The General Data Protection Regulation (EU) 2016/679 (GDPR) is the regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
The GDPR's main goal is to give individuals control over their personal data and to establish a single, clear set of rules across all EU member states. The GDPR also governs the transfer of personal data outside the EU and EEA.
The GDPR was adopted on 14 April 2016 and became enforceable on 25 May 2018. Because it is a regulation rather than a directive, it is directly binding and applicable in every member state, although it leaves individual member states some flexibility to adjust certain aspects of the regulation.
The General Data Protection Regulation applies to an organization if:
- The organization collects data from EU residents (the data controller in this context);
- The organization processes data on behalf of a data controller (the processor in this context);
- The data subject (the individual the data refers to) is based in the EU.
A change most of us as EU citizens have noticed since the GDPR took effect is that, when we visit a website, we must be notified of the data the site collects from us, usually via cookies (small tokens that hold personal details such as preferences or site settings), and we must explicitly consent to this information-gathering, usually by clicking an Agree button.
If this data is stored or transferred outside the EU and EEA, it is again our choice whether or not to agree to this.
Additionally, website owners must notify us as EU citizens in a timely way if any of our personal data held by the site has been compromised or breached.
The GDPR does not only affect your online activity, but your offline activity as well. For example, when you go to your bank to open a new account or apply for credit, the bank must ask for your permission before it processes and stores your data. Every organization that wants to hold and process your data must obtain your consent first.
There are 7 protection and accountability principles set out in Article 5(1)-(2) that must be respected:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
It is very important to keep in mind that failing to comply with the GDPR can result in large fines. Among the highest fines imposed in the EU are 50,000,000 euro to Google Inc. in France on 2019-01-21 and 35,258,708 euro to H&M Hennes & Mauritz Online Shop A.B. & Co. KG in Germany on 2020-10-01, both for insufficient legal basis for data processing.
In Romania, the top 5 highest fines have been imposed on companies in the financial and banking sector for insufficient technical and organisational measures to ensure information security, the highest being 150,000 euro (cited article: Art. 32 GDPR). The second highest fine was 130,000 euro (cited articles: Art. 25 (1) GDPR, Art. 5 (1) c) GDPR) and the third 100,000 euro (cited articles: Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR).