Frequently Asked Questions About the GDPR

April.12.2021

What is the General Data Protection Regulation (GDPR)?

The GDPR is a European Union (EU) data protection law that went into effect on May 25, 2018. The GDPR unifies the EU under a single data protection regime for all member states and requires organizations to safeguard personal data and uphold the privacy rights of anyone in the EU.

Who does the GDPR apply to?

Any company or organization with an establishment or "stable arrangement" in the EU.
Companies doing business with EU residents or organizations, in particular offering goods and services to customers located in the EU.
Companies monitoring behavior of persons in the EU, as far as the behavior takes place in the EU.

What is the scope under the GDPR?

The GDPR applies to the processing of personal data (Art. 2 GDPR). Thus, only data relating to an identified or identifiable natural person is protected. Data relating to a legal entity, e.g., trade secrets or corporate confidential information, is not protected. However, the definition of personal data is very broad (for example, online identifiers and IP-addresses are personal data).

"Processing" is also defined broadly as well. Almost everything that is done with data, including collection, storage, use and transmission is covered as well as the transfer of personal data within group companies.

What are the GDPR's key principles?

The GDPR outlines seven principles for the lawful processing of personal data, including:

Lawfulness, fairness and transparency, i.e., personal data may be processed only if the data subject has given consent or if there is a legal justification allowing the data processing. In addition, the data subject needs to be informed about the processing of his or her personal data.
Purpose limitation, i.e., personal data may only be collected for specified, explicit and legitimate purposes, and companies must ensure that personal data is not used for purposes other than for what the data had been collected.
Data minimization, i.e., processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy, i.e., processing of personal data must be accurate and up to date. Companies must take all reasonable steps to ensure the personal data they hold is not incorrect or misleading as to any matter of fact.
Storage limitation, i.e., personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality (security), i.e., personal data must be processed in a manner that ensures appropriate security of the personal data.
Accountability, i.e., companies are not only responsible for complying with the GDPR but must also be able to demonstrate their compliance.

Who can issue fines, and what are the penalties?

Any member state's data protection authorities can enforce the GDPR. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. The authorities can also impose a temporary or definitive limitation including a ban on data processing.

In addition to such fines by the authorities, claims for nonmaterial damages by data subjects are on the rise.

What fines have already been imposed by European data protection authorities?

The authorities are becoming more and more active and are imposing heavy fines, for example:

€35.3m fine against a German clothing company for the alleged wrongful collection of data of a couple of hundred employees that related to their private life.
€27.8m fine against an Italian telecommunications operator for unlawful marketing activities.
€22m fine against a British airline for having insufficient technical and organizational measures to ensure information security.
€50m fine against Google for failing to inform its users transparently about the use of their personal data as well as to demonstrate valid consent for the processing of their data for advertising purposes.

The first years of GDPR enforcement have shown that the authorities focus on topics such as marketing, information obligations and on whether companies have taken sufficient technical and organizational measures.

What are the key themes of the GDPR and in-scope activities?

Determination of lawful basis of processing
Determine the territorial scope
Cross-border data transfers (in particular, after Schrems 2.0)
Identifying personal data (in particular, special categories of data)
High consent requirements under the GDPR
Cookie banners and online tracking
Sufficient observance of data subject rights
Complying with breach notification requirements
Fulfilment of data security
Engagement of service providers
Policies and organizations within a company
Keeping records, on the one hand, and timely deletion, on the other hand
Conducting internal audits and assessments

To identify (at a high level), your organization's current state of GDPR compliance, see our GDPR Readiness Assessment Tool.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Intellectual Property

Düsseldorf

See my bio

D: +49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Intellectual Property
Technology Companies Group
Copyright, Trademark & False Advertising
White Collar
Corporate
Internet of Things
Automotive Technology & Mobility
IP Licensing and Technology Transactions

vCard

See full bio

Dr. Christian Schröder Partner Cyber, Privacy & Data Innovation, Intellectual Property

Düsseldorf

Dr. Christian Schröder heads Orrick's IP/IT & Data Privacy Practice Group in Germany in Orrick’s Düsseldorf Office. Christian advises medium sized (Mittelstand) companies to large multinationals on IP, Unfair and Deceptive Trade Practices, E-Commerce, IT and Data Privacy/Data Protection.

He is listed in Germany's leading lawyer ranking magazine JUVE as frequently recommended data privacy expert and clients recommend him to JUVE for his "reliable and actionable advice". Christian and his practice are also ranked by The Legal 500 Germany and The Legal 500 EMEA as well as Germany’s business journals WiWo and Handelsblatt for being among the leading German and European IT and data privacy practices (2019 and 2020), clients referred to him and his team as "Top data privacy expert", "extremely knowledgeable", and "able to explain complex legal issues in an easily understandable way so that both legal and economic decisions can be made". Christian Schröder is recommended for his "data protection expertise and quick comprehension as well as his entrepreneurial acumen."

Christian provides IP/IT advice in M&A transactions and advises on IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues as well as on hard and software license and IT project agreements.

As a core member of Orrick's global Cyber, Privacy & Data Innovation practice, Christian has a special focus on data privacy/data protection matters. In particular, Christian advises on privacy compliance programs, a risk-based approach to privacy, on implementing databases and new software applications, in particular, cloud based solutions. He advises on IT and data privacy contracts, internal data privacy policies, binding corporate rules, user agreements on BYOD, whistleblowing schemes, e-discovery, security breaches, and intra-group data sharing on a national and international basis. Christian regularly represents market leading clients in IT and data privacy contract negotiations and regularly defends companies against unfair access to their know-how by competitors and against unfair poaching of customers and employees.

Keily Blair Partner, Cyber, Privacy & Data Innovation, Government Investigations and Enforcement Actions

London

See my bio

D: +44 20 7862 4779
M: +44 7551 127701
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Government Investigations and Enforcement Actions
Complex Litigation & Dispute Resolution
Internal Investigations

vCard

See full bio

Keily Blair Partner Cyber, Privacy & Data Innovation, Government Investigations and Enforcement Actions

London

Keily Blair heads up the Cyber, Privacy & Data Innovation practice in London. Keily works with her clients as a "strategic business partner" to navigate privacy and cyber security crises to achieve better commercial, regulatory and judicial outcomes.

Keily's litigation and enforcement background provides her a different perspective on cybersecurity and data privacy issues. She has led the response to investigations by the United Kingdom’s Information Commissioner’s Office (UK ICO), the Irish Data Protection Commission, the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Serious Fraud Office (SFO), Parliamentary Select Committees and United States (U.S.) regulators, including the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI) and the Securities and Exchange Commission (SEC). Keily has also acted as external legal counsel for privacy and financial service regulators.

On cybersecurity issues, Keily directs cybersecurity incidents and investigations across multiple jurisdictions and incident types from simple business email compromises, to enterprise-wide network intrusions and cyberattacks with national security implications. Keily has worked with national and international law enforcement and is called upon to act as external legal counsel to security and forensics firms when engaging with regulators.

In the civil arena, Keily has led on a number of high profile privacy litigation matters, including civil damages claims and collective actions following personal data breaches and privacy-related judicial reviews. She frequently counsels clients on the growing risk of privacy-related class actions and interventions by privacy advocates in the UK and the European Union.

Keily uses the insights from her litigation and enforcement practice to inform her advisory work, where she regularly advises stakeholders from legal, information security, privacy and the C-suite on a host of privacy and cybersecurity governance, risk mitigation and regulatory engagement strategies. This understanding of what matters to regulators and the courts is at the heart of her approach to privacy advisory and compliance work. According to clients Keily has the "subject matter expertise and ability to understand and interact with companies' culture and capabilities, recognising a one size fits all approach doesn't work".

She is ranked as a key practitioner in data protection, privacy and cybersecurity in The Legal 500 and has represented the private sector at the United Nations and the European Criminal Bar Association. Keily also sits on the Law360's 2020 Editorial Advisory Board on Cybersecurity & Privacy and leads the IAPP Cyber & Privacy Investigations, Enforcement & Litigation Affinity Group. She is committed to improving diversity and social mobility in the legal sector.

Prior to joining Orrick, Keily led the Contentious Data Privacy, Law & Strategy practice at PwC having been a litigator at two international law firms before this.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, IP Licensing and Technology Transactions

San Francisco

See my bio

D: +1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
IP Licensing and Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions

vCard

See full bio

Shannon Yavorsky Partner Cyber, Privacy & Data Innovation, IP Licensing and Technology Transactions

San Francisco

Shannon K. Yavorsky is a leading authority on United States (U.S.) and European data privacy and security issues. She is uniquely qualified in California, England and Wales and Ireland, bringing a deep understanding of the increasingly complex global privacy and data security regulatory landscape.

Shannon advises clients on a broad range of U.S. and European data privacy and cybersecurity issues, including emerging issues surrounding the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and the e-Privacy Directive. Shannon helps clients undertake comprehensive privacy and cybersecurity assessments worldwide, evaluates privacy and security risks in corporate transactions and drafts and negotiate data-related vendor and arrangement contracts. She also counsels clients on cross-border data transfers, data breaches and developing global privacy compliance programs. She has significant experience with model contract clauses, privacy policies, website terms and conditions, data processing agreements and privacy and security issues in corporate transactions.

In addition to the GDPR and CCPA, Shannon advises on an array of privacy and security laws and regulations, including the California Privacy Rights Act (CPRA), the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), the Electronic Communications Privacy Act (ECPA), the Fair Credit Reporting Act (FCRA), the Gramm–Leach–Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), state breach notification laws and advertising and payment card processing self-regulatory frameworks. Shannon also has an active general consumer protection practice and counsels clients on interest-based advertising, sweepstakes and marketing promotions, retail sales and e-commerce platforms.

Shannon’s clients are multinational clients across diverse industry sectors, with an emphasis on technology, financial services, retail, staffing, advertising, healthcare, and automotive.

Inga Maaske Associate, Cyber, Privacy & Data Innovation

Düsseldorf

See my bio

D: +49 2113678 7235
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation

vCard

See full bio

Inga Maaske Associate Cyber, Privacy & Data Innovation

Düsseldorf

Inga Maaske advises on data privacy, IP and IT related matters as well as on unfair trade practices law.

With a fascination for new technologies and digitalization Inga understands the practical as well as legal needs of her clients. Pursuing this passion, she focused her legal studies on information and media law as well as intellectual property law and data protection law at the renowned Institute for Information, Telecommunications, and Media Law in Münster. Prior to working at Orrick, she also has conducted scientific research in the field of smart TV and data protection and has written her Ph.D on this subject.

As a privacy advisor, Inga advises on the implementation of the General Data Protection Regulation (GDPR), global privacy compliance programs, data privacy contracts, privacy policies and employee data protection.

As an intellectual property and technology advisor, Inga advises companies on their license agreements as well as on issues in relation to trademarks and unfair and deceptive trade practices.

During her legal clerkship, Inga worked for another leading international law firm as well as for one of the three largest German media groups.

Before joining Orrick, Inga practiced in the field of data privacy and intellectual property at another international law firm, while writing her Ph.D.

Related Areas

Cyber, Privacy & Data Innovation

Markets

United Kingdom