4 Personal Data Processing under the GDPR

4.1 Aim and Scope of the GDPR

The General Data Protection Regulation (GDPR) became effective in all member states of the European Union on May 25, 2018. The regulation aims to increase consumer privacy by (i) strengthening consumers’ control over their personal data (see Section 4.2 for the GDPR’s precise definition of personal data); and (ii) harmonizing EU member states’ existing national privacy laws via one regulation for all EU member states. The GDPR achieves these aims both by defining users’ rights with regard to their personal data (see Section 4.3) and by imposing obligations on firms that process such data (see Section 4.4). As elaborated in what follows, the GDPR defines the concept of personal data processing rather broadly—encompassing the collection of personal data, as well as the use and ultimate deletion of such data.

Unlike previous EU privacy laws, which only affected European firms, the GDPR applies not only to EU firms but also to firms outside the EU that process EU citizens’ personal data. The only case in which the GDPR treats European firms and non-European firms differently is with regard to the processing of personal data of non-EU citizens; in these cases, the GDPR applies to European firms but not to non-European firms, as outlined in Table 2.

Table 2: Applicability of the GDPR for EU and non-EU Firms Processing Personal Data of EU and non-EU Citizens

4.2 Definition of Personal Data

The GDPR defines personal data as follows (Article 4):

[…] any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

According to this definition, and in contrast to prior regulations, which only considered information that directly identifies a consumer (e.g., name, address, birth date, or social security number) as personal data, the GDPR considers personal data to include any information that directly or indirectly identifies a user (Bleier, Goldfarb, Tucker 2020). Information that can indirectly identify a user includes online identifiers such as cookies and digital fingerprints. Therefore, firms that adopt such tracking techniques have to comply with the GDPR.

The GDPR strictly differentiates between pseudonymous data, to which the GDPR applies, and anonymous data, to which the GDPR does not apply. Personal data are considered pseudonymous if they do not directly identify a user but can be used to identify a user indirectly. For example, a customer number (e.g., “123456789”) does not, in itself, directly identify a user. However, when combined with information relating the customer number to an individual user (e.g., “123456789” represents user “X”), the customer number is considered pseudonymous data. Personal data are only considered anonymized if they do not identify a user at all (e.g., it is unknown which user the customer number “123456789” represents). Thus, firms that collect data from consumers and seek to avoid the GDPR cannot suffice with pseudonymizing user information but rather must anonymize it, which may be impractical and costly.

4.3 User Rights with Regard to Personal Data Processing

The GDPR provides users with eight rights related to the processing of their personal data. In what follows, and as summarized in Table 3, we classify these rights into three categories: rights that enable users to understand the processing of their personal data (Section 4.3.1), to change the processing of their personal data (Section 4.3.2), and to restrict the processing of their personal data (Section 4.3.3).

Table 3: Overview of User Rights and Their Aims under the GDPR

4.3.1 Rights Enabling Users to Understand the Processing of Their Personal Data

The “Right to Information” states that a user has a claim to information about any firm that processes the user’s personal data and about the firm’s personal data–processing activities. Such information includes the contact details of the firm, which types of personal data the firm processes, and the rationale behind the processing. For example, if a user shops on an online platform, and the platform processes data from the user, then the user has the right to obtain contact details of the online platform. Moreover, the user has the right to know if the firm has collected data about the products the user viewed and is using this information to recommend other products to the user. This information puts the user in the position to contact the firm and enables the user to evaluate whether she agrees to the personal data processing.

The “Right to Access” entitles users to obtain copies of their personal data and further information about the personal data processing. In our example, the user who shops on the online platform can ask for a copy of the personal data that the online platform has stored about her, and for information about all personal data processing activities. Notably, this right forces firms that process users’ personal data to document all of their processing activities. The Right to Access enables users to gain an in-depth understanding of which personal data the firm processes for what purpose, providing additional information that can assist them in evaluating whether to consent to having their personal data processed.

4.3.2 Rights Enabling Users to Change the Processing of Their Personal Data

The “Right to Rectification” provides a user with the opportunity to modify and correct potentially false or outdated personal data, which may harm the user otherwise. For example, in a situation in which a user’s financial information was processed for the purpose of determining credit eligibility, it may be that the user was not solvent and, thus, not eligible for credit. However, once the user becomes solvent, the user may rectify the personal data about the insolvency, potentially preventing the information from harming future credit applications.

The “Right to Erasure” enables the user to force the firm that has processed the user’s personal data to delete data that are not relevant for the purpose of the personal data processing. This right enables the user to negotiate with the firm about the relevance of personal data and puts the firm in the position to justify the personal data storage if the firm does not agree with the erasure. In our example, the user who became solvent may ask the firm to delete the past information about the user’s insolvency because this personal data may not be relevant to assess the user’s current solvency.

The “Right to Data Portability” enables the user to ask the firm to provide all personal data of the user to another firm in an accessible and machine-readable format. For example, a user may ask her current bank to transmit all her personal data to a new bank. This right decreases lock-in effects caused by so-called switching costs. Switching costs occur if the user faces costs caused by switching from one firm’s service to another firm’s service.

4.3.3 Rights Enabling Users to Restrict the Processing of Their Personal Data

The “Right to Restriction of Processing” enables a user to stop the processing of her personal data (temporarily) if the user doubts (i) the necessity to use the personal data to fulfill the purpose of the processing, (ii) the accuracy of (some of) the personal data used to achieve the purpose of the processing, or (iii) the lawfulness of the processing. Therefore, this right enables the user to take actual control of her own personal data and requires the firm to justify (i) the necessity, (ii) the accuracy and (iii) the lawfulness of the personal data processing. For example, suppose a user applies for credit, and an algorithm decides, on the basis of the user’s personal data, whether the user should receive the credit. If the user determines that the personal data used to make this decision are unnecessary, incorrect, or illegally processed, then the user can demand that the website stops processing the personal data.

The “Right to Avoid Automated Decision-Making” ensures that the user has the right not to be subjected to a decision based solely upon automated processing, including profiling. This right applies primarily to cases in which decisions significantly impact the user, such as the refusal of an online credit application. More specifically, this right enables the user to demand that the data-processing firm assign humans to monitor decision-making processes that are otherwise carried out automatically, as humans may better detect mistakes in such processes. For example, if a user’s credit application is rejected on the basis of an automated decision, then the user can object to the automated decision-making process and request that the firm (partially) re-evaluate this decision via a human.

The “Right to Object” entitles the user to object to the processing of personal data for marketing purposes, including marketing-related profiling. More specifically, this right enables users to ensure that they do not receive content or ads based on their past browsing behavior, demographics or interests. Therefore, this right enforces the user’s fundamental right of informational self-determination. Returning to our example, suppose that the user who has applied for credit begins to receive advertisements based on the user’s solvency rating. In this case, the user can object to this targeting strategy and can demand to see untargeted ads, which do not relate to the user’s solvency rating. In order to override a user’s objection to the processing of personal data, a firm must demonstrate compelling legitimate grounds for doing so.

4.4 Obligations for Firms that Process Personal Data

4.4.1 The Role of the Firm: Data Controller or Data Processor

According to the GDPR, a firm that handles a user’s personal data is classified under one of two essential roles: “data controller” or “data processor.” Each role entails specific responsibilities and obligations with regard to the processing of personal data—where a data controller has more obligations than a data processor. It is possible for a firm to be a data controller in some cases and a data processor in others, but never both simultaneously.

4.4.1.1 Definition of Data Controller

The GDPR defines in Article 4 point (7) that a firm is a data controller if the firm is responsible for deciding why and how to process the personal data (the “purposes” and “means” of processing). Under the GDPR, the data controller faces several obligations, which we discuss in Section 4.4.2 and Section 4.4.3.

4.4.1.2 Definition of Data Processor

The GDPR outlines in Article 4 point (8) that a firm is a data processor if it processes personal data on behalf of a data controller. Thus, the data processor cannot decide why and how to process the personal data (the “purposes” and “means” of processing). We discuss the obligations of the data processor in Section 4.4.2.

4.4.1.3 Relationship Between Data Controller and Data Processor

By definition, a firm cannot be both a data controller and a data processor for the same personal data processing activity; it must be one or the other. Yet, a firm might be involved in multiple personal data processing activities (potentially even involving similar data)—and serve as a data processor in some activities and as a data controller in others.

For example, suppose that a demand-side platform (DSP) D receives a bid request from an ad exchange to bid on behalf of an advertiser A1 for a particular ad slot. That bid request comes with personal data such as the user ID (or cookie ID) for the user who will be exposed to the ad, the publisher P1 to which the ad slot belongs, and the information that the user is likely to be male. Concerning this bidding process, DSP D is a data processor because it processes personal data on behalf of the data controller (i.e., publisher P1, which sells the ad slot).

Assume further that DSP D also bids on behalf of another advertiser, advertiser A2, for an ad slot offered by a different publisher, P2. In this bidding process, advertiser A2 also receives personal data. DSP D remains a data processor for this bidding process because it processes personal data only on behalf of the data controller (i.e., publisher P2, which sells this ad slot).

However, DSP D turns into a data controller if it combines the personal information received from publishers P1 and P2. For example, DSP D could build user profiles that combine the information provided by both publishers and sell these profiles to advertisers. The profiles are now the firm’s “own” data. Therefore, the firm becomes a data controller.

4.4.2 Shared Obligations for Both the Data Controller and Data Processor

The GDPR stipulates several obligations with which both types of actors—the data controller and the data processor—must comply in order to engage in a particular activity involving the processing of personal data. Table 4 outlines the most important ones.

Table 4: Overview of Obligations for both Data Controller and Data Processor under the GDPR

The first obligation—processing any personal data based on a legal basis—entails justifying the data processing activity by choosing an appropriate legal basis; the GDPR stipulates six arguments that constitute acceptable legal bases for personal data processing. The choice of a particular legal basis may be associated with additional requirements. Section 4.4.4 provides a detailed discussion of the various legal bases and the requirements associated with each one. While the data controller and data processor both need a legal basis, the choice of the legal basis rests solely with the data controller. As such, the data processor relies on the legal basis chosen and established by the data controller.

The second obligation is for the actor to document all steps taken as part of the personal data processing activity, including the choice of a legal basis and the measures implemented to ensure compliance with all obligations. Third, the actor needs to implement appropriate technical and organizational measures to safeguard privacy by design and by default. Finally, in the case of a data breach, the data controller is usually required to notify the supervisory authority of the personal data breach within 72 hours. In contrast, the data processor is required to notify the data controller of the personal data breach immediately.

For example, suppose that a firm has a database of customer email addresses (i.e., personal data), and it wants to send a newsletter to its customers to inform them about a sales event. To this end, the firm must “process” the email addresses, e.g., by gathering relevant email addresses from the database and sending the newsletter to these addresses. According to Table 4, the firm first needs a legal basis for this activity. Suppose that the firm chooses to rely on users’ explicit consent as its legal basis (see Section 4.4.4.2.2 for a detailed discussion of explicit consent as a legal basis for data processing). In that case, the firm has to collect users’ explicit consent to have their email addresses used for receiving newsletters. Moreover, once the firm has chosen explicit consent as its legal basis, it needs to fulfill all associated requirements stipulated in the GDPR—e.g., informing the user of the purpose of personal data processing prior to requesting consent.

Second, the firm needs to document all its activities with regard to the processing of users’ email addresses. Notably, in line with the user’s “Right to Access” (Section 4.3.1), if the user requests this documentation, the firm must provide it. Third, the firm must implement appropriate technical and organizational measures to safeguard personal data. For example, the firm could encrypt the files in the database to protect the email addresses from being stolen, or store more sensitive personal data about the users in a different database with pseudonymized email addresses. Fourth, the firm needs to inform the supervising authority in the case of a data breach.
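The pseudonymous/anonymous distinction from Section 4.2 and the “separate database with pseudonymized email addresses” measure mentioned above are easier to reason about with a concrete data layout. The following Python is an added illustration written for this page, not code from the paper or from any firm it describes; the customer records, the key and the two-store layout are constructed for the example. It replaces the e-mail address with a keyed hash, keeps the pseudonym-to-address mapping in a separate, access-controlled store, and shows that the attribute data stays pseudonymous (the GDPR applies) as long as anyone can still resolve the link, and only becomes unlinkable once both the mapping and the key are gone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the example (not real people).
CUSTOMERS = [
    {"customer_number": "123456789", "email": "alice@example.com", "orders": 3},
    {"customer_number": "987654321", "email": "bob@example.com", "orders": 1},
]


def new_key() -> bytes:
    """Generate a random 256-bit pseudonymization key (keep it with the mapping, not with the analytics data)."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    A plain SHA-256 of an e-mail address is not a good pseudonym: addresses are
    guessable, so anyone could hash candidate addresses and compare.  With a
    secret key, the link can only be recomputed by a key holder.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def split_store(customers: List[dict], key: bytes) -> Tuple[Dict[str, str], List[dict]]:
    """Separate the identifying data from the data used for other purposes.

    identity_store:  pseudonym -> e-mail address (stored with the key, access-controlled)
    analytics_store: pseudonym plus non-identifying attributes only
    """
    identity_store: Dict[str, str] = {}
    analytics_store: List[dict] = []
    for c in customers:
        pseudonym = pseudonymize(c["email"], key)
        identity_store[pseudonym] = c["email"]
        analytics_store.append({"pseudonym": pseudonym, "orders": c["orders"]})
    return identity_store, analytics_store


def reidentify(pseudonym: str, identity_store: Dict[str, str]) -> Optional[str]:
    """Resolve a pseudonym back to the e-mail address, if the link still exists.

    While this succeeds, the analytics store is pseudonymous personal data in
    the sense of Section 4.2, and the GDPR applies to it.
    """
    return identity_store.get(pseudonym)


def holds_link(pseudonym: str, candidate_email: str, key: bytes) -> bool:
    """A key holder can link a pseudonym to a candidate address even without the
    mapping table, because the pseudonym is deterministic.  This is why the key
    must be protected (and destroyed) together with the mapping."""
    return hmac.compare_digest(pseudonym, pseudonymize(candidate_email, key))


def sever_link(identity_store: Dict[str, str]) -> None:
    """Delete the mapping.  Only once the key is destroyed as well does the
    analytics store stop being linkable to individuals through this channel;
    whether the remaining attributes (here: order counts) could still single
    someone out is a separate assessment."""
    identity_store.clear()


if __name__ == "__main__":
    key = new_key()
    identity, analytics = split_store(CUSTOMERS, key)
    print("pseudonymous:", reidentify(analytics[0]["pseudonym"], identity))
    sever_link(identity)
    print("after severing the link:", reidentify(analytics[0]["pseudonym"], identity))
```

The design point is the split itself: the newsletter system only needs the identity store, the analytics or reporting system only needs the attribute store, and the key lives with the former. Deleting the mapping and key is what the text calls anonymization; leaving either in place keeps the data pseudonymous.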

If the firm hires a digital marketing agency to promote its sales event, then the marketing agency acts as a data processor. As such, it relies on the legal basis, i.e., explicit consent, chosen and established by the firm. However, similarly to the firm, the marketing agency needs to document all personal data processing activities, implement appropriate technical and organizational measures to safeguard personal data, and inform the data controller in case of a data breach.

4.4.3 Obligations for Data Controller but not Data Processor

The GDPR stipulates several obligations that apply to the data controller but not to the data processor. Table 5 outlines the most important ones.

Table 5: Overview of Obligations only for Data Controller and not for Data Processor

These additional obligations include a requirement for the data controller to select the purposes of processing personal data before processing the personal data. Continuing our previous example, for the firm processing consumers’ email addresses, the purpose of data processing might be “informing customers about a sales event.” An additional obligation that the data controller must fulfill is to justify the relevance of all personal data that the data controller processes. In our example, the firm needs to be able to justify the relevance of processing the email addresses and any other personal data involved in this processing activity, such as names. If the firm is unable to justify the relevance, then the user might rely on the “Right to Erasure” to have the irrelevant personal data deleted. Regarding the firm’s purpose of informing customers about a sales event, the firm might justify the processing of email addresses by referring to the requirement that the firm needs the customers’ email addresses to send them emails about the sales event. A further obligation for the data controller is to ensure the compliance of the data processor with the GDPR. So, if the firm relies on a marketing agency to inform its customers about the sales event, the data controller needs to make sure that the data processor fulfills all obligations of the GDPR regarding the specific personal data processing activities.

4.7 Main Takeaways

The main takeaways from Section 4 are:

  • The GDPR is a privacy law of the European Union applicable to all European firms and all firms processing personal data of European citizens.

  • The GDPR aims to give users more control over their personal data by defining user rights to understand, change, and restrict the personal data processing.

  • The GDPR increases responsibilities for all actors who process personal data. For a given data-processing activity, the GDPR defines an actor as either a data processor or a data controller, where data controllers have more obligations than data processors do. Data controllers are also responsible for the legal compliance of the cooperating data processors.

  • The GDPR stipulates that in order to process personal data, a firm must specify a legal basis for personal data processing. For firms in the advertising industry, the two applicable legal bases are legitimate interest and consent.

  • Loosely speaking, legitimate interest represents the opt-out approach for getting permission for personal data processing, whereas consent represents an opt-in approach.

  • Even though the GDPR identifies both consent and legitimate interest as applicable legal bases for firms in the advertising industry, courts have reduced the applicability of legitimate interest, consequently favoring consent.