The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies both to European organisations that process personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU.
The GDPR applies if:
Non-EU based businesses processing EU citizens' data have to appoint a representative in the EU.
The GDPR does not apply if:
Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:
You may not process personal data about someone's:
During processing, personal data can pass through various different companies or organisations. Within this cycle there are two main profiles that deal with processing personal data:
The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and for informing and advising employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA), serving as a contact point towards the DPA and individuals.
Your company is required to appoint a DPO when:
For example, if you process personal data to target advertising through search engines based on people's online behaviour, you are required to have a DPO. If, however, you only send your clients promotional material once a year, then you will not need a DPO. Likewise, if you are a doctor who collects data on patients' health, a DPO is probably not needed. But if you process personal data on genetics and health for a hospital, then a DPO will be required.
The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or part of an organisation.
A data controller can only use a data processor who offers sufficient guarantees; these guarantees should be set out in a written contract between the parties involved. The contract must also contain a number of mandatory clauses, e.g. that the data processor will only process personal data when instructed to do so by the data controller.
When personal data is transferred outside the EU, the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure that one of the following measures is adhered to:
EU data protection rules mean you should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. You must ensure that you fulfil one of the following conditions to process the personal data; you:
The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.
When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.
You must clearly provide individuals with information on who is processing the personal data about them and why. The following should be included as a minimum:
In some cases, the information you provide must also state:
You should present this information in clear and plain language.
If you're collecting personal data from a child based on consent, for example using a social media account or a download account, you must get parental consent first, e.g. by sending a notification to a parent or guardian. The age until which someone is considered to be a child differs depending on where they live, but is between 13 and 16 years old.
You must ensure that individuals have the right to access their personal data, free of charge. If you receive such a request you have to:
When the processing is based on consent or a contract, the individual can also ask for you to return their personal data to them or transmit it to another company. This is known as the right to data portability. You should provide the data in a commonly used and machine-readable format.
If an individual believes that their personal data is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed without undue delay.
If you rectify, complete or delete personal data, you should notify all data recipients that the personal data you shared with them has been changed or deleted. If any personal data you shared was incorrect, you may also have to inform anyone who has seen it that this was the case (unless this is deemed to require a disproportionate effort).
An individual may also object - at any time - to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest, or for a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data.
Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data if requested by the individual.
In some circumstances, an individual can ask the data controller to erase their personal data, for example if the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to do so if:
Individuals have the right not to be subject to a decision that is based solely on automated processing. However, there are some exceptions to this rule, such as when they have given their explicit consent to the automated decision. Except where the automated decision is based on a law, your company must:
For example, if a bank automates its decision of whether or not to grant a loan to a certain individual, that individual should be informed of the automated decision and given the opportunity to contest the decision and request human intervention.
A data breach is when the personal data you are responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients or is made temporarily unavailable or is altered.
If a data breach does occur and the breach poses a risk to individual rights and freedoms, you should notify your Data Protection Authority within 72 hours after becoming aware of the breach.
Depending on whether or not the data breach poses a high risk to those affected, your company may also be required to inform all individuals affected.
If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests should be dealt with free of charge.
If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority.
Conducting a Data Protection Impact Assessment (DPIA) is mandatory whenever the intended processing would pose a high risk to the rights and freedoms of individuals, e.g. when new technologies are used.
There is such a high risk when:
Note: Data Protection Authorities may also consider other categories of data processing as high risk.
If the measures indicated in the DPIA fail to remove all the identified high risks, the Data Protection Authority must be consulted before the intended data processing takes place.
You must be able to prove that your company acts in accordance with the GDPR and fulfils all applicable obligations — particularly upon request or inspection from the Data Protection Authority.
One way to do this is to keep detailed records on such things as the:
Your company should also keep — and regularly update — written procedures and guidelines and make them known to your employees.
If your company is an SME or smaller, you do not need to keep records of your processing activities as long as they:
Data protection by design means that your company should take data protection into account at the early stages of planning a new way of processing personal data. In accordance with this principle, a data controller must take all necessary technical and organisational steps to implement the data protection principles and protect the rights of individuals. These steps could include, for example, using pseudonymisation.
Data protection by default means that your company should always make the most privacy friendly setting the default setting. For example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting.
Failure to comply with the GDPR may result in significant fines of up to EUR 20 million or 4% of your company's global turnover for certain breaches. The Data Protection Authority may impose additional corrective measures, such as ordering you to stop processing personal data.