale processing

  • Processing patient data in the regular course of business by a hospital
  • Processing travel data of individuals using public transit (e.g. tracking via travel cards)
  • Processing customer data in the regular course of business by an insurance company or a bank
  • Processing personal data for behavioural advertising by a search engine
  • Processing data (content, traffic, location) by telephone or Internet service providers

How does GDPR compare to Canadian privacy laws?

The GDPR and Canadian privacy laws, specifically the Personal Information Protection and Electronic Documents Act (PIPEDA), share several principles and objectives. Both laws aim to safeguard individuals' privacy and personal data. There are, however, some significant differences between these laws and regulations. These stem from GDPR's wider scope, strict requirements, and robust enforcement mechanisms. Below are the key differences:

Scope and applicability:

  • GDPR has a broad territorial reach, extending to EU-based organizations and those outside the EU that offer goods or services to EU residents or monitor their behavior.
  • PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activities. In provinces whose private-sector privacy laws have been declared substantially similar to PIPEDA (Quebec, British Columbia and Alberta), PIPEDA does not apply to activities that take place entirely within the province; it still applies to federally regulated organizations and to personal information that crosses provincial or national borders.

Consent:

  • GDPR requires clear, specific, and informed consent, with a positive opt-in. Silence or inactivity does not constitute consent. It also makes it easy for individuals to withdraw their consent.
  • PIPEDA also prioritizes informed consent, but the GDPR's requirements for obtaining and revoking consent are stricter.

Rights of individuals:

  • GDPR provides extensive rights to individuals: the rights to access, to rectification, to erasure (right to be forgotten), to restrict processing, to data portability, and to object.
  • PIPEDA provides rights to access and rectification, but does not include rights equivalent to erasure, data portability, or the explicit right to object to processing the way GDPR does.

Data breach notifications:

  • GDPR requires controllers to report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must also be notified without undue delay.
  • PIPEDA requires organizations to report to the Privacy Commissioner of Canada, and to notify affected individuals, breaches of security safeguards that create a real risk of significant harm, "as soon as feasible" after the organization determines that the breach has occurred. Compared with GDPR, the threshold for notification is higher and the timeline is less specific.

Fines and penalties:

  • GDPR allows administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (a lower tier of €10 million or 2% applies to others).
  • PIPEDA allows for fines of up to $100,000 (CAD) for certain offences, such as knowingly failing to report a breach or obstructing an investigation, which is significantly less than the fines available under GDPR.

Accountability and governance:

  • In certain circumstances, GDPR mandates that organizations appoint a DPO, conduct DPIAs for high-risk processing, and implement privacy by design and by default.
  • PIPEDA encourages accountability and the appointment of a person responsible for privacy compliance. However, the requirements for DPOs, DPIAs, and privacy by design are not as explicitly defined as under GDPR.

International data transfers:

  • GDPR places strict conditions on the transfer of personal data outside the EU, requiring adequate levels of protection or specific safeguards.
  • PIPEDA allows international data transfers, provided that the organization ensures comparable protection through contracts or other means.

For more information