Under the General Data Protection Regulation (the GDPR), the UK Privacy Act 2018 and other data protection regulations around the world, GDPR training for employees is mandatory. Employers are obliged to deliver data protection training for staff and to record the results of that training.
Maintaining a public register. Judicial functions. Processing personal information without an automated system such as a computer. Since 1 April 2019, members of the House of Lords, elected representatives and prospective representatives are also exempt.
The GDPR covers all the European Union member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Information which is truly anonymous is not covered by the GDPR. If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
The GDPR only applies to organizations engaged in “professional or commercial activity.” So, if you're collecting email addresses from friends to fundraise a side business project, then the GDPR may apply to you. The second exception is for organizations with fewer than 250 employees.
GDPR Exemptions
- Freedom of expression and information.
- Public access to official documents.
- National identification numbers.
- Employee data.
- Scientific and historical research purposes or statistical purposes.
- Archiving in the public interest.
- Obligations of secrecy.
- Churches and religious associations.
General Data Protection Regulation
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The General Data Protection Regulation (GDPR) does not only apply to businesses in the European Union (EU). Instead, companies from all over the world may have to comply with the GDPR when processing personal data because of the new scope of European data protection legislation.
The EU GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.
The short answer is, yes it is personal data. GDPR will apply to how personal data, including email addresses, is processed, while PECR gives further guidance on how that data can be used for electronic and telephone marketing purposes.
Whenever you make any disclosure of personal data, it must be fair, transparent and lawful. In some cases, it may be appropriate to seek the views of individuals before sharing their personal data with the police. However, in many cases this will be inappropriate, both for practical and legal reasons.
In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes. Although the GDPR doesn't specifically ban opt-out consent, the ICO (Information Commissioner's Office) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.
You can automatically withhold information because an exemption applies only if the exemption is 'absolute'. This may be, for example, information you receive from the security services, which is covered by an absolute exemption. However, most exemptions are not absolute but require you to apply a public interest test.
