
GDPR: what is it, the regulation, and how personal data protection works in the EU

Personal data protection in the EU: key aspects and new rules for users. Photo: inkorr.com

In today's digital world, personal data has become one of the most valuable and most vulnerable assets. Every day, millions of people leave digital footprints by buying goods online, registering on social media, or simply using search engines.

What is GDPR? It is the General Data Protection Regulation, which brought about a legal revolution in the European Union. This document not only establishes the rules for working with information but also gives people real leverage over how their data is used by businesses and government institutions.

Understanding GDPR is critically important for any company that works with European clients or plans to enter the EU market. This article explains the essence of the regulation, its key principles, the rights of data subjects, and the obligations of the organizations that process their data.

GDPR: essence and role in personal data protection

GDPR, or General Data Protection Regulation, was adopted by the European Parliament in 2016 and came into force on May 25, 2018. This is the most comprehensive reform in the field of personal data protection in recent decades. The main goal of the regulation is to return control over personal information to citizens and to unify the rules for data processing in all EU member countries. Before the GDPR, each country had its own legislation, creating numerous barriers for businesses and confusion for citizens. The new regulation replaced the outdated Directive 95/46/EC, introducing uniform standards that apply directly in all EU states without the need for implementation through national legislation.

GDPR imposes strict requirements on the collection, storage, processing, and transfer of personal data. It defines what personal data is, who has the right to process it, under what conditions this can be done, and what the consequences for violations of the rules are. The regulation establishes the principle of accountability, under which organizations must not only comply with the rules but also prove this through documents, policies, and procedures.

Scope of GDPR: to whom the regulation applies

GDPR has a very wide scope that extends far beyond the European Union. The regulation applies to all companies and organizations that process personal data of individuals residing in the EU, regardless of where the company is located. This means that even a Ukrainian firm that offers goods or services to EU citizens or tracks their online behavior is required to comply with GDPR.

The regulation applies to two main categories of subjects: data controllers and data processors. A controller is an individual or organization that independently determines the purposes and means of processing personal data. A processor is an organization that processes data on behalf of the controller, such as a cloud service or payment system. GDPR also applies to government authorities, non-governmental organizations, hospitals, schools, banks, insurance companies, and other institutions.

However, the regulation has several important exceptions. It does not apply to data processing for purely personal or family purposes, nor to the activities of competent authorities in the field of crime prevention. Special attention is paid to cross-border data transfer, i.e., sending information outside the EU.

Key principles of personal data processing under GDPR

The successful implementation of GDPR is impossible without understanding its key principles, which are the foundation of the entire data protection system. The first principle is lawfulness, fairness, and transparency. Data processing must be carried out on lawful grounds, fairly with respect to the data subject, and transparently: an individual must understand how and for what purpose their data is being used.

The second principle is purpose limitation. Data can only be collected for specific, explicit, and legitimate purposes, and they cannot be used for other tasks that are incompatible with them. The third principle is data minimization. Organizations must collect only those data that are necessary to achieve the stated purposes. Excessive information about the client cannot be required. 

The fourth principle is data accuracy. Data must be accurate and, if necessary, updated. The controller is obliged to take all possible measures to ensure that inaccurate data is corrected or deleted. The fifth principle is storage limitation. Data must be stored in a form that allows the identification of data subjects no longer than is necessary for the purposes of their processing. The sixth principle is integrity and confidentiality. Data must be processed with an adequate level of security, including protection against unauthorized access, loss, destruction, or damage. 

The seventh principle is accountability. The controller is responsible for complying with all the aforementioned principles and must have documentation to confirm this.

Rights of individuals whose data is processed

GDPR empowers individuals whose data is processed with a wide range of rights that were previously unavailable or had limited effect. The key right is the right of access. Everyone has the right to receive confirmation from the controller whether their personal data is being processed and, if so, to access it and information about the processing purposes, categories of data, retention periods, recipients, etc. The right to rectification allows individuals to demand that the controller correct inaccurate data about them or supplement incomplete data. The right to erasure, also known as the right to be forgotten, is one of the most powerful tools. It allows individuals to request the deletion of personal data if it is no longer needed for the purposes for which it was collected, if the subject withdraws consent, or if the data was processed unlawfully. 

The right to restriction of processing allows individuals to temporarily suspend the processing of data, for example, when a person contests its accuracy. The right to data portability allows individuals to obtain their data in a structured, machine-readable format and transfer it to another controller without hindrance. This is particularly relevant for social networks, banks, and telecom operators. The right to object allows individuals to object to the processing of data based on public interest or legitimate interests of the controller, including profiling. Organizations must cease processing unless they demonstrate compelling legitimate grounds.

Obligations of companies and organizations processing data

GDPR imposes a number of obligations on companies and organizations, non-compliance with which carries huge fines. Controllers are required to implement technical and organizational measures to ensure data protection by design and by default. This means that privacy issues must be considered at the product or service development stage, rather than as an afterthought. An important obligation is maintaining a record of processing activities. If a company has more than 250 employees or processes special categories of data, it is obliged to keep a detailed record of all processing operations. 

In the event of a data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of the incident. If the breach poses a high risk to the rights and freedoms of individuals, the data subjects themselves must also be notified. Some organizations are required to appoint a designated data protection officer. This applies to public authorities, companies whose core activities involve large-scale monitoring, as well as those who process special categories of data in large volumes. Companies are also required to conduct data protection impact assessments for processing operations that may pose a high risk to the rights and freedoms of individuals. Furthermore, controllers must conclude written contracts with data processors, clearly outlining the conditions of processing, rights, and obligations of each party.

Legal basis for processing personal data under GDPR

GDPR requires that any processing of personal data must have a lawful basis. The regulation defines six such bases, none of which is universal or more important than the others. The first basis is the consent of the data subject. It must be freely given, specific, informed, and unambiguous. Consent can be withdrawn at any time. 

The second basis is the necessity for the performance of a contract to which the data subject is a party. For example, an online store has the right to process the delivery address to fulfill an order. 

The third basis is the necessity for compliance with a legal obligation under EU or member state law. The fourth basis is the necessity to protect the vital interests of the data subject or another individual. The fifth basis is the necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The sixth basis is the legitimate interests of the controller or a third party, provided that they do not override the rights and freedoms of the data subject.

Monitoring and enforcement of GDPR compliance

To ensure compliance with GDPR requirements, independent supervisory authorities have been established in each EU country. They are responsible for monitoring the application of the regulation, examining citizen complaints, and imposing penalties on violators. Each member state has its own authority, such as the Data Protection Commissioner in Poland or the Federal Data Protection Commissioner in Germany. These authorities have broad powers: they can conduct audits, demand information, issue warnings, and temporarily or permanently restrict data processing.

In addition to national authorities, there is also the European Data Protection Board, which brings together representatives of all supervisory authorities. It ensures uniform application of GDPR across the EU and issues clarifications and recommendations.

To make things easier for citizens, a 'one-stop shop' principle has been introduced. This means that if a company processes data in several EU countries, a complaint can be filed with the supervisory authority of the country where the complainant resides. This authority will cooperate with the other authorities to reach a joint decision. Supervisory authorities also maintain public registries of violations, which increases the transparency of their work. They are required to inform the public about typical violations and how to avoid them.

Liability and sanctions for violations of the regulation

GDPR introduces one of the strictest liability mechanisms in the world for violations of personal data protection rules. Sanctions are divided into two main categories depending on the severity of the violation. For less serious violations, such as failure to maintain a proper processing record or failure to notify the supervisory authority of a breach, a fine of up to 10 million euros or up to 2 percent of the company's total annual turnover for the previous financial year is imposed. For more serious violations, such as processing data without a lawful basis, insufficient protection of data subjects' rights, or illegal transfer of data to third countries, fines can reach 20 million euros or 4 percent of the annual global turnover.

It is important to understand that the higher of these two amounts applies. For example, for a large multinational corporation, 4 percent of global turnover could amount to hundreds of millions of euros. These sanctions are aimed not so much at punishment as at encouraging businesses to comply with the rules voluntarily. In addition to administrative fines, violators are liable under civil law. Individuals who suffer material or moral damage as a result of GDPR violations have the right to compensation from the controller or processor. Damages may include legal assistance costs, lost income, and compensation for non-material harm, such as the loss of control over personal data.

Practical significance of GDPR for businesses and users

For ordinary citizens, GDPR has become a true revolution in the field of digital rights. Users now have real control over their personal information. Anyone can require any company to explain what data about them is stored, why it is needed, and to whom it is transferred. If a person changes their last name or there is an error in the data, they have the right to correct it. Furthermore, there is now the possibility to demand the complete deletion of data, which is particularly relevant for social networks and search engines.

For businesses, GDPR is both a challenge and an advantage. Implementing the regulation requires significant spending on legal support, IT audits, upgrading security systems, and training staff. Small and medium-sized businesses in particular face difficulties due to a lack of resources. However, compliance with GDPR creates a competitive advantage. Customers place more trust in companies that handle their data transparently. Compliance also serves as a gateway to the European Union market without the risk of huge fines. Many companies use GDPR as a marketing tool, highlighting their accountability. Thus, the regulation raises the overall level of cybersecurity and fosters a culture of responsible handling of personal data.