General Data Protection Regulation | Enea Romania



General Data Protection Regulation


What is the General Data Protection Regulation, also known as GDPR?

The General Data Protection Regulation (EU) 2016/679 (GDPR) is the regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

The GDPR’s main goal is to give individuals control over their personal data and to establish and unify these rules across all EU member states. GDPR also addresses the transfer of personal data outside the EU and EEA.

GDPR was adopted on 14 April 2016, and became enforceable on 25 May 2018. Because GDPR is a regulation, not a directive, it is directly binding and applicable, but does provide a certain level of flexibility for various aspects of the regulation to be adjusted by individual member states.

How do I know if GDPR applies to my organization?

The General Data Protection Regulation applies to an organization if:

– The organization collects data from EU residents – also known as the data controller in this context;

– The organization processes data on behalf of a data controller – also known as the processor in this context;

– The data subject (person) is based in the EU.

I am an EU citizen. How does this affect me?

A change most of us as EU citizens have noticed since GDPR became active is that when we visit a website, we must be notified of the data the site collects from us, usually via cookies (small tokens which hold personal details such as preferences or site settings), and we must explicitly consent to this information gathering, usually by clicking an Agree button.

If this data is being placed or transferred outside the EU and EEA, it is once again our choice whether to agree to this or not.

Additionally, website owners must also notify us as EU citizens in a timely way if any of our personal data held by the site has been compromised or breached.

Moreover, the GDPR impacts not only your online activity but your offline activity as well. For example, when you go to your bank to open a new account or apply for credit, they need to ask for your permission first, before they process and store your data. Every organization that requests to hold and process your data needs to have your consent first.

Data protection principles

There are 7 protection and accountability principles mentioned in Article 5.1-2 that must be respected:

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Imposed fines and penalties

It is very important to keep in mind that not respecting the GDPR can result in large fines. Among the highest fines applied in the EU are 50,000,000 euro to Google Inc. in France on 2019-01-21 and 35,258,708 euro to H&M Hennes & Mauritz Online Shop A.B. & Co. KG in Germany on 2020-10-01, both for insufficient legal basis for data processing.

In Romania, the top 5 highest fines have been applied to companies from the financial and banking sector for insufficient technical and organisational measures to ensure information security. The highest fine was 150,000 euro (quoted article – Art. 32 GDPR), the second highest was 130,000 euro (quoted articles – Art. 25 (1) GDPR, Art. 5 (1) c) GDPR) and the third was 100,000 euro (quoted articles – Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR).

Stay safe!
