OP. ED.

The European Union (EU) continues to be a significant market for the IT/BPO industry in India[1]. Since India’s Data Protection Bill, 2019[2] (“the Bill”) has still not been enacted into law, India faces many challenges when entering into data processing agreements with the EU. The EU has been one of the biggest markets for the Indian outsourcing sector, and India’s relatively weak data protection laws make us less competitive than other outsourcing markets in this space. Further, Article 3 (Territorial scope) of the General Data Protection Regulation (GDPR) makes it clear that the Regulation applies regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR and, for those that do, increased compliance costs together with the risk of huge penalties for any failure to comply[3]. The focus of this article is on the transfer of data outside the EU to India and India’s approach in dealing with such transfers with respect to its obligations and the extent of its liability.

Data transfer and GDPR

Legitimacy of data transfer regarding personal data of data subjects under GDPR involves two stages[4]:

  1. Data transfer itself must be legal.
  2. Whether transfer to a third country is permitted.

Data transfer itself must be legal

Where a processor is situated in a third country, every data processing agreement must separately allocate the obligations of the controller and the processor. The reason is that Article 82 of GDPR clearly states that a person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. A controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller.

The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller[5].

Obligations of the Controller

Consent

Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing[6]. The obligation is on the controller to show that consent of the data subject has been obtained as required under Article 7 of GDPR. Article 82 read with Article 7 of GDPR mandates the controller to be held liable for damages to the data subject in case of infringement of Article 7 of GDPR.

Lawfulness and means of processing

Article 4(7) of GDPR defines a controller as one who determines the purposes and means of the processing of personal data. The obligations of the controller stated under Article 24 of GDPR are to be read with Article 5 of GDPR. Thus, apart from the lawfulness of processing and obtaining the consent of the data subjects, the controller is made responsible, and held accountable, for the following: processing must be fair and transparent; data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures[7]. The controller must also ensure, in selecting a processor, that the processor has implemented sufficient technical and organisational measures to ensure that processing meets the requirements of the Regulation[8].

Obligations of the Processor

The next question is: what are the obligations and liability of the processor?

It is the responsibility of both the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[9]. Further, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law[10]. If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing[11].

In a controller-processor relationship, the latter is only allowed to process personal data based on the documented instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract, without the prior specific or general written authorisation of the respective controller[12]. Thus the carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject[13].

Further, it is the responsibility of both the controller and the processor to maintain records of processing activities under their responsibility[14].

Whether transfer to a third country is permitted

If the intended data transfer meets the general requirements, one must check, in a second step, whether transfer to the third country is permitted. A distinction is drawn between secure and insecure third countries[15].

GDPR allows the transfer of personal data of data subjects situated in the EU to countries outside the EU for the purpose of processing and does not prohibit such transfer per se, whether to a secure third country that has attained ‘adequacy’ status or to an insecure third country with no data protection law at all, as in the case of India. The principles embodied in the GDPR recognise the importance of international trade and cooperation for achieving economic growth. The Regulation tries to balance economic growth against individual privacy and national security.

Transfers to secure third countries do not require any specific authorisation[16]. As India (a third country) does not yet have a separate law dealing with data protection and is regarded by the EU as an insecure third country, agreements with EU entities include the standard contractual clauses notified by the EU Commission, which Indian entities must abide by when processing personal data. These standard contractual clauses cannot be amended so as to contradict the notification. The parties are free to add clauses so long as they are in consonance with the standard contractual clauses given in the notification.

The EU Commission’s decision dated 5 February 2010 deals with standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, and continues to be followed under the GDPR. The scope of this Notification, C(2010) 593, is set out in Recital 2, which states:

Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.

Thus, along with the other terms agreed between a controller situated in the EU and a processor processing data in India, the standard contractual clauses stated in Notification C(2010) 593 are required to be followed by the Indian processor. Indian companies take on these additional obligations because India does not have a Data Protection Act in place.

What’s next for India?

Is India Chapter V of GDPR compliant? 

For data transferred from a controller situated in the EU and processed in India to be permitted without additional safeguard provisions, the Indian Data Protection Bill, 2019 must comply with Chapter V of GDPR so that India is regarded as a country providing adequate protection. India is gearing up to seek ‘adequacy’ status under the European Union’s General Data Protection Regulation[17].

In conclusion, the author states that the purpose of this article is to create awareness among processors regarding their obligations and the liability that follows from them. A processor cannot be held liable for all data privacy breaches. Thus it is necessary to understand the obligations of the controller and the processor and to allocate to each entity its separate responsibility in the agreement entered into between them. This article will also assist data subjects who have been aggrieved by a data privacy breach to approach the right entity and claim relief.


* Advocate

[1] India gets ready for EU’s new data regime, Rahul Kumar, 25 April 2017, https://www.cioandleader.com/article/2017/05/02/india-gets-ready-eu%e2%80%99s-new-data-regime

[2] Personal Data Protection Bill, 2019 

[3] How can Indian organisations prepare for the GDPR regime?, Sivarama Krishnan

[4] General Data Protection Regulation, Key Issue, Third Country 

[5] General Data Protection Regulation, Recital 79, Allocation of Responsibilities, https://gdpr-info.eu/recitals/no-79/

[6] General Data Protection Regulation, Key Issue, Consent

[7] Article 5 of General Data Protection Regulation, 2018

[8] General Data Protection Regulation, Key Issue, Processing, https://gdpr-info.eu/issues/processing/

[9] Article 32 of General Data Protection Regulation, 2018

[10] Article 29 of General Data Protection Regulation, 2018

[11] Article 28(10) of General Data Protection Regulation, 2018

[12] General Data Protection Regulation, Key Issue, Processing, https://gdpr-info.eu/issues/processing/

[13] General Data Protection Regulation, Recital 81, The Use of Processors, https://gdpr-info.eu/recitals/no-81/

[14] Article 30 of General Data Protection Regulation, 2018

[15] General Data Protection Regulation, Key Issue, Third Country, https://gdpr-info.eu/issues/third-countries/

[16] Article 45 of General Data Protection Regulation, 2018

[17] India to seek EU’s approval on GDPR compliance for ‘adequacy’ status, Abhimanyu Ghoshal, https://thenextweb.com/asia/2019/07/30/india-to-seek-eus-approval-on-gdpr-compliance-for-adequacy-status/



OP. ED.

In the present-day digital era, privacy has attracted the attention of many policymakers, judges and scholars. The digital environment has granted access to the entire world at a click, but has also exposed us to the snooping eyes of the government and private individuals. It is in this context that the right to privacy plays a crucial role. With the aim of having a regulatory policy in place to protect all European Union (EU) citizens from any violation of personal data and privacy, the EU Parliament enacted the General Data Protection Regulation[1] (GDPR) on 14-4-2016[2], repealing the previous Directive 95/46/EC (old Directive).

This article aims to discuss the provisions of the GDPR and explore their impact on Indian businesses. GDPR needs to be studied carefully in the Indian context for two reasons. Firstly, it has extraterritorial application (discussed below), thereby affecting the interests of several Indian businesses operating within the EU. Secondly, GDPR has set international standards for the data protection regime in the global digital era. The principles embodied in the GDPR have been referred to extensively in the judgment in K.S. Puttaswamy v. Union of India (Privacy judgment).[3] Even the Data (Privacy and Protection) Bill, 2017[4] introduced in the Lok Sabha follows the same framework as the GDPR and can be seen as a “summary” of the GDPR.

Justice Chandrachud, in his judgment, acknowledged that internet usage has increased exponentially and that individuals leave “electronic tracks”.[5] These tracks (including food habits and preferences), even though “inconsequential”, he notes, disclose who the user is and what his/her interests are. The age of information and its concomitants, such as cookies, big data and data mining, has given birth to complex issues for privacy. He focused on the centrality of the individual’s autonomy, consent and transparency. Similarly, Justice Kaul stressed the increasing invasion of privacy due to new technology, and supported the principles in the GDPR with respect to restrictions on “profiling” and the “right to be forgotten”.[6]

This article is divided into four parts. In Part I, we discuss the categories of information covered under the phrase “personal data” and protected under the GDPR. In Part II, we discuss the scope of the GDPR and how Indian businesses would be covered due to the extraterritorial application of GDPR. In Part III, we talk about the extensive number of obligations imposed on the covered entities. Finally, in Part IV, we analyse the other impacts of the GDPR on the non-EU businesses.

I. Information covered under “personal data”

GDPR affords protection to information that falls within the ambit of “personal data”. “Personal data” was given a very broad definition in the old Directive and the same has been carried forward in the GDPR. It is defined as “any information relating to an identified or identifiable natural person”[7]. A person can be identified by way of “a name, an identification number, location data, an online identifier or … factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”[8]. The definition covers both “objective” data (e.g., biometric data, presence of a substance in a patient’s blood) and “subjective” data (e.g., an individual’s opinion, assessment of an employee, assessment of the reliability of borrowers). The data can be either false or true. It can be in any format (e.g. alphabetical, numerical, graphical, photographic or acoustic). For example, customer preferences, a customer’s recorded voice in telephone banking and images taken by video surveillance all constitute “personal data”. The only qualifier is that the data (or its combination) in the possession of the entity must be comprehensive enough to “identify” an individual. For instance, ordinarily, a very common family name might not be sufficient to identify anyone, but the same family name used within a specific organisation (for example, a school) might be sufficient to identify the individual.[9] However, it is worth noting that anonymous or anonymised data is not “personal data” and hence is not covered by the data protection regime, thereby allowing free exchange of data where identification of an individual is not possible.

II. Scope of GDPR

GDPR covers all EU “established” entities and certain non-EU “established” entities. Under the former, if an entity is operating in the EU through one of its “establishment[s]” (e.g. a sales office or representative) and is processing the data of EU data subjects, it is covered under the ambit of the GDPR irrespective of whether the processing occurs in the EU or not.[10] Under the extraterritorial application, a non-EU “established” entity is covered only if it performs either of the following:

1. Offering goods and services to EU subjects

If a non-EU entity is directing its business activities towards EU residents and, in the process of doing so, is collecting personal data of the data subjects, then the entity is covered under GDPR. The test is whether the entity envisages offering goods and services to an EU resident. In deciding whether the activities are “directed” at EU residents or not, various factors have to be considered, such as the intention of the non-EU entity, the currency of the trade and the language used (with the possibility of placing an order in the local language of the target EU resident). Setting up a website that is merely accessible to EU residents is not covered.[11] This approach reflects the decision of the European Court of Justice in Weltimmo Sro v. Nemzeti Adatvédelmi és Informácioszabadsag Hatoság, where the Court factored in the use of the Hungarian language on the website.[12]

2. Monitoring behaviour of EU data subjects

This condition is especially designed to cover those entities that collect personal data on the internet for the purposes of profiling individuals, taking decisions regarding them, or analysing or predicting their personal preferences, attitudes and usage behaviour. As per the recitals of GDPR, under certain circumstances personal data also covers “cookie”[13] identifiers and IP addresses[14]. This can have widespread ramifications for the numerous entities that use cookies on their websites to gauge customer preferences and usage patterns. A decision of the UK High Court in Vidal-Hall v. Google Inc. reflects a similar understanding.[15] The Court in that case held that browser-generated information (BGI), which included IP addresses, websites visited and advertisements opened, among other things, collected by Google through cookies, constituted “personal data”.[16] This would have a huge impact on “how [businesses] collect, use and store private information, and what risk management controls are in place to protect them against potentially costly litigation”.[17]

III. Obligations on controller and/or processors under GDPR

GDPR classifies the entities into two categories — controller and processor. A controller is an entity that “determines the purposes and means of the processing of personal data”.[18] An entity processing the personal data on behalf of a controller is a processor.[19]

The majority of the obligations are imposed on the controller; however, it might be required to discharge these obligations through the processor. For instance, a controller employs another entity (the processor) to process the consumer data collected by it. Now, if a data subject requests the controller for access to the information relating to him, the controller would direct the processor to retrieve the data and send it to the controller. The processor would be obliged to adhere to the controller’s directions.

A few of the important obligations imposed on the controller/processor to regulate privacy are mentioned below:

1. Strengthened consent requirements

GDPR has strengthened the requirements of consent, giving data subjects control over whether or not their personal data will be processed. Consent from a data subject must be free, specific and informed, with an explicit indication of their wishes (either by a statement or by a clear affirmative action).[20] The data subject has the right to withdraw their consent at any time,[21] and hence commands a high degree of control. One of the major changes introduced is that the burden of proof is placed on the controller to prove that the data subject had consented to data processing for a specified purpose.[22] Further, if consent is obtained through a contractual agreement, then the consent for data processing must be clearly distinguishable in appearance from the other parts of the agreement.[23]

2. Requirement of providing information to data subjects

If a controller is collecting information about a data subject, then an information notice must be provided to the latter. This notice must specify the identity and contact details of the controller, the purpose of the data processing, the period for which the data will be stored, the existence of various rights, the recipients of the personal data, any other information necessary to guarantee fair processing of the personal data, etc.[24] These conditions do not differ substantially from the old Directive.

3. Breach and notification

In case of a personal data breach, the controller is responsible for reporting the matter to the appropriate supervisory authority without delay and, where feasible, within 72 hours of becoming aware of it.[25] This obligation does not apply if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach poses a high risk to the rights and freedoms of individuals, then the controller has the obligation to inform the data subjects “without any undue delay” after first becoming aware of the breach.[26]

However, the obligation to inform the data subjects does not arise in three cases.[27] First, where the controller has adopted technological protection measures that render the breached information incomprehensible to the unauthorised person. Second, where the controller has taken measures to eliminate the risk; for instance, the controller immediately identifies and takes action against the person concerned.[28] Third, where informing the data subjects individually would involve a “disproportionate effort” (indicative factors being the number of subjects and the age of the data), in which case a public notice or similar measure must be issued to inform the data subjects of the breach.[29]

4. Stronger rights given to data subjects

GDPR has strengthened the existing rights of data subjects and introduced new rights as well. The subjects have a right to access the data held by the controller. Controllers must, upon request, confirm whether they are processing an individual’s personal data, provide a copy of the data, and provide supporting explanatory material. In certain circumstances, the subjects have the right to object to specific types of processing, such as processing for research/statistical purposes and for direct marketing, among others. The subjects have a new right of data portability, making it easier to transmit personal data between service providers.[30] GDPR not only fortifies the right to be forgotten, as recognised in the Google Spain case,[31] but also expressly acknowledges the counterbalancing aspects and factors such as freedom of expression.[32]

5. Duty to undertake data protection measures

The controller/processor is required to implement appropriate technical and organisational measures, such as pseudonymisation[33] and encryption[34], in an effective manner and to integrate necessary safeguards in the processing to comply with the GDPR obligations and protect the rights of data subjects.[35]

6. Data protection impact assessment

Similar to the old Directive, GDPR mandates the controller to conduct an impact assessment for new technologies that pose a high risk to the rights and freedoms of data subjects. This obligation is triggered only where there are systematic and extensive processing activities based on automated processing, large-scale processing of sensitive data or data on criminal convictions, or monitoring of public areas. The controller is obliged to conduct an assessment of the impact of the envisaged processing on the protection of personal data.[36]

7. Appointment of Data Protection Officer

The business entities (controllers and processors) covered under GDPR are required to appoint a Data Protection Officer (DPO). This obligation is triggered if (i) the core activities of the entity (as defined below) involve processing operations engaged in regular and systematic monitoring of data subjects; or (ii) there is large-scale processing of special categories of data or data regarding criminal convictions. The Working Party 29 Guidelines[37] indicate that core activities also include business activities to which the data processing operations are “inextricable” (e.g. processing of patients’ information by a hospital). However, if the processing is merely “necessary” or “essential” to the organisation, then it does not have the obligation to appoint a DPO (e.g. storing information on the salaries of an organisation’s employees). The designated representative will be the point of contact for the organisation, including being subject to enforcement proceedings in the event of non-compliance by the controller or processor. However, this does not mean that the DPO will be personally liable for non-compliance with the duties of the controller/processor.

8. Obligations specific to the processor

Processors will have to abide by the contract with the controller and comply with any other EU or member State law. The contract between the two must state that the processor can only carry out processing activities on the basis of written instructions from the controller. The processor is responsible for ensuring that the personnel authorised to process the data have signed confidentiality agreements. The contract obliges the processor to delete or return the data to the controller after expiry of the contract. The processor must also provide all requisite information to the controller for demonstrating compliance with all its obligations.

IV. Other impacts on non-EU (including Indian) businesses

1. Allowing businesses to expand across borders

GDPR will help Indian businesses to expand their operations from one or a few EU countries to other member States. Under the old Directive, if an Indian company having its operations in Germany wanted to expand to another member State such as France, then the proprietor would have to deal with different regulators, under the local (French) laws, for its various data processing activities. This would add the cost of obtaining legal advice and possibly of making changes to business models in order to enter the new market. This had a prohibitive effect, especially where some member States required businesses to pay notification fees for processing data.

To ease business operations, GDPR has implemented a “one-stop-shop” mechanism. If an entity is engaging in cross-border processing of personal data (i.e. the processing or its effect on data subjects takes place in more than one member State), it has to identify one “lead” supervisory authority for the purposes of compliance. The lead supervisory authority is that of the place where the main decisions regarding the purposes and means of processing are taken, which constitutes the entity’s central administration.[38]

2. GDPR will help in the growth of new and small entrants in the market

As per GDPR, citizens have a right to data portability.[39] It allows them to move their personal data from one service provider to another. For instance, earlier, if a new business wanted to enter a specific market where big corporations were already in place, consumers might not have wanted to shift to the new service provider, as their entire data was registered in the existing service provider’s database. With the data portability right now available, consumers will be able to shift easily to new service providers.

3. GDPR will help in improvement of international cooperation

GDPR has streamlined the process of data transfer to other countries. It provides for an “adequacy decision” — an acknowledgement given at EU level to a non-EU country that adequate protection is afforded to data subjects in its domestic law or international commitments.[40] If an adequacy decision has not been passed in favour of a country, then data transfer can take place on the basis of binding corporate rules. These binding corporate rules incorporate provisions requiring the data recipient to adhere to the EU standards of data protection. If there is neither an adequacy decision nor any binding corporate rules, data transfer can take place only on the basis of very narrow exceptions. These exceptions cannot be invoked on a regular basis. They can only be used for a limited amount of data and number of subjects, and for compelling legitimate interests of the controller.[41]

4. Enhanced responsibility on knowledge process outsourcings

Under the GDPR, certain differentiated responsibilities have been imposed on both controllers and processors. Under the old Directive, data subjects had no right of remedy against processors. However, GDPR provides that if a processor violates any of the provisions, then it will be deemed to be a controller in respect of the liability provisions.[42] These provisions put numerous Indian businesses engaged in knowledge process outsourcing (KPO) at risk of liability.

GDPR is bound to give jitters to Indian businesses looking to expand their operations to the EU. In the long term, one can expect these norms to be imported to India as GDPR has taken the lead by setting high industry standards. The Privacy judgment[43] is just a start towards a safer tomorrow for the data subjects and a tougher one for the businesses.

——————————-

* 5th year students, BBA LLB, O.P. Jindal Global University, Sonipat.

[1]  Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Regulation (EU) 2016/679.

[2]  The GDPR will come into force on 25-5-2018.

[3]  (2017) 10 SCC 1, p. 252 of Justice Chandrachud’s judgment. The Report of group of experts referred to by Justice Chandrachud heavily relies on the EU Data Protection Regimes.

[4]  The Data (Privacy and Protection) Bill, 2017, Bill No. 100 of 2017, available at <http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/889LS%20AS.pdf>.

[5]  Justice Chandrachud, (2017) 10 SCC 1, 196, 197.

[6]  Justice Kaul, (2017) 10 SCC 1, p. 7, 8, 35, 36.

[7]  Art. 4 of the GDPR.

[8]  Art. 4 of the GDPR.

[9]  Art. 29, Data Protection Working Party, Opinion 4/2007 on the concept of Personal Data, 01248/07/EN.

[10]  Google Spain SL v. Agencia Española de Protección de Datos, 2014 QB 1022 : (2014) 3 WLR 659, also available at <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN>.

[11]  Recital 23 of the GDPR.

[12]  (2016) 1 WLR 863, also available at <http://curia.europa.eu/juris/document/document.jsf?docid=168944&doclang=EN>.

[13]  Cookie is a message that is stored in the browser of the person who is storing a particular website. This message is sent to the server of the same website every time the person visits it again. Cookies are used to modify the content of the website in accordance with the previous behaviour of the person.

[14]  Recital 30 of the GDPR.

[15]  (2015) 1 WLR 4934 : 2015 EWCA Civ 311, available at <https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf>.

[16]  Para 115 of the judgment.

[17]  Aon Risk Solutions, Data privacy: New ruling may change the game for companies’ cyber exposures, available at <http://www.aon.com/attachments/risk-services/Google-vs-Vidal-Hall-Cyber-News-Alerts-Final.pdf>.

[18]  Art. 4(7) of the GDPR.

[19]  Art. 4(8) of the GDPR.

[20]  Art. 4(11) of the GDPR.

[21]  Art. 7(3) of the GDPR.

[22]  Art. 7(1) of the GDPR.

[23]  Art. 7(2) of the GDPR.

[24]  Art. 13(1) of the GDPR.

[25]  Art. 33(1) of the GDPR.

[26]  Art. 34(1) of the GDPR.

[27]  Art. 34(3) of the GDPR.

[28]  Guidelines on personal data breach notification under Regulation 2016/679.

[29]  Art. 34(3) of the GDPR.

[30]  Art. 17 of the GDPR.

[31]  2014 QB 1022 : (2014) 3 WLR 659, also available at: <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN>.

[32]  Art. 17(3)(a) of the GDPR.

[33]  “Pseudonymisation” of data means substituting any of the identifying characteristics of data with a pseudonym, which prevents the data subject to be directly identified.

[34]  Encryption converts the data into a secret code. To access the data, a password is required.

[35]  Art. 32(1) of the GDPR.

[36]  Art. 35 of the GDPR.

[37]  The guidelines were formed under the previous EU data Regulation of 1995. It has continued to exist under GDPR as well.

[38]  Art. 51(3) of the GDPR.

[39]  Art. 20 of the GDPR.

[40]  Art. 45 of the GDPR.

[41]  Recital 113 of the GDPR.

[42]  Art. 28(10) of the GDPR.

[43]  (2017) 10 SCC 1.