GDPR: Frequently Asked Questions

April.12.2021

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a European Union data protection law that unifies EU member states under a single data protection regime. It requires organizations to safeguard personal data and uphold the privacy rights of anyone in the EU or Iceland, Liechtenstein, and Norway.

Who does the GDPR apply to?

Any company or organization with an establishment or "stable arrangement" in the European Economic Area (EEA), made up of EU member states plus Iceland, Liechtenstein, and Norway.
Companies doing business with EEA residents or organizations, in particular those offering goods and services to customers there.
Companies monitoring the behavior of people in the EEA as far as the behavior takes place there.

What is the scope under the GDPR?

The GDPR applies to the processing of personal data and protects only data relating to an identified or identifiable person. The law does not protect data relating to a legal entity, e.g., trade secrets or corporate confidential information. However, the definition of personal data is very broad (for example, online identifiers and IP addresses are generally personal data as well).

"Processing" is also defined broadly. Almost everything done with data, including collection, storage, use and transmission, is covered. So is the transfer of personal data within group companies, which also covers mere access.

What are the GDPR's key principles?

The GDPR outlines seven principles for the lawful processing of personal data, including:

Lawfulness, fairness and transparency, i.e., personal data may be processed only if the data subject has given consent or if there is a legal justification. In addition, the data subject needs to be informed about the processing of his or her personal data.
Purpose limitation, i.e., personal data may only be collected for specified, explicit and legitimate purposes, and companies must ensure that personal data is not used for purposes other than for what the data had been collected.
Data minimization, i.e., processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy, i.e., processing of personal data must be accurate and up to date. Companies must take all reasonable steps to ensure the personal data they hold is not incorrect or misleading as to any matter of fact.
Storage limitation, i.e., personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality (security), i.e., personal data must be processed in a manner that ensures appropriate security of the personal data.
Accountability, i.e., companies are not only responsible for complying with the GDPR but must also be able to demonstrate their compliance.

Who can issue fines, and what are the penalties?

Any member state's data protection authority can enforce the GDPR. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. Authorities or courts can also impose a temporary or definitive limitation including a ban on data processing.

Apart from compensation of material damage, claims for nonmaterial damages by data subjects are on the rise.

What fines have already been imposed by European data protection authorities?

The authorities are becoming more and more active and are imposing heavy fines, for example:

€225m fine against an international messaging platform mainly for alleged nontransparent customer notices.
€150m fine against Google for wrongful use of cookies.
€60m fine against an international social media platform for wrongful use of cookies.
€22m fine against a British airline for having insufficient technical and organizational measures to ensure information security.
€50m fine against Google for failing to inform its users transparently about the use of their personal data as well as to demonstrate valid consent for the processing of their data for advertising purposes.

The first years of GDPR enforcement have shown that authorities focus on topics such as marketing, information obligations and on whether companies have taken sufficient technical and organizational measures.

What are the key themes of the GDPR and in-scope activities?

Determination of lawful basis of processing
Determine the territorial scope
Cross-border data transfers (in particular, after Schrems 2.0)
Identifying personal data (in particular, special categories of data)
High consent requirements under the GDPR
Cookie banners and online tracking
Sufficient observance of data subject rights
Complying with breach notification requirements
Fulfilment of data security
Engagement of service providers
Policies and organizations within a company
Keeping records, on the one hand, and timely deletion, on the other hand
Conducting internal audits and assessments

Use our GDPR Readiness Assessment Tool to identify – at a high level – your state of GDPR compliance.

This FAQ was first published in April 2021. It was updated in August 2022.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: cschroeder@orrick.com

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
White Collar
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: syavorsky@orrick.com

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.