GDPR (General Data Protection Regulation)
GDPR (General Data Protection Regulation) is the EU's general regulation on data protection. The regulation defines the procedure for collecting, processing, storing, and sharing personal data in EU countries and in interactions involving EU citizens.
GDPR has been in effect since May 25, 2018. It replaced the "EU Data Protection Directive 95/46/EC of October 24, 1995 on the protection of individuals with regard to the processing of personal data." The GDPR rules are mandatory for all EU member states.
Key Goals of GDPR
The fundamental goal of the Regulation is to protect personal data and prevent human rights violations.
Personal data refers to any information that allows a person to be identified: name and surname, address, phone number, passport details. This also includes online identifiers (IP addresses, cookies, RFID tags, etc.) and genetic information (DNA, RNA).
Almost any interaction between people and organizations involves the transfer of personal information. This simplifies communication and cooperation. It is important for companies to collect and process the information they receive responsibly.
GDPR establishes the protocols and rules by which personal data must be handled. The document also defines the roles of the parties involved, types of consent, and accountability standards.
Companies subject to GDPR take its requirements into account when drafting their Privacy Policy — a comprehensive document prepared in accordance with the Regulation.
The Regulation expands citizens' rights compared to the previously applicable directive. In particular, people are entitled to request information about how their personal data is used and stored, and can demand deletion of their data or its transfer to another operator. Any person also has the right to withhold consent to processing for purposes unrelated to the reason for the original request.
Data Processing Participants Under GDPR
Under the Regulation, the person to whom the personal data relates is called the data subject. Responsibility for protecting information received from data subjects lies with:
- Controller. A company or individual that determines the purposes and means of data processing, oversees it, and bears responsibility for it. They ensure GDPR compliance.
- Processor. Processes personal information on behalf of and under the instruction of the controller.
Companies that handle large volumes of information and operate under GDPR often hire a dedicated Data Protection Officer (DPO). This person must be well-versed in the provisions of the Regulation and is responsible for ensuring compliance before supervisory authorities.
The controller and processor are often the same entity.
Example: A digital agency based outside the EU signs a contract with a European company and, under that contract, sends email campaigns to the company's customers. The agency acts as the processor; the European company is the controller.
Another example: an online store based outside the EU serves EU citizens. It collects personal data which it then uses to interact with customers. In this case, the store acts as both controller and processor.
Data Processing Principles
GDPR lists the principles that must be followed when processing personal data. These are not detailed instructions or rules — they are guiding tenets for controllers, processors, and data subjects.
Lawfulness, fairness, and transparency. Data must be processed lawfully, fairly, and in the prescribed manner.
Purpose limitation. Personal data is collected for a clear and legally legitimate purpose and processed in a manner appropriate to that purpose.
Data minimization. Only information that is genuinely necessary for the specific situation should be collected.
Accuracy. All inaccurate personal data must be erased or corrected without delay. All reasonable measures must be taken to ensure accuracy.
Storage limitation. The retention period must not exceed the time necessary to achieve the stated purpose.
Integrity and confidentiality. Data must be processed in a manner that ensures security, as well as protection of personal information from unlawful use, loss, damage, or destruction.
Organizations must explain to users how and for what purpose their data will be processed. Companies do this through a Privacy Policy or a Privacy Notice — a more accessible version of the document. The latter is used by most companies that are not subject to GDPR but collect information on their website through contact forms.
GDPR Requirements
To comply with the Regulation, a number of requirements must be met.
Collect and use personal data only with the owner's consent. Consent must be voluntary and unambiguous, not allowing for misinterpretation. The person must first receive detailed information about what data is being collected and what will happen with it.
Process data only in ways consistent with the stated purposes. If the information is to be used for a different purpose, it must first be verified that the new purpose is compatible with the original purpose of collection.
Destroy collected data as soon as the purposes are achieved. The retention period is defined by specific timeframes or criteria.
Delete data from the database immediately upon request from the owner. A data subject may prohibit the use of their personal data by any available means, including through automated tools.
Appoint a responsible data protection officer. This person must be well-versed in the provisions of the Regulation in order to oversee data handling.
Maintain records confirming GDPR compliance. This includes developing data processing rules, maintaining a breach register, and documenting how data is obtained.
In the event of a personal data breach, the processor must immediately notify the controller. The controller is then obligated to notify the supervisory authority within 72 hours and to inform the data subjects if the breach poses a risk to their rights.
Who Must Comply with GDPR
First and foremost, all organizations established in the EU must comply with GDPR, including their foreign branches. This also applies to any companies that export goods and services to EU countries.
In addition, the following organizations must comply with the Regulation:
- Those offering goods and services to EU citizens on a paid or free basis. For example, online stores, digital services, hotels, and hostels. Note that occasional one-off online sales do not require GDPR compliance. Indicators of ongoing engagement include the use of an EU country's language or currency, or the mention of EU citizens as users or consumers.
- Those monitoring the behavior of EU citizens. These are organizations that track cookies or IP addresses of visitors from EU countries and build user profiles. Examples include dating sites, banks, online stores, search engines, and social media platforms.
Important: If a company's website is regularly visited by EU citizens, it is worth checking whether GDPR compliance is required — even in the absence of sales. Analytics tools such as Google Analytics may collect identifying data from EU visitors depending on configuration settings. This may mean the company is obligated to comply with GDPR.
GDPR compliance is not required for personal and household activities. If a person collects friends' contact details for personal use, they are not required to take additional steps to protect confidentiality.
Organizations with fewer than 250 employees are partially exempt from the Regulation. They must ensure the protection and security of personal data, but are not required to maintain documentation.
Fines for Non-Compliance with GDPR
GDPR compliance is monitored by supervisory authorities — independent public bodies responsible for overseeing the application of the Regulation. A supervisory authority may review GDPR compliance upon request from any data subject. If violations are identified, a fine is imposed.
The size of the fine depends on various factors: the nature, severity, and duration of the violation; whether the action was intentional or accidental; what protective measures were in place; and whether the violator is willing to cooperate in resolving the issue.
The fine tiers (shown in a table not reproduced here) scale with the seriousness of the violation, with the highest tier reserved for the most serious of them.
Example: In January 2019, Google was fined €50 million for non-compliance with GDPR requirements. Due to the overly complex presentation of the Privacy Policy, users could not understand how their personal data was being processed. In addition, the consent checkbox for data processing was pre-checked, which violates the Regulation's requirements.
In addition to fines, other measures can be applied to an organization: restricting access to the website in EU countries, freezing foreign assets, and various prohibitive measures for members of management.
It is therefore advisable for companies operating internationally to take GDPR principles into account, particularly those whose services or websites attract EU residents.
Key Takeaways
- GDPR is the EU's General Data Protection Regulation. It has been in force since May 25, 2018.
- It applies to all EU-based organizations — including their foreign branches — as well as any companies that export goods and services to EU countries or serve EU residents.
- Key principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.
- Fines range up to €20 million or 4% of annual global revenue, depending on the severity of the violation.
- In addition to fines, supervisory authorities may restrict market access and apply other sanctions.