The GDPR is not an initiative, it's a law enforced by the largest trading bloc in the world.
It doesn't need to be combined with anything else and you need a legal means or explicit consent to process it.
If you don't have this, and you control the data of a Natural Person residing in the EU that you acquired from your establishment in the EU (a website served from Bangalore and Pune but accessible in the EU would count), then woe betide you.
You outsource it to another processor without BCR, Third country adequacy etc - someone tips off a Supervisory Authority or Max Schrems goes after you, or you get a SAR you ignore, or you have a breach of personal data and don't inform within 72 hours - welcome to administrative fines. You don't play ball, the SA goes after your establishment.
OK, let's say you have no business in the EU at all, but you still processed that data and you have a bad breach. Do you need consumer trust for your business? Sorry, you don't have that anymore, as you just got dragged through the European legal system, backward by the collar, with every consumer advocacy group kicking you on the way. Any legal agreements between your country and the EU? They use those. No legal, diplomatic, doesn't work economics. You are in tatters, Equifax Squared.
Bottom line, the name is enough, and you have all of the agencies represented by WP29 who can go after you, and they all want a kill in May or shortly after.
Apologies, but the EU GDPR is applicable to all identifiable natural persons (no distinction between deceased or living): always go to the authentic source of the EU GDPR please, so no mistakes are made http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriservJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016...
@marcvael It doesn't need to; it's implicit, due to the fact that a 'Natural Person' is a living, not dead, person, with 'sense of self', 'limited lifespan' etc. Once you are dead, GDPR no longer applies to that data, as you don't really have any rights or liberties to protect.
Happy to be persuaded away from this viewpoint, but that's a long march.
OK, the third time I tried to post... apologies if they all come through at once...
@marcvael the term 'Natural Person' pretty much defines a living person - that is, one with a limited lifespan and one that is conscious, can think and make choices. Dead people can't do any of these things.
So it's implicit when that term is used and doesn't need to reference living in the text.
Wow, tough to reply to this thread... Fourth time lucky?
'Natural Person' as an entity specifically defines them as having choice, free will, and possessing a limited lifespan; they will die one day.
Zombies do not have their personal data protected under the GDPR, nor do dead people.
Deceased people's privacy cannot be abused by any organisation or other people. Relatives inherit the privacy rights of a deceased person. Dead people have (privacy) rights even beyond when they lived.
Others posting on this thread have made the point that the best place to go for guidance is the EU (look up the Article 29 Working Party - it stems from article 29 of the Data Protection Directive, but its guidance on the GDPR is viewed as the nearest thing we have to definitive at the moment) and/or your local data protection regulator. It's helpful to bear in mind that the law is rooted in the human rights of EU citizens and not in the data themselves. Can your organisation identify a living EU citizen from the data either directly or by cross-reference with others? If so, then they're personal.
Remember that the law attaches to the data subject and not to the data - it matters not a jot where you are processing them, though it's way easier to demonstrate compliance if you do it within the European Economic Area. The burden is on the data controller to prove compliance, and that is something to which many of us simply aren't accustomed. We're just going to have to learn to deal with it.
There's a sort of analogy with money, which has been regulated for some time. If my bank can't show where my money is, what it's doing with it or it can't hand it back to me when I ask then it's breaking the law. We're heading that way now with personal data so if you use, copy or share them you need to know where, how and why, and if needs be you have to be able to correct them and stop processing or storing them unless you need them in order to comply with other legislation.
If that doesn't seem hard to do, then it's likely that you're missing something!
Maybe, but not under the GDPR, and they are not natural persons.
Recital 27 is really very specific on this.
'This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.'
So in summary, dead people are not natural people, and outside of what a natural person is defined as (not dead), the GDPR specifically excludes dead people and allows individual countries a free hand.