European Union

General Data Protection Regulation (GDPR)

Supervisory Authority

Name: European Data Protection Board (EDPB)

Address: Rue Wiertz 60, 1047 Brussels, Belgium

History

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union. It officially came into force on May 25, 2018, replacing the Data Protection Directive 95/46/EC. The GDPR was introduced to strengthen and unify data protection for individuals within the EU, reflecting advancements in technology and the growing importance of data privacy. It aims to harmonize data protection laws across Europe, enhance individual rights, and impose stricter obligations on organizations handling personal data. The GDPR represents a significant update to data protection practices and establishes a framework for global data transfers.

Scope

The GDPR applies to the processing of personal data by organizations within the EU, as well as to organizations outside the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU. Personal data is defined as any information relating to an identified or identifiable natural person. The regulation covers a wide range of data processing activities, including collection, storage, use, and dissemination of personal data. It applies to both public and private sector organizations.

Definitions

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  3. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

  4. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  5. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

  6. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Enforcement Structure

The enforcement of the GDPR is managed by national data protection authorities (DPAs) in each EU member state, working in coordination with the European Data Protection Board (EDPB). Each DPA has the authority to investigate complaints, conduct audits, and take action to ensure compliance with the GDPR. The GDPR provides for substantial financial penalties for non-compliance. Fines can reach up to €20 million or 4% of the total annual global turnover of the preceding financial year, whichever is higher. The fines are tiered based on the nature and severity of the violation, with different levels for various types of infringements. The GDPR also allows for other corrective measures, such as warnings and orders to comply.