Talk:General Data Protection Regulation

A news item involving General Data Protection Regulation was featured on Wikipedia's Main Page in the In the news section on 26 May 2018.

This article has not yet been rated on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Articles for creation This article was reviewed by member(s) of WikiProject Articles for creation. The project works to allow users to contribute quality articles and media files to the encyclopedia and track their progress as they are developed. To participate, please visit the project page for more information.Articles for creationWikipedia:WikiProject Articles for creationTemplate:WikiProject Articles for creationAfC This article was accepted on 8 January 2013 by reviewer Andrewman327 (talk · contribs). Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Business Low‑importance This article is within the scope of WikiProject Business, a collaborative effort to improve the coverage of business articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.BusinessWikipedia:WikiProject BusinessTemplate:WikiProject BusinessWikiProject Business Low This article has been rated as Low-importance on the project's importance scale. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Computing Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing Low This article has been rated as Low-importance on the project's importance scale. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. European Union Mid‑importance This article is within the scope of WikiProject European Union, a collaborative effort to improve the coverage of the European Union on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.European UnionWikipedia:WikiProject European UnionTemplate:WikiProject European UnionEuropean Union Mid This article has been rated as Mid-importance on the project's importance scale. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Internet Mid‑importance This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet Mid This article has been rated as Mid-importance on the project's importance scale. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Law Mid‑importance This article is within the scope of WikiProject Law, an attempt at providing a comprehensive, standardised, pan-jurisdictional and up-to-date resource for the legal field and the subjects encompassed by it.LawWikipedia:WikiProject LawTemplate:WikiProject Lawlaw Mid This article has been rated as Mid-importance on the project's importance scale. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Mass surveillance Low‑importance General Data Protection Regulation is within the scope of WikiProject Mass surveillance, which aims to improve Wikipedia's coverage of mass surveillance and mass surveillance-related topics. If you would like to participate, visit the project page, or contribute to the discussion.Mass surveillanceWikipedia:WikiProject Mass surveillanceTemplate:WikiProject Mass surveillanceMass surveillance Low This article has been rated as Low-importance on the project's importance scale.

This article is written in Singaporean English, which has its own spelling conventions (colour, realise, centre, analyse) and some terms that are used in it may be different or absent from other varieties of English. According to the relevant style guide, this should not be changed without broad consensus.

Archives (Index)

2015 2017 2018 2019 2020 2021

This page is archived by ClueBot III.

The current summary (shown below) does not seem appropriate.

"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

While it may seem like a general description of the regulation it is in fact a description from 2012 which was referenced in this article. Please update the summary to reflect the regulation as it was passed. — Preceding unsigned comment added by 149.161.197.247 (talk) 16:21, 23 October 2017 (UTC)[reply]

Note that the regulation does not discuss residence in the EU at all. While processors and data controllers have interpreted the regulation as being limited to those residing in the EU, it is not apparent that it excludes EU citizens residing abroad. 65.198.98.16 (talk) 16:42, 28 April 2021 (UTC)Arch[reply]

The entire section of law relating to right of rectification is missing from the article.

I am removing the following text, which is not appropriate to the summary section of an article on the EU GDPR (Even if it might make sense in a section on effects of Brexit on the GDPR, or in an article on English, Scottish or Northern Irish Data Protection law, it's not particularly relevant to the GDPR itself).

Also, it's not true - at least not as currently written (I believe intermediate edits have mangled the sense somewhat). The UK will presumably be subject to the GDPR, along with the rest of EU law, until 2 years after the UK's Article 50 notice to leave the EU (possibly longer depending on the nature of any regulatory equivalence which may be negotiated). - Paul (talk) 17:10, 8 December 2017 (UTC)[reply]

In the summary ...

To some, "personally identifiable information" (PII) will have a specific meaning, particularly with regard to the US legal definition. Reading the personally identifiable information page itself makes this distinction a bit clearer. The GDPR definition of "personal data" is broader in scope than that of PII.

While the term is sometimes used ubiquitously to refer to a broad range of personal information (granted that a search on Wiki for "personal data" will redirect to the PII page) I think in this context it is better sense to refer solely to "personal data", here in the summary and anywhere else on the page — in particular because the scope of the GDPR does have an impact on firms in the US who might have EU customers. Views?

+1, and very much so. The PII page itself states multiple times that "personal data" is (substantially) wider than PII; hence, the two cannot and should never be used as meaning the same thing. --User:Haraldmmueller 10:34, 11 September 2018 (UTC)[reply]

Very true, Haraldmmueller. ♫ RichardWeiss talk contribs 12:23, 11 September 2018 (UTC)[reply]

Ok, I have made that change. Different.joy (talk) 11:04, 12 September 2018 (UTC)[reply]

Someone added that section - with only links to GDPR articles, but no secondary source. This alone is not really ok. However, "B2B" implies that both (or all) involved parties are not persons, but "businesses" - so prima facie, the GDPR should not at all be relevant for B2B. So why would one claim this, and support it with paragraphs from the GDPR, which only refer to "natural persons"? I argue that this section should be removed, unless some proff can be given that GDPR professionals (lawyers) regards B2B in the context of the GDPR. --User:Haraldmmueller 10:00, 18 May 2018 (UTC)[reply]

... has been removed. Thanks! --User:Haraldmmueller 17:02, 14 October 2019 (UTC)[reply]

Section Restrictions currently states: "The following cases are not covered by the regulation: ... Statistical and scientific analysis"

This is untrue. The exceptions are limited: an exemption to Article 9(1) by Article 9(2)(j), and a provision that Member States can "provide exemptions, derogations, conditions or rules in relation to specific processing activities".

Article 89, Recital 156, and Recital 159 refer explicitly to the way statistical and scientific analysis is regulated.

Additionally with the only citation being marked Page Needed, I'm doubtful about the rest of that section.

I am going to mark the section Disputed. Please indicate so that we can reach consensus as editors and seek to rewrite it or remove.

Golightlys (talk) 18:59, 26 May 2018 (UTC)[reply]

Over a year later, and this needs action. Claims that science isn't covered is clearly false: "(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. [...] (159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing." All this can be verified on https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679 and it would be nice if this section were accurate. Certainly a researcher wanting a quick overview of this huge regulation would likely come to Wikipedia first. 174.52.240.90 (talk) 16:34, 13 February 2020 (UTC)[reply]

I've started contributing to the GDPR fines and notices page. Would it be appropriate to add a link to this page under the Sanctions section? And if so, what would be the appropriate text for such a reference? — Preceding unsigned comment added by Rkranendonk (talk • contribs) 14:18, 24 June 2019 (UTC)[reply]

According to https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/ it appears that there is at least anecdotal evidence that GDPR has made it *easier* for (possibly malicious) 3rd parties to extract private information from online services. This may be worth starting a "Criticism" section, as this is a vulnerability apparently worsened by GDPR. Tantek (talk) 23:29, 16 August 2019 (UTC)[reply]

The tools section feels like spam/advertising. It's just an arbitrary list of 4 software tools. I think it should be removed, but didn't want to edit the article without asking.

If anyone else agrees, I'd vouch for removing it.

Grocko1 (talk) 11:34, 23 August 2019 (UTC)[reply]

I removed all. Actually, there are tools that might be more "objective", namely those provided by the authorities (we use one in Germany that is provided by the French office for data protection; and which is favored here in Bavaria). But I would have to research that area before I'd feel confident to add them here on WP. --User:Haraldmmueller 13:50, 30 August 2019 (UTC)[reply]

Hello, where do I find a map for age of consent in the EU?

Which is issued by Ingrida Milkaite and Eva Lievens at Ghent University. [1] --TaleofTalisman (talk) 22:27, 12 September 2019 (UTC)[reply]

Here's are my list that limits younger people to gain access data in European Union:

EU country	Age required
Belgium	13
Denmark	13
Estonia	13
Finland	13
Latvia	13
Malta	13
Portugal	13 (16 for Google accounts)
Sweden	13
United Kingdom	13
Austria	14
Bulgaria	14
Cyprus	14
Italy	14
Lithuania	14
Spain	14
Czech Republic	15 (same as age of consent)
France	15 (same as age of consent)
Croatia	16
Germany	16
Greece	16 (15 for age of consent)
Hungary	16
Ireland	16
Luxembourg	16
Netherlands	16
Poland	16
Romania	16
Slovakia	16
Slovenia	16 (15 for age of consent)

However, San Marino is not member of the European Union and/or European Economic Area. Instead, the minimum age of consent is 16 for Google accounts.

Source: [2]

--TaleofTalisman (talk) 08:13, 24 September 2019 (UTC)[reply]

Sometimes it's instructive to hear how some random person off the street views an endeavor. I came here wondering why US citizens have to comply with EU laws? And there's no explanation in the article, or did I miss it? It's a simple matter but I bet many people will have the same question. Friendly Person (talk) 22:51, 4 October 2019 (UTC)[reply]

But there is. See the paragraph under "Impact" on "international law" and the "Brussels effect"; and, additionally, the paragraph on "extraterritorial effects". That's about what can be said (unless you are a US citizen in the EU - then of course you have to comply with national, as well as EU law of the state where you are). --User:Haraldmmueller 20:18, 5 October 2019 (UTC)[reply]

https://mirrors.tuna.tsinghua.edu.cn/ (see bottom:根据相关法律法规，本站不对欧盟用户提供服务。)

Tsinghua mirror site declared it will not serve EU citizens, despite it's an open source mirror site + doesn't make any explicit data requests. (This line was quietly added, no appearance in https://mirrors.tuna.tsinghua.edu.cn/news/)

From the article: Article 48 states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognized or enforceable in any manner unless based on an international agreement, like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state.

Does that mean for any country/region which legal system is not mutually-endorsed with EU's, all entities there cannot simultaneously satisfy its own country's laws and GDPR effectively has EU blocking them, even if they have no intention to abuse the data?

Hi, I work with GDPR from 2017 as consultant and trainer and have a CIPP/E and CIPM certifications in the field. Recently I discovered that the the wiki-article devoted to General Data Protection Regulation is full of misleading statements that might cause serious problems for the audience. Examples from the first 3 paragraphs:

• wrong statement that only processors must put in place appropriate technical and organizational measures,
• confusion between consent and other lawful bases,
• misguided statement that GDPR protects just EU citizens

I tried to correct them. There been back and forth with MrOllie around whether I can refer to specific articles and exact paragraphs from unofficial gdpr website (GDPR-text.com) . So after a number of unsuccessful attempts I had to delete any references and offered the edit just limited to correcting the falsehoods in the text: https://en.wikipedia.shisu.cf/enwiki/w/index.php?title=General_Data_Protection_Regulation&diff=934590602&oldid=934507736 Unfortunately, MrOllie continues to undo my edits and to restore misleading information. Any suggestions? — Preceding unsigned comment added by Privacypro (talk • contribs) 12:29, 7 January 2020 (UTC)[reply]

Doing what you started here: Explain the problems on the discussion page to try to create consent. I appreciate your last edit - it makes some aspects clearer, so I would like to have the change permanent. --User:Haraldmmueller 14:05, 7 January 2020 (UTC)[reply]

• Privacypro, You replaced a source, data.consilium.europa.eu, with many from gdpr-text.com, which adds nothing except some explanatory text from, and links to, data-privacy-office.com, where the co-founder's qualifications and experience match those you've declared as your own. This is pretty clearly WP:REFSPAM in which you're trying to conceal advertising links for your business in references. It's not an acceptable use of Wikipedia. Cabayi (talk) 16:17, 7 January 2020 (UTC)[reply]

Isn't there a list of examples where GDPR was misused? --SvenAERTS (talk) 03:21, 4 December 2020 (UTC)[reply]

The article currently has : "The United Kingdom granted royal assent to ...".

The United Kingdom does not do that. Royal Assent is granted by the Reigning Monarch (except when some form of proxy or deputy, such as I suppose the Prince Regent [1811-1820], has of necessity been formally appointed). 94.30.84.71 (talk) 17:10, 6 January 2021 (UTC)[reply]

When the EU describes the GDPR (https://gdpr.eu/what-is-gdpr/), they list seven principles that form the basis:

Data protection principles. 
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:

Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

The current section on "principles" pulls from Article 6, which is framed by the EU as being about "Lawfulness of processing". I think the prinicples section should cover Article 5, and don't know how important it is to cover Article 6. ★NealMcB★ (talk) 21:29, 29 September 2021 (UTC)[reply]

In July 2021 the Eu Parliament approved Chatcontrol, a regulation that allowed for the following three years Internet Service Providers to scan extensively the e-mail of their private users in order to prevent child abuses. They don't need of any specific authorization. The regulation derogates GDPR (sources: [3], [4]). — Preceding unsigned comment added by 151.82.218.171 (talk) 15:13, 8 October 2021 (UTC)[reply]

At the beginning of the article it says: "The regulation became a model for many national laws outside the EU, including United Kingdom, Turkey, Mauritius, Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR." the reference for that is number 2 which is an article on the sites advisera.com titled "The differences between the California Consumer Privacy Act and the GDPR" about the CCPA but as far as I could see doesn't mention any other nations. Did I miss something in that article or is there another source to support this claim? I believe it is true but would like to see a solid reference for it. --MadScientistX11 (talk) 23:16, 15 October 2021 (UTC)[reply]

Content at General Data Protection Regulation#Risk-based approach has been imported from Draft:Risk-based approach in the GDPR by an inexperienced editor without any annotation in the edit summary. Advice has been left at User talk:Elena2341#Marking edits as minor, and a new section at Draft talk:Risk-based approach in the GDPR.--Rocknrollmancer (talk) 21:42, 5 May 2022 (UTC)[reply]