What does GDPR regulate?

The General Data Protection Regulation (GDPR) is an EU regulation that has been in effect in all member states since May 25, 2018, and regulates the protection of personal data. It was introduced to strengthen the privacy of citizens in the European Union and to create a uniform legal framework for data protection. Personal data includes information that can identify an individual, such as names, addresses, dates of birth, IP addresses, or health data.

The Most Important Points of GDPR

1. Legal Basis for Data Processing

Companies, authorities, and other organizations may only collect and process personal data under specific conditions. This may be the case if the data subject has given their consent, the data is necessary for the fulfillment of a contract, or legal obligations must be met. All collected data may only be used for the specified purpose and stored for as long as necessary, in accordance with GDPR.

2. Rights of Data Subjects

3. Obligations for Companies

According to GDPR, companies must ensure that personal data is securely stored and processed. They are obliged to report data breaches within 72 hours if personal data is affected. Furthermore, they must observe the principles of data security and data minimization – meaning data should only be collected to the extent necessary.

4. Data Protection Officer

Companies that process large amounts of data or particularly sensitive data must appoint a Data Protection Officer. This person monitors compliance with GDPR and serves as a contact point for data protection inquiries.

5. Penalties for Violations

Non-compliance with GDPR can result in severe penalties. Companies may face fines of up to 20 million Euros or 4 percent of their worldwide annual turnover if they violate the regulations.

GDPR: Data Transfer to Third Countries

A particular aspect of GDPR is data processing in third countries, i.e., outside the EU. Personal data may only be transferred to countries outside the EU if these countries offer an adequate level of data protection. This is determined by the EU Commission. Countries such as Switzerland and Canada meet these criteria, while others, like the USA, are considered problematic due to a lack of control over intelligence services and insufficient data subject rights. In the “Schrems II” ruling, the European Court of Justice declared the “Privacy Shield” data protection agreement between the EU and the USA invalid, which complicates data transfer to the USA. Companies must now use alternative legal bases, such as standard contractual clauses, to transfer data to insecure third countries.
