GDPR - The General Data Protection Regulation


According to the GDPR, everyone has certain rights when their data is collected - not just on the internet. This is especially true for sensitive data such as health, biometric data or origin.

What does GDPR stand for?

GDPR is the acronym for the General Data Protection Regulation. The EU regulation came into force on 25 May 2016. After a two-year transition period, the GDPR has been mandatory for all EU member states since 25 May 2018.

It contains provisions on the protection of personal data and the privacy of EU citizens.

Compliance with the GDPR is crucial to gaining the trust of customers and business partners, as well as avoiding hefty fines. Businesses should ensure that they fully understand and implement the requirements of the GDPR to ensure adequate data security.

Where does the GDPR apply?

The GDPR applies to all companies and organisations that process the personal data of EU citizens, regardless of their size or location. This means that both businesses within the European Union and businesses outside the EU that process the personal data of EU citizens are covered by the regulation.

Who needs to implement the GDPR?

All companies and organizations, as well as public institutions such as public authorities or government agencies, that process personal data of EU citizens must implement the GDPR. In addition, data processors who process personal data on behalf of a company must also comply with the GDPR. This could be, for example, an IT service provider that has access to personal data.

It is the responsibility of each company and organization to ensure that the processing of personal data complies with the requirements of the GDPR. Companies and organizations that violate the regulation may be subject to heavy fines.

The GDPR is particularly relevant to the internet and websites, as IP addresses are personal data. Data processing already takes place at the moment of collection, for example when a provider receives and logs a visitor's IP address.

What happens if the GDPR is violated?

Violations of the General Data Protection Regulation (GDPR) can result in hefty fines. The amount depends on a number of factors, including the type of breach, the amount of personal data involved, and the severity of the breach. The maximum fine is up to 4% of the company's annual global turnover or up to 20 million euros.

In addition, companies and organizations that violate the GDPR may be required to take steps to address the data breach and ensure compliance with the GDPR. These include:

  • Implementing technical and organizational measures to improve data security
  • Restricting or stopping data processing
  • Deleting or correcting personal data

The main articles of the GDPR

The General Data Protection Regulation (GDPR) contains a total of 99 articles. Some of the most important articles are listed below:

Article 5: Principles relating to processing of personal data - This article outlines the principles to be observed when processing personal data, including lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

Article 6: Lawfulness of processing - This article sets out the conditions under which the processing of personal data is lawful, including consent, performance of a contract, legal obligation, vital interests, public interest and legitimate interest.

Article 9: Processing of special categories of personal data - This article sets out the conditions under which the processing of sensitive personal data, such as health data or political opinions, is permitted.

Article 13: Information to be provided when personal data are collected - This article sets out the requirements for informing data subjects when personal data are collected, including the purpose of the processing, the categories of personal data and the duration of storage.

Article 17: Right to erasure (right to be forgotten) - This article regulates the right of the data subject to request the erasure of his or her personal data when they are no longer needed or the processing is unlawful.

Article 25: Data protection by design and by default - This article specifies that data protection principles must be taken into account in the development of products and services and that default data protection settings must be in place.

Article 32: Security of processing - This article specifies the requirements for data security, including the implementation of technical and organizational measures to ensure an adequate level of protection.
