GDPR

The General Data Protection Regulation (GDPR) is a landmark regulation enacted by the European Union (EU) that governs data protection and privacy for individuals within the EU and the European Economic Area (EEA). Effective since May 25, 2018, GDPR sets strict guidelines for collecting, processing, storing, and transferring personal data, aiming to give individuals greater control over their personal information.

Controls (the numbers in parentheses are GDPR recital numbers; the list is not in numerical order):

  • (171) Repeal of Directive 95/46/EC and transitional provisions

    Details the repeal of Directive 95/46/EC and the transitional provisions for GDPR

  • (173) Relationship to Directive 2002/58/EC

    Describes the relationship between GDPR and Directive 2002/58/EC on privacy in electronic communications

  • (166) Delegated acts of the Commission

    Addresses the delegated acts issued by the European Commission under GDPR

  • (167) Implementing powers of the Commission

    Details the implementing powers of the European Commission related to GDPR

  • (168) Implementing acts on standard contractual clauses

    Addresses implementing acts related to standard contractual clauses for data transfers

  • (169) Immediately applicable implementing acts

    Defines the conditions under which implementing acts are immediately applicable

  • (170) Principle of subsidiarity and principle of proportionality

    Outlines the principles of subsidiarity and proportionality in the context of GDPR implementation

  • (153) Processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression

    Addresses the processing of personal data for journalistic, academic, artistic, or literary purposes

  • (154) Principle of public access to official documents

    Allows the principle of public access to official documents to be taken into account when applying GDPR

  • (155) Processing in the employment context

    Provides guidelines for processing personal data within the employment context

  • (156) Processing for archiving, scientific or historical research or statistical purposes

    Defines rules for processing data for archiving, research, or statistical purposes

  • (157) Information from registries and scientific research

    Addresses the use of information from registries and scientific research under GDPR

  • (158) Processing for archiving purposes

    Sets out rules for processing personal data for archiving purposes

  • (159) Processing for scientific research purposes

    Defines rules for processing personal data for scientific research purposes

  • (160) Processing for historical research purposes

    Provides guidelines for processing personal data for historical research purposes

  • (161) Consenting to the participation in clinical trials

    Addresses consent requirements for participating in clinical trials

  • (162) Processing for statistical purposes

    Sets out rules for processing personal data for statistical purposes

  • (163) Production of European and national statistics

    Addresses the production of statistics at both European and national levels

  • (164) Professional or other equivalent secrecy obligations

    Allows Member States to reconcile the investigative powers of supervisory authorities with professional or other equivalent secrecy obligations

  • (165) No prejudice of the status of churches and religious associations

    Ensures GDPR compliance does not prejudice the status of churches and religious associations

  • (144) Related proceedings

    Lets a court seised of an action suspend proceedings or decline jurisdiction where related proceedings against the same controller or processor are pending before a court in another Member State

  • (141) Right to lodge a complaint

    Grants individuals the right to lodge complaints with supervisory authorities regarding data protection violations

  • (143) Judicial remedies

    Provides the right for individuals to seek judicial remedies for violations of their data protection rights

  • (145) Choice of venue

    Lets a data subject bring proceedings against a controller or processor either before the courts of the Member State where the controller or processor has an establishment or before the courts of the Member State where the data subject habitually resides

  • (142) The right of data subjects to mandate a not-for-profit body, organisation or association

    Allows data subjects to authorize not-for-profit bodies or organizations to lodge complaints on their behalf

  • (146) Indemnity

    Requires controllers and processors to compensate any damage a person suffers from processing that infringes GDPR; where several controllers or processors are involved in the same processing, each may be held liable for the entire damage

  • (147) Jurisdiction

    Defines the jurisdictional aspects for data protection legal proceedings

  • (148) Penalties

    Establishes the framework for imposing penalties for GDPR violations

  • (149) Penalties for infringements of national rules

    Allows Member States to lay down criminal penalties for infringements of GDPR and of national rules adopted under it, subject to the ne bis in idem principle (no double punishment for the same infringement)

  • (150) Administrative fines

    Outlines the imposition of administrative fines for GDPR non-compliance

  • (151) Administrative fines in Denmark and Estonia

    Accommodates the legal systems of Denmark and Estonia, which do not allow administrative fines as set out in GDPR: in Denmark the fine is imposed by the competent national courts as a criminal penalty, in Estonia by the supervisory authority in a misdemeanour procedure

  • (152) Power of sanction of the Member States

    Defines the sanctions powers of member states within the GDPR framework

  • (136) Binding decisions and opinions of the Board

    Outlines the binding decisions and opinions issued by the European Data Protection Board (EDPB)

  • (126) Joint decisions

    Addresses the process for joint decisions made by supervisory authorities on cross-border data processing

  • (134) Participation in joint operations

    Defines the process for supervisory authorities to participate in joint operations for data protection enforcement

  • (135) Consistency mechanism

    Establishes the consistency mechanism to ensure uniform application of GDPR across the EU

  • (138) Urgency procedure

    Details the procedure for handling urgent cases requiring immediate attention from supervisory authorities

  • (125) Competences of the lead authority

    Defines the powers and responsibilities of the lead supervisory authority in cross-border cases

  • (130) Consideration of the authority with which the complaint has been lodged

    Outlines the process for considering and handling complaints lodged with supervisory authorities

  • (139) European Data Protection Board

    Describes the role and functions of the European Data Protection Board (EDPB)

  • (140) Secretariat and staff of the Board

    Details the role and functions of the Secretariat and staff supporting the European Data Protection Board

  • (117) Establishment of supervisory authorities

    Provides for the establishment of independent supervisory authorities in each Member State

  • (118) Monitoring of the supervisory authorities

    Clarifies that the independence of supervisory authorities does not exclude control or monitoring of their financial expenditure, or judicial review of their decisions

  • (119) Organization of several supervisory authorities of a Member State

    Addresses the organization and coordination among multiple supervisory authorities within a Member State

  • (120) Features of supervisory authorities

    Defines the key features and responsibilities of supervisory authorities under GDPR

  • (121) Independence of the supervisory authorities

    Guarantees the independence of supervisory authorities to prevent external influence on their operations

  • (122) Responsibility of the supervisory authorities

    Defines the responsibilities and duties of supervisory authorities in overseeing GDPR compliance

  • (124) Lead authority regarding processing in several Member States

    Designates a lead supervisory authority for cross-border processing activities involving multiple Member States

  • (127) Information of the supervisory authority regarding local processing

    Allows a supervisory authority that is not the lead authority to handle purely local cases, where the processing concerns only an establishment and data subjects in its own Member State, while informing the lead authority without delay

  • (128) Responsibility regarding processing in the public interest

    Excludes processing carried out by public authorities or by private bodies in the public interest from the lead-authority (one-stop-shop) mechanism; only the supervisory authority of the Member State where that body is established is competent

  • (123) Cooperation of the supervisory authorities with each other and with the Commission

    Encourages cooperation between supervisory authorities and the European Commission to ensure consistent GDPR enforcement

  • (132) Awareness-raising activities and specific measures

    Requires supervisory authorities to engage in awareness-raising activities to promote GDPR compliance

  • (133) Mutual assistance and provisional measures

    Provides for mutual assistance and provisional measures between supervisory authorities to address urgent issues

  • (137) Provisional measures

    Enables supervisory authorities to take provisional measures to address immediate risks or non-compliance

  • (129) Tasks and powers of the supervisory authorities

    Defines the tasks and powers granted to supervisory authorities for enforcing GDPR

  • (131) Attempt of an amicable settlement

    Encourages supervisory authorities to attempt an amicable settlement of disputes before formal action

  • (101) General Principles for International Data Transfers

    Establishes principles for transferring personal data to countries outside the EU, ensuring adequate protection

  • (102) International Agreements for an Appropriate Level of Data Protection

    Addresses the role of international agreements in ensuring an adequate level of data protection for cross-border transfers

  • (103) Appropriate Level of Data Protection Based on an Adequacy Decision

    Requires that data transfers to countries with adequacy decisions ensure an adequate level of protection

  • (104) Criteria for an Adequacy Decision

    Sets criteria for determining whether a non-EU country provides adequate data protection for international transfers

  • (105) Consideration of International Agreements for an Adequacy Decision

    Considers international agreements when determining adequacy of data protection for cross-border transfers

  • (106) Monitoring and periodic review of the level of data protection

    Requires ongoing monitoring and review of data protection levels to ensure continued adequacy for international transfers

  • (107) Amendment, Revocation and Suspension of Adequacy Decisions

    Provides procedures for amending, revoking, or suspending adequacy decisions if data protection levels change

  • (108) Appropriate Safeguards

    Requires the implementation of appropriate safeguards for international data transfers when no adequacy decision is in place

  • (109) Standard Data Protection Clauses

    Allows the use of Standard Contractual Clauses (SCCs) for ensuring adequate protection in international data transfers

  • (110) Binding Corporate Rules

    Permits the use of Binding Corporate Rules (BCRs) for data transfers within a corporate group to ensure adequate protection

  • (115) Rules in Third Countries Contrary to the Regulation

    Addresses third-country laws that purport to regulate processing by persons under Member State jurisdiction; transfers required by such laws are permitted only where the conditions for transfers laid down in GDPR are met

  • (111) Exceptions for Certain Cases of international Transfers

    Defines exceptions where international data transfers are allowed despite general restrictions

  • (112) Data Transfers due to Important Reasons of Public Interest

    Permits data transfers based on significant public interest, even if they do not meet standard conditions

  • (113) Transfers Qualified as not Repetitive and that only Concern a Limited Number of data Subjects

    Allows transfers that are not repetitive and involve a limited number of data subjects under certain conditions

  • (114) Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision

    Ensures that data subjects' rights and obligations are protected even without an adequacy decision

  • (82) Record of Processing Activities

    Controllers and processors must maintain records of the processing activities under their responsibility and make them available to the supervisory authority on request

  • (78) Appropriate Technical and Organisational Measures

    Controllers must implement technical and organizational measures to protect personal data

  • (77) Risk Assessment Guidelines

    Provides guidelines on how to conduct risk assessments for data processing activities

  • (75) Risks to the rights and freedoms of natural persons

    Controllers must assess risks to the rights and freedoms of individuals when processing personal data

  • (76) Risk Assessment

    Controllers must assess the risks associated with their data processing activities

  • (79) Allocation of the Responsibilities

    The GDPR defines clear responsibilities for controllers and processors

  • (83) Security of Processing

    Personal data must be processed in a manner that ensures security

  • (85) Notification Obligation of Breaches to the Supervisory Authority

    Controllers must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a later notification must state the reasons for the delay

  • (87) Promptness of Reporting / Notification

    Controllers must have technical and organisational measures in place to establish immediately whether a breach has taken place, so that the supervisory authority and data subjects can be informed promptly; whether a notification was made without undue delay is judged by the nature and gravity of the breach

  • (88) Format and Procedures of the Notification

    Sets out the format and procedures for breach notifications, taking into account the circumstances of the breach, including whether the affected data was protected by technical measures such as encryption that limit the likelihood of misuse, and the legitimate interests of law enforcement where early disclosure could hamper an investigation

  • (86) Notification of Data Subjects in case of Data Breaches

    Requires controllers to inform affected data subjects without undue delay when a breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach and recommending measures to mitigate its effects; the communication is made as soon as reasonably feasible, in close cooperation with the supervisory authority and respecting guidance from law enforcement

  • (84) Risk Evaluation and Impact Assessment

    Requires evaluation of risks to personal data and impact assessments to mitigate those risks

  • (89) Elimination of the general reporting requirement

    Removes the blanket requirement for reporting all processing activities, focusing on significant risks

  • (90) Data Protection Impact Assessment

    Requires conducting Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk

  • (91) Necessity of a Data Protection Impact Assessment

    Mandates the necessity of a DPIA for processing activities that pose high risks to data subjects

  • (92) Broader Data Protection Impact Assessment

    Addresses the need for comprehensive DPIAs covering broader processing activities with significant impact

  • (93) Data Protection Impact Assessment at Authorities

    Allows Member States to carry out a DPIA in the context of adopting national law that provides the basis for processing by public authorities, rather than requiring each authority to repeat it

  • (94) Consultation of the Supervisory Authority

    Requires controllers to consult the supervisory authority before processing where a DPIA indicates a high risk that the controller cannot mitigate by reasonable measures

  • (95) Support by the Processor

    Obligates processors to assist controllers in fulfilling their GDPR obligations, including DPIAs and risk assessments

  • (96) Consultation of the Supervisory Authority in the Course of a Legislative Process

    Requires consultation with the supervisory authority during the development of new legislation affecting data protection

  • (97) Data Protection Officer

    Requires the appointment of a Data Protection Officer (DPO) by public authorities, and by controllers or processors whose core activities involve regular and systematic large-scale monitoring of data subjects or large-scale processing of special categories of data

  • (98) Preparation of codes of conduct by organisations and associations

    Encourages organizations and associations to prepare codes of conduct to demonstrate compliance with GDPR

  • (99) Consultation of stakeholders and data subjects in the development of codes of conduct

    Requires consultation with stakeholders and data subjects when developing codes of conduct

  • (100) Certification

    Allows for certification mechanisms to demonstrate compliance with GDPR

  • (13) Taking account of micro, small and medium-sized enterprises

    The GDPR takes into consideration the specific challenges faced by small businesses

  • (81) The Use of Processors

    Controllers must use only processors that provide sufficient guarantees of expertise, reliability and resources to implement appropriate measures, and must govern the processing by a contract or other binding legal act

  • (80) Designation of a Representative

    Controllers or processors not established in the EU but subject to GDPR must designate a representative in the EU, unless the processing is occasional and low-risk or the controller is a public authority

  • (74) Responsibility and Liability of the Controller

    The controller is responsible for ensuring GDPR compliance and is liable for violations

  • (73) Restrictions of Rights and Principles

    Rights of data subjects may be restricted under certain conditions

  • (72) Guidance of the European Data Protection Board regarding profiling

    The EDPB provides guidance on the proper use of profiling under GDPR

  • (71) Profiling

    Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling

  • (70) Right to Object to Direct Marketing

    Individuals can object to the processing of personal data for direct marketing purposes

  • (69) Right to Object

    Data subjects have the right to object to the processing of their personal data

  • (67) Restriction of Processing

    Allows data subjects to request the restriction of the processing of their data under certain conditions

  • (68) Right of Data Portability

    Allows individuals to obtain and reuse their personal data across different services

  • (66) Right to be forgotten

    Strengthens the right to erasure in the online environment: a controller that has made personal data public and is obliged to erase it must inform other controllers processing that data so that links to, copies or replications of it are erased

  • (58) The Principle of Transparency

    Requires that data processing be conducted in a transparent manner

  • (59) Procedures for the Exercise of the Rights of the Data Subjects

    Requires procedures to allow data subjects to exercise their GDPR rights

  • (60) Information Obligation

    Requires controllers to provide data subjects with detailed information about data processing

  • (61) Time Of Information

    Specifies when information must be provided to data subjects

  • (62) Exceptions to the Obligation to Provide Information

    Allows exceptions to the obligation to provide information to data subjects

  • (63) Right Of Access

    Provides data subjects with the right to access their personal data

  • (64) Identity Verification

    Requires verification of the identity of the data subject requesting access

  • (65) Right of rectification and erasure

    Provides data subjects with the right to have inaccurate personal data corrected or deleted

  • (39) Principles of Data Processing

    Establishes the basic principles for data processing

  • (40) Lawfulness of Data Processing

    Requires data processing to have a lawful basis

  • (41) Legal basis or legislative measures

    Processing must be based on a legal basis or specific legislation

  • (42) Burden of Proof and Requirements for Consent

    Establishes the burden of proof for obtaining consent

  • (43) Freely Given Consent

    Defines the conditions for freely given consent

  • (44) Performance of a Contract

    Allows data processing when necessary for contract performance

  • (45) Fulfilment of Legal Obligations

    Allows data processing to meet legal obligations

  • (46) Vital Interests of the Data Subject

    Allows processing in the vital interest of the data subject

  • (47) Overriding Legitimate Interest

    Allows processing based on the legitimate interests of the controller or a third party, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject, taking the data subject's reasonable expectations into account

  • (48) Overriding Legitimate Interest within Group of Undertakings

    Defines legitimate interest within a corporate group

  • (49) Network and Information Security as Overriding Legitimate Interest

    Allows processing for network and information security purposes as a legitimate interest

  • (50) Further processing of personal data

    Further processing for purposes other than the original purpose requires specific conditions to be met

  • (32) Conditions for Consent

    Outlines specific conditions for obtaining valid consent

  • (33) Consent to Certain Areas of Scientific Research

    Allows for more flexible consent for scientific research

  • (38) Special Protection of Children's Personal Data

    Provides extra protection for processing children's data

  • (51) Protecting Sensitive Personal Data

    Applies special protection for sensitive personal data categories

  • (52) Exceptions to the Prohibition on Processing Special Categories of Personal Data

    Allows for exceptions to the prohibition of processing special category data

  • (54) Processing of Sensitive Data in Public Health Sector

    Establishes specific rules for processing health-related data in the public health sector

  • (55) Public interest in processing by official authorities for objectives of recognized religious communities

    Treats processing by official authorities for the objectives of constitutionally or internationally recognised religious associations as carried out on grounds of public interest

  • (56) Processing personal data on people’s political opinions by parties

    Allows political parties to process personal data relating to political opinions under strict conditions

  • (57) Additional Data for Identification Purposes

    Allows processing of additional data if needed for identification purposes

  • (8) Adoption into national law

    Allows Member States to incorporate elements of the Regulation into national law where needed for coherence and comprehensibility, even though the Regulation applies directly

  • (7) Framework Based on Control and Certainty

    Establishes a clear regulatory framework for personal data protection

  • (1) Data Protection as a Fundamental Right

    Emphasizes that data protection is a fundamental right for individuals in the EU

  • (2) Respect of Fundamental Rights & Freedoms

    Ensures that data protection respects all fundamental rights and freedoms, balancing them with other needs

  • (3) Directive 95/46/EC harmonisation

    Aligns data protection laws across the EU with the principles established in Directive 95/46/EC

  • (4) Data Protection in Balance with Other Fundamental Rights

    Requires that the protection of personal data be balanced with other fundamental rights

  • (5) Cooperation between Member States to exchange personal data

    Facilitates cooperation between EU Member States regarding personal data exchange

  • (6) Ensuring a High level of Data Protection

    Mandates a high level of data protection across the EU, setting global standards

  • (9) Different standards of protection by the Directive 95/46/EC

    Corrects the uneven implementation of Directive 95/46/EC

  • (10) Harmonised level of data protection despite national scope

    Aims for a uniform level of data protection regardless of national scope

  • (11) Harmonisation of the powers and sanctions

    Standardizes the powers of data protection authorities (DPAs) and enforcement measures

  • (12) Authorization of the European Parliament and the Council

    Provides legal authorization for the GDPR from the European Parliament and Council

  • (14) Not applicable to legal persons

    Clarifies that GDPR applies to natural persons, not legal entities

  • (15) Technology neutrality

    The GDPR is designed to be technologically neutral and adaptable to future advancements

  • (16) Not applicable to activities regarding national and common security

    Excludes activities outside the scope of Union law, such as national security, and activities under the EU's common foreign and security policy

  • (17) Adaptation of Regulation (EC) No 45/2001

    Aligns GDPR with Regulation (EC) No 45/2001, applying data protection standards to EU institutions

  • (18) Not applicable to personal or household activities

    Exempts personal or household activities from the GDPR

  • (19) Not applicable to criminal prosecution

    Excludes processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences, which is governed by Directive (EU) 2016/680

  • (20) Respecting the independence of the judiciary

    GDPR applies to courts and other judicial authorities, but supervisory authorities are not competent to supervise courts acting in their judicial capacity, safeguarding the independence of the judiciary

  • (21) Liability rules of intermediary service providers shall remain unaffected

    GDPR does not affect liability rules for intermediary service providers

  • (27) Not applicable to data of deceased persons

    Specifies that GDPR does not apply to personal data of deceased individuals

  • (22) Processing by an Establishment

    Applies GDPR to processing carried out in the context of the activities of an establishment in the EU, whether or not the processing itself takes place in the EU

  • (23) Applicable to Processors not Established in the Union if Data Subjects within the Union are Targeted

    Extends GDPR to controllers or processors not established in the EU that offer goods or services to data subjects in the EU, whether or not payment is required; mere accessibility of a website is not enough, but factors such as the language or currency used may indicate targeting

  • (24) Applicable to Processors not Established in the Union if Data Subjects within the Union are Profiled

    Applies GDPR to controllers or processors not established in the EU that monitor the behaviour of data subjects in the EU, such as tracking individuals online to profile them

  • (25) Applicable to Processors Due to International Law

    Applies GDPR where Member State law applies by virtue of public international law, for example processing in a Member State's diplomatic mission or consular post

  • (37) Enterprise group

    Defines a group of undertakings as a controlling undertaking and its controlled undertakings, where control stems from ownership, financial participation or the rules governing the undertaking

  • (53) Processing of Sensitive Data in Health and Social Sector

    Special protections for processing sensitive health and social sector data

  • (26) Not applicable to anonymous data

    GDPR does not apply to anonymised data, i.e. data that does not relate to an identifiable person; pseudonymised data that could be attributed to a person by using additional information remains personal data

  • (28) Introduction of pseudonymisation

    Promotes pseudonymisation as a measure that reduces the risks to data subjects and helps controllers and processors meet their data protection obligations

  • (29) Pseudonymisation at the same controller

    Allows pseudonymised data to be processed by the same controller, provided the additional information needed for attribution is kept separately and the controller's technical and organisational measures enforce that separation and restrict re-identification to authorised persons

  • (30) Online identifiers for profiling and identification

    Online identifiers such as IP addresses, cookie identifiers and RFID tags may, when combined with other information, identify natural persons and therefore count as personal data

  • (31) Not applicable to public authorities in connection with their official tasks

    Public authorities to which personal data are disclosed under a legal obligation for a particular inquiry in the general interest are not regarded as recipients; the disclosure and the authorities' own processing must still comply with the applicable data protection rules

  • (34) Genetic data

    Defines genetic data as personal data relating to a person's inherited or acquired genetic characteristics obtained from the analysis of a biological sample

  • (35) Health data

    Defines health data as personal data relating to a person's physical or mental health, including information on health care services and on past, current or future health status

  • (36) Determination of the main establishment

    Places a controller's main establishment where its central administration in the EU is located, unless decisions on the purposes and means of processing are taken in another EU establishment; for a processor, its central administration or the establishment where the main processing takes place
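The separation that the pseudonymisation controls (26), (28) and (29) call for, as an added example that is not part of the original page or of any GDPR text: the direct identifier in each record is replaced by a keyed HMAC-SHA256 token, and the key is the "additional information" that allows re-identification, held apart from the pseudonymised data set. The same search over an unkeyed hash shows why a plain hash of an identifier is not adequate pseudonymisation. The records, the candidate list, the field names and the key are all constructed for illustration.

```python
"""
Added example (not from the page or from the GDPR text): minimal keyed
pseudonymisation of a record set, with re-identification possible only
for the party holding the key.  All names, records and the key below are
hypothetical.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

IDENTIFIER_FIELD = "email"

# Constructed sample records for illustration only.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.org", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
    {"email": "alice@example.org", "country": "DE", "plan": "pro"},
]

# Constructed 32-byte key.  In a real deployment it comes from a KMS or HSM
# and is never stored alongside the pseudonymised data set.
PSEUDONYM_KEY = bytes.fromhex(
    "3a5f0c9d2e7b4f1a8c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b"
)

# A candidate list that an adversary (or the controller) might hold.
CANDIDATE_IDENTIFIERS = ["carol@example.org", "alice@example.org", "bob@example.org"]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: same subject -> same token under the same key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier; shown only as the weak alternative."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier in every record by a keyed pseudonym.

    Linkability within the data set is preserved (general analysis is still
    possible), but the data set on its own no longer names anyone.
    """
    out: List[Dict[str, str]] = []
    for rec in records:
        new_rec = {k: v for k, v in rec.items() if k != IDENTIFIER_FIELD}
        new_rec["subject_id"] = keyed_pseudonym(rec[IDENTIFIER_FIELD], key)
        out.append(new_rec)
    return out


def reidentify(token: str, candidates: List[str], key: Optional[bytes]) -> Optional[str]:
    """Try to attribute a token to one of the candidate identifiers.

    With the correct key (the authorised side of the controller) attribution
    succeeds; with any other key it fails.  For unkeyed tokens (key=None) the
    search succeeds for anyone holding a candidate list, which is why plain
    hashing does not achieve the separation the recitals ask for.
    """
    for cand in candidates:
        expected = unkeyed_token(cand) if key is None else keyed_pseudonym(cand, key)
        if hmac.compare_digest(expected, token):
            return cand
    return None


if __name__ == "__main__":
    data = pseudonymise(SAMPLE_RECORDS, PSEUDONYM_KEY)
    for rec in data:
        print(rec)
    tok = data[0]["subject_id"]
    print("with key:   ", reidentify(tok, CANDIDATE_IDENTIFIERS, PSEUDONYM_KEY))
    print("wrong key:  ", reidentify(tok, CANDIDATE_IDENTIFIERS, b"\x00" * 32))
    print("unkeyed:    ", reidentify(unkeyed_token("alice@example.org"), CANDIDATE_IDENTIFIERS, None))
```

The pseudonymised set still links the two records of the same subject, which is what keeps it personal data under control (26) rather than anonymous data; the key, not the data set, is what must be access-controlled and kept apart under control (29). Rotating the key produces an unlinkable new set of tokens, so a key rotation also breaks linkage with any previously exported data.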