The General Data Protection Regulation (GDPR) is a landmark regulation enacted by the European Union (EU) that governs data protection and privacy for individuals within the EU and the European Economic Area (EEA). Effective since May 25, 2018, GDPR sets strict guidelines for collecting, processing, storing, and transferring personal data, aiming to give individuals greater control over their personal information.
Details the repeal of Directive 95/46/EC and the transitional provisions for GDPR
Describes the relationship between GDPR and Directive 2002/58/EC on privacy in electronic communications
Addresses the delegated acts issued by the European Commission under GDPR
Details the implementing powers of the European Commission related to GDPR
Addresses implementing acts related to standard contractual clauses for data transfers
Defines the conditions under which implementing acts are immediately applicable
Outlines the principles of subsidiarity and proportionality in the context of GDPR implementation
Addresses the processing of personal data for journalistic, academic, artistic, or literary purposes
Establishes the principle of public access to official documents under GDPR
Provides guidelines for processing personal data within the employment context
Defines rules for processing data for archiving, research, or statistical purposes
Addresses the use of information from registries and scientific research under GDPR
Sets out rules for processing personal data for archiving purposes
Defines rules for processing personal data for scientific research purposes
Provides guidelines for processing personal data for historical research purposes
Addresses consent requirements for participating in clinical trials
Sets out rules for processing personal data for statistical purposes
Addresses the production of statistics at both European and national levels
Details professional or secrecy obligations that are equivalent to GDPR protections
Ensures GDPR compliance does not prejudice the status of churches and religious associations
Addresses legal proceedings related to data protection violations and their management
Grants individuals the right to lodge complaints with supervisory authorities regarding data protection violations
Provides the right for individuals to seek judicial remedies for violations of their data protection rights
Allows individuals to choose the venue for legal proceedings related to data protection violations
Allows data subjects to authorize not-for-profit bodies or organizations to lodge complaints on their behalf
Outlines the provisions for indemnity related to data protection violations
Defines the jurisdictional aspects for data protection legal proceedings
Establishes the framework for imposing penalties for GDPR violations
Specifies penalties related to infringements of national data protection rules
Outlines the imposition of administrative fines for GDPR non-compliance
Details the application of administrative fines specifically in Denmark and Estonia
Defines the sanctions powers of member states within the GDPR framework
Outlines the binding decisions and opinions issued by the European Data Protection Board (EDPB)
Addresses the process for joint decisions made by supervisory authorities on cross-border data processing
Defines the process for supervisory authorities to participate in joint operations for data protection enforcement
Establishes the consistency mechanism to ensure uniform application of GDPR across the EU
Details the procedure for handling urgent cases requiring immediate attention from supervisory authorities
Defines the powers and responsibilities of the lead supervisory authority in cross-border cases
Outlines the process for considering and handling complaints lodged with supervisory authorities
Describes the role and functions of the European Data Protection Board (EDPB)
Details the role and functions of the Secretariat and staff supporting the European Data Protection Board
Provides for the establishment of independent supervisory authorities in each Member State
Outlines the requirements for monitoring the performance of supervisory authorities
Addresses the organization and coordination among multiple supervisory authorities within a Member State
Defines the key features and responsibilities of supervisory authorities under GDPR
Guarantees the independence of supervisory authorities to prevent external influence on their operations
Defines the responsibilities and duties of supervisory authorities in overseeing GDPR compliance
Designates a lead supervisory authority for cross-border processing activities involving multiple Member States
Requires organizations to provide local supervisory authorities with information on data processing activities
Outlines the supervisory authorities' role in overseeing processing activities conducted in the public interest
Encourages cooperation between supervisory authorities and the European Commission to ensure consistent GDPR enforcement
Requires supervisory authorities to engage in awareness-raising activities to promote GDPR compliance
Provides for mutual assistance and provisional measures between supervisory authorities to address urgent issues
Enables supervisory authorities to take provisional measures to address immediate risks or non-compliance
Defines the tasks and powers granted to supervisory authorities for enforcing GDPR
Encourages supervisory authorities to attempt an amicable settlement of disputes before formal action
Establishes principles for transferring personal data to countries outside the EU, ensuring adequate protection
Addresses the role of international agreements in ensuring an adequate level of data protection for cross-border transfers
Requires that data transfers to countries with adequacy decisions ensure an adequate level of protection
Sets criteria for determining whether a non-EU country provides adequate data protection for international transfers
Considers international agreements when determining adequacy of data protection for cross-border transfers
Requires ongoing monitoring and review of data protection levels to ensure continued adequacy for international transfers
Provides procedures for amending, revoking, or suspending adequacy decisions if data protection levels change
Requires the implementation of appropriate safeguards for international data transfers when no adequacy decision is in place
Allows the use of Standard Contractual Clauses (SCCs) for ensuring adequate protection in international data transfers
Permits the use of Binding Corporate Rules (BCRs) for data transfers within a corporate group to ensure adequate protection
Addresses situations where third country rules conflict with GDPR requirements
Defines exceptions where international data transfers are allowed despite general restrictions
Permits data transfers based on significant public interest, even if they do not meet standard conditions
Allows transfers that are not repetitive and involve a limited number of data subjects under certain conditions
Ensures that data subjects' rights and obligations are protected even without an adequacy decision
Controllers must maintain records of all data processing activities
Controllers must implement technical and organizational measures to protect personal data
Provides guidelines on how to conduct risk assessments for data processing activities
Controllers must assess risks to the rights and freedoms of individuals when processing personal data
Controllers must assess the risks associated with their data processing activities
The GDPR defines clear responsibilities for controllers and processors
Personal data must be processed in a manner that ensures security
Controllers must notify the supervisory authority of data breaches
Controllers must report data breaches promptly, within the defined timeframe
Subcontrol (88) focuses on the requirements for the format and procedures of notifying personal data breaches. It outlines the necessary content, structure, and procedural aspects that controllers and processors must follow when reporting breaches to supervisory authorities and data subjects.
Subcontrol (86) addresses the obligations of data controllers to notify data subjects when a personal data breach occurs. This subcontrol ensures that affected individuals are informed of breaches in a manner that enables them to take necessary actions to protect themselves from potential harm.
Requires evaluation of risks to personal data and impact assessments to mitigate those risks
Removes the blanket requirement for reporting all processing activities, focusing on significant risks
Requires conducting Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk
Mandates the necessity of a DPIA for processing activities that pose high risks to data subjects
Addresses the need for comprehensive DPIAs covering broader processing activities with significant impact
Requires authorities to conduct DPIAs for their own processing activities
Requires controllers to consult with the supervisory authority if DPIAs indicate high risk
Obligates processors to assist controllers in fulfilling their GDPR obligations, including DPIAs and risk assessments
Requires consultation with the supervisory authority during the development of new legislation affecting data protection
Requires the appointment of a Data Protection Officer (DPO) for organizations engaging in significant data processing
Encourages organizations and associations to prepare codes of conduct to demonstrate compliance with GDPR
Requires consultation with stakeholders and data subjects when developing codes of conduct
Allows for certification mechanisms to demonstrate compliance with GDPR
The GDPR takes into consideration the specific challenges faced by small businesses
Controllers must ensure that processors comply with GDPR requirements
Non-EU controllers must appoint a representative within the EU to handle GDPR-related matters
The controller is responsible for ensuring GDPR compliance and is liable for violations
Controllers must conduct a DPIA when processing operations are likely to result in a high risk to individuals
Rights of data subjects may be restricted under certain conditions
The EDPB provides guidance on the proper use of profiling under GDPR
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling
Individuals can object to the processing of personal data for direct marketing purposes
Data subjects have the right to object to the processing of their personal data
Allows data subjects to request the restriction of the processing of their data under certain conditions
Allows individuals to obtain and reuse their personal data across different services
Extends the right to erasure, allowing individuals to request deletion of their data under certain circumstances
Requires that data processing be conducted in a transparent manner
Requires procedures to allow data subjects to exercise their GDPR rights
Requires controllers to provide data subjects with detailed information about data processing
Specifies when information must be provided to data subjects
Allows exceptions to the obligation to provide information to data subjects
Provides data subjects with the right to access their personal data
Requires verification of the identity of the data subject requesting access
Provides data subjects with the right to have inaccurate personal data corrected or deleted
Establishes the basic principles for data processing
Requires data processing to have a lawful basis
Processing must be based on a legal basis or specific legislation
Establishes the burden of proof for obtaining consent
Defines the conditions for freely given consent
Allows data processing when necessary for contract performance
Allows data processing to meet legal obligations
Allows processing in the vital interest of the data subject
Allows processing based on a legitimate interest that overrides the data subject’s interests
Defines legitimate interest within a corporate group
Allows processing for network and information security purposes as a legitimate interest
Further processing for purposes other than the original purpose requires specific conditions to be met
Repeals the old Data Protection Directive (95/46/EC) and establishes transitional measures for GDPR implementation
Outlines specific conditions for obtaining valid consent
Allows for more flexible consent for scientific research
Provides extra protection for processing children's data
Applies special protection for sensitive personal data categories
Allows for exceptions to the prohibition of processing special category data
Establishes specific rules for processing health-related data in the public health sector
Allows processing for public interest purposes by religious authorities
Allows political parties to process personal data relating to political opinions under strict conditions
Allows processing of additional data if needed for identification purposes
Ensures the GDPR principles are adopted into national legislation
Establishes a clear regulatory framework for personal data protection
Emphasizes that data protection is a fundamental right for individuals in the EU
Ensures that data protection respects all fundamental rights and freedoms, balancing them with other needs
Aligns data protection laws across the EU with the principles established in Directive 95/46/EC
Requires that the protection of personal data be balanced with other fundamental rights
Facilitates cooperation between EU Member States regarding personal data exchange
Mandates a high level of data protection across the EU, setting global standards
Corrects the uneven implementation of Directive 95/46/EC
Aims for a uniform level of data protection regardless of national scope
Standardizes the powers of data protection authorities (DPAs) and enforcement measures
Provides legal authorization for the GDPR from the European Parliament and Council
Acknowledges the challenges faced by smaller businesses in complying with GDPR
Clarifies that GDPR applies to natural persons, not legal entities
The GDPR is designed to be technologically neutral and adaptable to future advancements
Excludes national security and common security activities from GDPR scope
Aligns GDPR with Regulation (EC) No 45/2001, applying data protection standards to EU institutions
Exempts personal or household activities from the GDPR
Excludes activities related to criminal prosecution from GDPR scope
GDPR respects the independence of the judiciary, not applying to court activities
GDPR does not affect liability rules for intermediary service providers
Specifies that GDPR does not apply to personal data of deceased individuals
Defines the applicability of GDPR based on where processing takes place
Extends GDPR to non-EU processors targeting EU residents
Applies GDPR to non-EU processors profiling EU residents
Applies GDPR to non-EU controllers where Member State law applies by virtue of public international law
GDPR applies regardless of technology used
Special protections for processing sensitive health and social sector data
GDPR does not apply to anonymized data
Promotes pseudonymisation as a security measure
Pseudonymised data can be processed by the same controller
Regulates the use of online identifiers for profiling
Exempts public authorities from GDPR for official tasks
Defines protections for genetic data under GDPR
Protects health-related personal data under GDPR