GDPR

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law that governs how organizations handle personal data. It was implemented on May 25, 2018, to give individuals more control over their personal data and to establish clear rules for organizations on how to collect, store, process, and share that data. Here are the key aspects:

Key Principles of GDPR:

  • Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Data should only be collected for specified, legitimate purposes and not processed further.
  • Data Minimization: Only the minimum amount of data necessary for the intended purpose should be collected.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage Limitation: Data should be kept only for as long as necessary to fulfill its purpose.
  • Integrity and Confidentiality: Data must be processed in a way that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability: Organizations must take responsibility for complying with these principles and be able to demonstrate their compliance.

Key Rights under GDPR:

  • Right to Access: Individuals have the right to access their personal data and know how it’s being used.
  • Right to Rectification: Individuals can request that inaccurate or incomplete data be corrected.
  • Right to Erasure (Right to be Forgotten): Individuals can request the deletion of their data under certain conditions.
  • Right to Restriction of Processing: Individuals can ask for their data to be processed only in limited circumstances.
  • Right to Data Portability: Individuals can request that their data be transferred to another service provider.
  • Right to Object: Individuals can object to the processing of their data in certain situations.
  • Right Not to Be Subject to Automated Decisions: Individuals can opt out of decisions based solely on automated processing (like profiling).

Obligations for Organizations:

  • Data Protection Officer (DPO): Certain organizations must appoint a DPO to oversee GDPR compliance.
  • Data Breach Notification: Organizations must notify the relevant authorities of a data breach within 72 hours if it affects personal data.
  • Privacy by Design and by Default: Data protection should be integrated into the design of systems and processes.
  • Data Protection Impact Assessment (DPIA): For certain high-risk activities, organizations must assess the impact of their processing on individuals’ privacy.

Penalties for Non-Compliance:

Organizations that fail to comply with GDPR can face hefty fines:

  • Up to €20 million or 4% of global annual turnover (whichever is higher).

GDPR applies not only to organizations based in the EU but also to those outside the EU if they process the personal data of individuals within the EU.
