The GDPR is the primary source of data protection law in the European Union. Since it became applicable in May 2018, uniform rules on data protection and data security have applied in all EU member states.
This brings more uniformity and clarity to cross-border trade, but it also poses challenges for companies. Companies have more obligations to fulfill under the GDPR, and consumers have more rights. The maximum fines have also been raised substantially, making it even more important for companies to implement the data protection rules properly.
But what exactly is the content of the GDPR? Which obligations affect your company? How do you implement them correctly? And what rights do data subjects have? We answer the most critical questions about the GDPR in this article.
The General Data Protection Regulation entered into force in May 2016 and has applied since 25 May 2018 in all EU member states. It applies to every company established in the EU that stores, processes, or transfers personal data, and to companies outside the EU that offer goods or services to people in the EU or monitor their behavior, and that store, process, or transfer those people's personal data for this purpose.
Good to know: The GDPR therefore also binds companies based outside the EU or EEA that offer and sell goods or services within the European Union. It has also been incorporated into the EEA Agreement, so it applies in Norway, Iceland, and Liechtenstein as well. The regulation thus ensures that the personal data of people in the EU is protected comprehensively, regardless of where the processing company sits.
There is no distinction between personal data in public, work-related, or private sectors. For example, the data of employees in a company is also covered by the GDPR, as is data in the B2B sector when business partners exchange personal data with each other. This means that almost all companies operating in the EU must comply with the provisions of the General Data Protection Regulation in principle.
The GDPR aims to protect natural persons with regard to the processing of their personal data while still allowing a secure and responsible exchange of data. The previous EU Data Protection Directive (95/46/EC) had not achieved this goal because each member state transposed it differently, so the European legislator opted for a regulation instead.
Excursus: The GDPR is a legal act in the form of a regulation. Unlike a directive, a regulation applies directly in all EU member states without having to be transposed into national law. Directives, on the other hand, must be implemented by each member state in its own legislation. Even so, the GDPR contains so-called opening clauses that allow member states to retain or supplement their own rules in specific areas.
Personal data means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). A person is identifiable if they can be identified directly or indirectly, for example by a name, an identification number, location data, an online identifier such as an IP address or cookie ID, or by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Data that the legislator regards as particularly sensitive is subject to special protection (Art. 9 GDPR). These special categories are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing them is prohibited unless one of the specific exceptions in Art. 9(2) applies.
Processing in this context means any operation performed on personal data, whether automated (e.g., with computers, scanners, digital cameras, or smartphones) or manual, as long as the manual data forms part of a filing system, such as a structured paper file. Because this covers most activities and data collections in companies and public authorities, the GDPR is relevant practically everywhere.
Dealing with personal data is always characterized by responsibility towards natural persons. Anyone who wants to work with this data must accept that certain obligations also accompany data processing.
In this context, the obligations can be very diverse. Explaining them all in detail would go beyond the scope of this article. In our knowledge center, you will find extensive articles and information on all the obligations imposed on companies by the GDPR.
Companies must implement technical and organizational measures that protect the data of data subjects appropriately. Which measures are required varies with the industry, the categories of data, the risk involved, and the type of processing.
It is a matter of weighing up which measures are necessary and effective to protect the collected data as well as possible. To do this, companies must maintain a record of processing activities and, where the processing is likely to result in a high risk, carry out a data protection impact assessment.
A data protection officer must be appointed, regardless of the number of employees, when the controller or processor is a public authority, when its core activities consist of regular and systematic monitoring of data subjects on a large scale, or when its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions (Art. 37 GDPR). Member-state law may add further triggers; in Germany, for example, a DPO is also required once at least 20 persons are regularly engaged in automated processing.
The basis for all organizational measures, and for a functioning data protection concept in general, is an inventory of what is being processed. The GDPR requires a record of processing activities (ROPA) for this purpose (Art. 30 GDPR).
Companies use such a record to check their activities and processes for whether personal data are collected, stored, or processed. All processes in which this is the case are listed and documented in the ROPA.
The record must contain at least the following information: the name and contact details of the controller (and, where applicable, the joint controller, the controller's representative, and the data protection officer); the purposes of the processing; the categories of data subjects and of personal data; the categories of recipients, including recipients in third countries; any transfers to third countries and the safeguards relied on; where possible, the envisaged time limits for erasing the different categories of data; and, where possible, a general description of the technical and organizational security measures.
The ROPA is not a public record, and data subjects have no right to inspect it. After all, the internal record also reflects trade secrets and confidential processes that must be protected. However, the record must be made available to the competent supervisory authority on request.
Where a processing operation is likely to result in a high risk to the rights and freedoms of data subjects because of its technology, scope, or nature, a data protection impact assessment (DPIA) must be carried out before the processing starts (Art. 35 GDPR). Typical triggers are systematic and extensive profiling, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.
A DPIA describes the planned processing, assesses whether it is necessary and proportionate to its purpose, analyzes the risks to data subjects, and documents the measures intended to address those risks. If the assessment shows that a high risk remains despite the planned measures, the controller must consult the supervisory authority before processing (Art. 36 GDPR).
If a company does not carry out the data processing itself but has it performed by an external party, a data processing agreement must always be concluded with that processor (Art. 28 GDPR). The contract must set out the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller, including how data are protected, how sub-processors may be engaged, and how data are returned or deleted at the end of the engagement.
The requirements of Art. 28(3) GDPR must be reflected in this contract, and the controller must make sure they are complied with in practice.
If a data leak or other personal data breach occurs, companies should have an incident response plan that employees know and have practiced. This ensures that the breach is contained quickly and that the requirements of the General Data Protection Regulation can be met within the deadlines.
The competent supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects (Art. 33 GDPR). If the breach is likely to result in a high risk to data subjects, the affected persons must also be informed without undue delay (Art. 34 GDPR).
Not only have the obligations for companies become more extensive, but data subjects have also gained more rights. This reflects the principle of informational self-determination: every person should be free to decide what information about themselves they disclose and what they do not.
The GDPR thus gives consumers, customers, suppliers, and employees more control over their own personal information. The opacity of the companies that collect or use this data is reduced, and their procedures become more transparent. Companies that want to work with personal information have to accommodate this.
The most important rights of data subjects include the right to be informed about the processing (Art. 13 and 14), the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to data portability (Art. 20), the right to object (Art. 21), and the right not to be subject to a decision based solely on automated processing, including profiling (Art. 22).
The GDPR applies in the EU member states and, through the EEA Agreement, in the EEA. In these countries the GDPR applies directly and takes precedence over conflicting national law. However, precedence does not mean that the GDPR replaces national data protection law entirely.
As in many regulations, the GDPR contains opening clauses that allow member states to adopt their own rules or to specify existing ones, for example for employee data or for the age of consent of children. So despite the uniform legal basis, member states can regulate individual areas further and flesh out the GDPR in national law, which is why national acts such as the German BDSG continue to exist alongside it.
It is also important to note that the GDPR is not only relevant for companies based in the EU. Its territorial scope follows the so-called marketplace principle (Art. 3(2) GDPR): a company outside the EU must comply with the GDPR whenever it offers goods or services to data subjects in the EU, whether or not payment is required, or monitors the behavior of people in the EU.
Platforms such as Google, Facebook, or other social media channels must also comply with the GDPR if they wish to monitor the behavior of EU citizens, for example, to use this data for advertising purposes.
In principle, all companies that store, process, or transfer personal data within the EU must comply with the rules of the GDPR. This means that basically every public authority and every company is affected by the regulations of the GDPR.
The GDPR does not apply to purely personal or household activities (the so-called household exemption, Art. 2(2)(c) GDPR). Private conversations, personal e-mail contacts, or chats are therefore not subject to GDPR obligations. You should be careful, however, when sharing photos of other people on public platforms: publishing to an indefinite audience can fall outside the exemption, in which case you need a legal basis for the publication, typically the consent of the persons shown.
Activities that fall outside the scope of EU law are also excluded, for example activities in the area of the common foreign and security policy. Processing by police and judicial authorities for the purposes of preventing, investigating, or prosecuting criminal offences is likewise outside the GDPR; it is governed by the separate Law Enforcement Directive (EU) 2016/680 instead. There are also separate rules for the EU institutions themselves.
The GDPR provides many measures and rules to protect personal data as well as possible. For companies this means a considerable amount of work, which is best handled with a system such as the Priverion Data Protection Platform. The starting point is the record of processing activities: before anything else, a company has to take stock of the processes in which it already handles personal data.
Beyond the effort involved, the GDPR also offers an opportunity to review existing structures in the company and make them leaner and more data-friendly. This not only reduces the risk of a data breach, and with it the risk of reputational damage and fines, but also leads to clearer and simpler workflows that can even support sales. Companies should therefore also see the GDPR as an opportunity to reform and improve their business.