The General Data Protection Regulation (GDPR) is a globally recognized and stringent law for privacy and security. Enforced by the European Union (EU), it ensures the protection of personal information and imposes strict regulations on organizations processing data of EU citizens. The GDPR's comprehensive framework includes substantial fines, with penalties reaching up to tens of millions of euros.
GDPR Controller vs Processor
Within the GDPR, it is essential to understand the roles of "controller" and "processor":
- Controller: A controller, typically a business entity, is responsible for determining the purpose and means of processing personal data and making decisions related to processing activities.
- Processor: A processor, usually another business entity, is responsible for processing personal data on behalf of the controller.
The term "data subject" refers to individuals whose personal data is processed, including their name, personal identification numbers, address, email, genetic and mental health data, and cultural or social identity.
For detailed definitions, refer to Gdpr.eu Chapter 3 and Chapter 4.
GDPR Overview
The foundation of GDPR lies in the European Convention on Human Rights of 1950, which established safeguards for personal privacy. In 1995, the EU introduced the European Data Protection Directive to ensure minimum security and privacy standards. Recognizing the need for a comprehensive approach to data protection, the EU embarked on updating the directive, resulting in the GDPR.
As of May 25, 2018, all organizations must comply with the GDPR.
Who Needs to Comply with GDPR
According to Article 3 of the GDPR:
- The GDPR applies to controllers and processors involved in processing personal data of EU citizens, regardless of whether the processing occurs within the EU.
- If personal data processing is related to the exchange of goods and services or the monitoring of individuals' behavior within the EU, the GDPR covers controllers and processors, even if they are not based within the EU, as long as Member State law applies.
GDPR Rights of the Data Subject
Chapter 3 of the GDPR (Art. 12-23) outlines the rights of data subjects:
- Transparent information, communication, and modalities for exercising data subject rights (Art. 12)
- Information to be provided when personal data is collected from the data subject (Art. 13)
- Information to be provided when personal data is not obtained from the data subject (Art. 14)
- Right of access by the data subject (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure ("right to be forgotten") (Art. 17)
- Right to restriction of processing (Art. 18)
- Notification obligation regarding rectification, erasure, or restriction of processing (Art. 19)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Automated individual decision-making, including profiling (Art. 22)
- Restrictions on data subject rights (Art. 23)
Breakdown of GDPR Chapters
The GDPR consists of 11 chapters, each containing a range of articles:
- Chapter 1 (Art. 1-4): General provisions
- Chapter 2 (Art. 5-11): Principles
- Chapter 3 (Art. 12-23): Rights of the data subject
- Chapter 4 (Art. 24-43): Controller and processor
- Chapter 5 (Art. 44-50): Transfers of personal data to third countries or international organizations
- Chapter 6 (Art. 51-59): Independent supervisory authorities
- Chapter 7 (Art. 60-76): Cooperation and consistency
- Chapter 8 (Art. 77-84): Remedies, liability, and penalties
- Chapter 9 (Art. 85-91): Provisions relating to specific processing situations
The GDPR sets a high standard for privacy and data protection, ensuring the rights of individuals in the European Union. The GDPR establishes a robust framework for organizations to handle personal data responsibly. Compliance with the GDPR is essential for organizations processing the personal information of EU citizens, regardless of their location, fostering trust and privacy in the digital age.
Content found within this document is based on Carbide’s understanding of and the information provided by the official website and documentation of the GDPR