What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a European Union data protection law that unifies EU member states under a single data protection regime. It requires organizations to safeguard personal data and uphold the privacy rights of anyone in the EU or Iceland, Liechtenstein, and Norway.
Who does the GDPR apply to?
- Any company or organization with an establishment or "stable arrangement" in the European Economic Area (EEA), made up of EU member states plus Iceland, Liechtenstein, and Norway.
- Companies doing business with EEA residents or organizations, in particular those offering goods and services to customers there.
- Companies monitoring the behavior of people in the EEA as far as the behavior takes place there.
What is the scope under the GDPR?
The GDPR applies to the processing of personal data and protects only data relating to an identified or identifiable person. The law does not protect data relating to a legal entity, e.g., trade secrets or corporate confidential information. However, the definition of personal data is very broad (for example, online identifiers and IP addresses are generally personal data as well).
"Processing" is also defined broadly. Almost everything done with data, including collection, storage, use and transmission, is covered. So is the transfer of personal data within group companies, which also covers mere access.
What are the GDPR's key principles?
The GDPR outlines seven principles for the lawful processing of personal data, including:
- Lawfulness, fairness and transparency, i.e., personal data may be processed only if the data subject has given consent or if there is a legal justification. In addition, the data subject needs to be informed about the processing of his or her personal data.
- Purpose limitation, i.e., personal data may only be collected for specified, explicit and legitimate purposes, and companies must ensure that personal data is not used for purposes other than for what the data had been collected.
- Data minimization, i.e., processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy, i.e., processing of personal data must be accurate and up to date. Companies must take all reasonable steps to ensure the personal data they hold is not incorrect or misleading as to any matter of fact.
- Storage limitation, i.e., personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality (security), i.e., personal data must be processed in a manner that ensures appropriate security of the personal data.
- Accountability, i.e., companies are not only responsible for complying with the GDPR but must also be able to demonstrate their compliance.
Who can issue fines, and what are the penalties?
Any member state's data protection authority can enforce the GDPR. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. Authorities or courts can also impose a temporary or definitive limitation including a ban on data processing.
Apart from compensation of material damage, claims for nonmaterial damages by data subjects are on the rise.
What fines have already been imposed by European data protection authorities?
The authorities are becoming more and more active and are imposing heavy fines, for example:
- €225m fine against an international messaging platform mainly for alleged nontransparent customer notices.
- €150m fine against Google for wrongful use of cookies.
- €60m fine against an international social media platform for wrongful use of cookies.
- €22m fine against a British airline for having insufficient technical and organizational measures to ensure information security.
- €50m fine against Google for failing to inform its users transparently about the use of their personal data as well as to demonstrate valid consent for the processing of their data for advertising purposes.
The first years of GDPR enforcement have shown that authorities focus on topics such as marketing, information obligations and on whether companies have taken sufficient technical and organizational measures.
What are the key themes of the GDPR and in-scope activities?
- Determination of lawful basis of processing
- Determine the territorial scope
- Cross-border data transfers (in particular, after Schrems 2.0)
- Identifying personal data (in particular, special categories of data)
- High consent requirements under the GDPR
- Cookie banners and online tracking
- Sufficient observance of data subject rights
- Complying with breach notification requirements
- Fulfilment of data security
- Engagement of service providers
- Policies and organizations within a company
- Keeping records, on the one hand, and timely deletion, on the other hand
- Conducting internal audits and assessments
Use our GDPR Readiness Assessment Tool to identify – at a high level – your state of GDPR compliance.
This FAQ was first published in April 2021. It was updated in August 2022.