General Data Protection Regulation (GDPR)
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in European Union law on data protection and privacy for all individuals within the EU.
The diagram above summarises the main themes of the regulation:
- The lawful bases for processing personal data are:
  - The data subject has given consent to the processing of his or her personal data;
  - Processing is necessary to fulfil a contract with the data subject;
  - Processing is necessary to comply with a legal obligation of the data controller;
  - Processing is necessary to protect the vital interests of the data subject or of another individual;
  - Processing is necessary to perform a task in the public interest or in the exercise of official authority;
  - Processing is necessary for the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
- The data subject rights include the rights of access, rectification, erasure and data portability.
- A record of the organisation's personal data processing activities must be set up and maintained.
- Scope: the regulation also applies to organisations established outside the EU if they offer goods or services to, or monitor the behaviour of, individuals located inside the EU.
- Under the accountability principle, the data controller must implement measures that meet the principles of data protection by design and by default. All processing contracts with processors (subcontractors) must include provisions that ensure compliance with the regulation. In specific cases a Data Protection Officer (DPO) must be designated to assist the controller or processor in monitoring their internal compliance.
- Data protection impact assessments (DPIAs) must be conducted before any processing that is likely to result in a high risk to the rights and freedoms of data subjects.
- Data protection should be ensured through the implementation of appropriate organisational and technical information security measures.
- All information about the processing of personal data must be provided to the data subjects. In the event of a personal data breach, the data controller is legally obliged to notify the supervisory Data Protection Authority without undue delay (where feasible, within 72 hours of becoming aware of it), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the breach is likely to result in a high risk, the affected data subjects must be informed as well.
- Sanctions include administrative measures (warnings, reprimands or a ban on processing personal data) and fines of up to EUR 10 million or 2% of worldwide annual turnover for lower-tier infringements, and up to EUR 20 million or 4% of worldwide annual turnover for higher-tier infringements, whichever amount is higher.