The General Data Protection Regulation (GDPR) is an EU regulation that has been in effect in all member states since May 25, 2018, and regulates the protection of personal data. It was introduced to strengthen the privacy of citizens in the European Union and create a uniform legal framework for data protection. Personal data includes information that can identify a person, such as names, addresses, dates of birth, IP addresses, or health data.
The main points of the GDPR:
1. Legal bases for data processing
Companies, authorities, and other organizations may only collect and process personal data under certain conditions. This can be the case when the data subject has given their consent, the data is necessary for the fulfillment of a contract, or legal obligations must be met. All collected data may only be used for the specified purpose and stored for as long as necessary.
2. Rights of data subjects
The GDPR aims to strengthen citizens’ rights by giving them comprehensive control over their data:
- Right of access: Citizens have the right to know what data is stored about them.
- Right to rectification: Incorrect data must be corrected upon request.
- Right to erasure (right to be forgotten): Individuals can request that their data be deleted under certain circumstances.
- Right to data portability: Users can have their data transferred to another provider.
- Right to object: Citizens can object to the processing of their data, especially when used for advertising.
3. Obligations for companies
Companies must ensure that personal data is stored and processed securely. They are obligated to report data breaches within 72 hours if personal data is affected. Additionally, they must observe the principle of data security and data minimization – data should only be collected to the extent necessary.
4. Data Protection Officer
Companies that process large amounts of data, or particularly sensitive data, must appoint a Data Protection Officer. This person monitors compliance with the GDPR and serves as a contact point for data protection issues.
5. Penalties for violations
Non-compliance with the GDPR can result in high penalties. Companies face fines of up to 20 million euros or 4 percent of their global annual turnover if they violate the regulations.
6. Data transfer to third countries
A special aspect of the GDPR is data processing in third countries, i.e., outside the EU. Personal data may only be transferred to countries outside the EU if these countries offer an adequate level of data protection. This is determined by the EU Commission. Countries like Switzerland and Canada meet these criteria, while others, such as the USA, are considered problematic due to insufficient control over intelligence services and inadequate data subject rights. In the “Schrems II” ruling, the European Court of Justice declared the “Privacy Shield” data protection agreement between the EU and the USA invalid, making it more difficult to transfer data to the USA. Companies must now use alternative legal bases such as standard contractual clauses to transfer data to unsafe third countries.