Frequently Asked Questions About the GDPR

April.12.2021

What is the General Data Protection Regulation (GDPR)?

The GDPR is a European Union (EU) data protection law that went into effect on May 25, 2018. The GDPR unifies the EU under a single data protection regime for all member states and requires organizations to safeguard personal data and uphold the privacy rights of anyone in the EU.

Who does the GDPR apply to?

Any company or organization with an establishment or "stable arrangement" in the EU.
Companies doing business with EU residents or organizations, in particular offering goods and services to customers located in the EU.
Companies monitoring behavior of persons in the EU, as far as the behavior takes place in the EU.

What is the scope under the GDPR?

The GDPR applies to the processing of personal data (Art. 2 GDPR). Thus, only data relating to an identified or identifiable natural person is protected. Data relating to a legal entity, e.g., trade secrets or corporate confidential information, is not protected. However, the definition of personal data is very broad (for example, online identifiers and IP-addresses are personal data).

"Processing" is also defined broadly as well. Almost everything that is done with data, including collection, storage, use and transmission is covered as well as the transfer of personal data within group companies.

What are the GDPR's key principles?

The GDPR outlines seven principles for the lawful processing of personal data, including:

Lawfulness, fairness and transparency, i.e., personal data may be processed only if the data subject has given consent or if there is a legal justification allowing the data processing. In addition, the data subject needs to be informed about the processing of his or her personal data.
Purpose limitation, i.e., personal data may only be collected for specified, explicit and legitimate purposes, and companies must ensure that personal data is not used for purposes other than for what the data had been collected.
Data minimization, i.e., processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy, i.e., processing of personal data must be accurate and up to date. Companies must take all reasonable steps to ensure the personal data they hold is not incorrect or misleading as to any matter of fact.
Storage limitation, i.e., personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality (security), i.e., personal data must be processed in a manner that ensures appropriate security of the personal data.
Accountability, i.e., companies are not only responsible for complying with the GDPR but must also be able to demonstrate their compliance.

Who can issue fines, and what are the penalties?

Any member state's data protection authorities can enforce the GDPR. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. The authorities can also impose a temporary or definitive limitation including a ban on data processing.

In addition to such fines by the authorities, claims for nonmaterial damages by data subjects are on the rise.

What fines have already been imposed by European data protection authorities?

The authorities are becoming more and more active and are imposing heavy fines, for example:

€35.3m fine against a German clothing company for the alleged wrongful collection of data of a couple of hundred employees that related to their private life.
€27.8m fine against an Italian telecommunications operator for unlawful marketing activities.
€22m fine against a British airline for having insufficient technical and organizational measures to ensure information security.
€50m fine against Google for failing to inform its users transparently about the use of their personal data as well as to demonstrate valid consent for the processing of their data for advertising purposes.

The first years of GDPR enforcement have shown that the authorities focus on topics such as marketing, information obligations and on whether companies have taken sufficient technical and organizational measures.

What are the key themes of the GDPR and in-scope activities?

Determination of lawful basis of processing
Determine the territorial scope
Cross-border data transfers (in particular, after Schrems 2.0)
Identifying personal data (in particular, special categories of data)
High consent requirements under the GDPR
Cookie banners and online tracking
Sufficient observance of data subject rights
Complying with breach notification requirements
Fulfilment of data security
Engagement of service providers
Policies and organizations within a company
Keeping records, on the one hand, and timely deletion, on the other hand
Conducting internal audits and assessments

To identify (at a high level), your organization's current state of GDPR compliance, see our GDPR Readiness Assessment Tool.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, IP Licensing and Technology Transactions

Düsseldorf

See my bio

D: +49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
IP Licensing and Technology Transactions
Technology Companies Group
White Collar
Automotive Technology & Mobility

vCard

See full bio

Dr. Christian Schröder Partner Cyber, Privacy & Data Innovation, IP Licensing and Technology Transactions

Düsseldorf

Dr. Christian Schröder leads Orrick's Cyber, Privacy & Data Innovation Group in Europe and collaborates with team members in the United States (U.S.), Europe (EU), and Asia to provide support to global clients. As a technology-focused partner, Christian advises on cybersecurity and privacy regulatory compliance, incident response, regulatory investigations and enforcement, litigation and intellectual property licensing, and transactional matters.

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (3rd ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany noted that Christian is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, IP Licensing and Technology Transactions

San Francisco; London

See my bio

D: +1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
IP Licensing and Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)

vCard

See full bio

Shannon Yavorsky Partner Cyber, Privacy & Data Innovation, IP Licensing and Technology Transactions

San Francisco; London

Shannon K. Yavorsky is a leading authority on United States (U.S.) and European data privacy and security issues. She is uniquely qualified in California, England and Wales and Ireland and helps clients navigate the increasingly complex global privacy and data security regulatory landscape.

Shannon Yavorsky is the head of Orrick's global Cyber, Privacy & Data Innovation Group. Shannon advises clients on a broad range of United States (U.S.) and European data privacy and cybersecurity issues, including emerging issues surrounding the California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and the e-Privacy Directive. She helps clients undertake comprehensive privacy and cybersecurity assessments worldwide, evaluates privacy and security risks in corporate transactions and drafts and negotiate data-related vendor and arrangement contracts. She also counsels clients on cross-border data transfers, data breaches and developing global privacy compliance programs. She has significant experience with model contract clauses, privacy policies, website terms and conditions, data processing agreements and privacy and security issues in corporate transactions.

In addition to the GDPR, CPRA and CCPA, Shannon advises on an array of privacy and security laws and regulations, including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Telephone Consumer Protection Act (TCPA)
State breach notification laws
Advertising and payment card processing self-regulatory frameworks

Shannon also has an active general consumer protection practice and counsels clients on interest-based advertising, sweepstakes and marketing promotions, retail sales and e-commerce platforms. Her clients are multinational clients across diverse industry sectors, with an emphasis on technology, financial services, retail, staffing, advertising, healthcare, and automotive.

Frequently Asked Questions About the GDPR

What is the General Data Protection Regulation (GDPR)?

Who does the GDPR apply to?

What is the scope under the GDPR?

What are the GDPR's key principles?

Who can issue fines, and what are the penalties?

What fines have already been imposed by European data protection authorities?

What are the key themes of the GDPR and in-scope activities?

Also of Interest

Brexit Privacy Guide: Five Things You (Might) Have to Think About...

EDPB Tears Down Cookie Walls – Implementation of Cookies in Europe...

6 Key Things to Know about the New EDPB Guidance on International...