The EU General Data Protection Regulation (GDPR) is the European Union's flagship data protection law. It requires personal data to be processed lawfully, transparently and securely, and it has served as a model for privacy legislation worldwide. Its broad scope covers organizations of every size, from multinational conglomerates to micro-enterprises. This guide walks through the essentials.

Effective date: 25 May 2018

Official legal text: GDPR official text

What is EU GDPR?

The General Data Protection Regulation (GDPR) is a landmark data protection law that has applied since 25 May 2018. It reshaped digital privacy and has inspired many privacy laws around the globe. Its ultimate aim is to give individuals control over their personal data and to make controllers and processors accountable for how they handle it.

GDPR applies to any organization that processes the personal data of people in the EU, whether or not the organization itself is based there. It requires data protection by design and by default, grants enforceable rights to data subjects, and imposes obligations on controllers and processors. It also carries a two-tier penalty regime under which non-compliance can cost millions of euros.

What are some of the important terms under EU GDPR?

Before we start, let us learn some important terms associated with EU GDPR.

Personal data: Any information relating to an identified or identifiable natural person (the data subject), such as a name, postal address, identification number, location data, or an online identifier such as an IP address or cookie ID. Information that identifies someone only indirectly, or only in combination with other data, is still personal data.

Get a detailed look at what constitutes GDPR Personal Data

Special categories of personal data: GDPR treats the following categories of personal data as special categories that require enhanced protection:

  • Personal data that reveals:
    • racial or ethnic origin
    • political opinions
    • religious beliefs
    • philosophical beliefs
    • trade union memberships
  • Genetic data and biometric data processed to uniquely identify a person
  • Health-related data
  • Data related to a person’s sex life or sexual orientation

Data subject: The identified or identifiable natural person to whom the personal data relates; in other words, the individual whose personal data is processed.

Here is a simple example: When you give your name and email address to sign up for an online platform, you are the data subject.

Controller: The natural or legal person, public authority, agency or other body that decides why and how personal data is processed, that is, the purposes and means of the processing.

For example, a supermarket that collects phone numbers from its customers for its loyalty scheme is the controller of that data.

Processor: A natural or legal person that processes personal data on behalf of, and on the documented instructions of, a controller.

Here is a real-life example: a restaurant that uses a third-party reservation application to take bookings decides what is collected (names and phone numbers) and why (to hold the table), so the restaurant is the controller. The reservation application, which stores and forwards that data on the restaurant's behalf, is the processor. The same application is a controller in its own right for data it collects for its own purposes, such as the accounts of people who use the app.

Consent: A freely given, specific, informed and unambiguous indication of the data subject's wishes, expressed by a statement or a clear affirmative action, by which they agree to the processing of their personal data.

Who must comply with EU GDPR?

If you think GDPR will not apply to you because your business is far from Europe, don't be caught off guard. The law protects the personal data of people in the EU, so it reaches organizations wherever they are located.

Article 3 sets out the territorial scope of GDPR. It applies to:

  • Any controller or processor established in the European Union, regardless of whether the processing itself takes place in the EU.
  • Any controller or processor established outside the European Union that processes personal data of people in the EU and:
    • offers goods or services to them (whether or not payment is required), or
    • monitors their behaviour as far as it takes place in the EU.
  • Any controller established outside the European Union in a place where member state law applies by virtue of public international law (for example, a diplomatic mission).

Intention plays a significant part in determining whether you offer goods or services to people in the EU. Mere accessibility of your website from the EU does not by itself show intention. Pricing in a member state's currency, offering the site in a member state's language, or mentioning customers in the EU does (Recital 23).

Furthermore, the law applies to you if your organization is established in the EU, even if the personal data is stored or processed elsewhere.

Who is not covered by EU GDPR?

GDPR does not take a one-size-fits-all approach. Despite its extensive reach, it does not apply to personal data processed by a natural person in the course of a purely personal or household activity, such as a private address book.

It also protects only living individuals. Personal data is defined as information relating to an identifiable natural person, so the deceased and legal entities such as corporations fall outside its protection (member states may adopt their own rules on data about the deceased, and information about a company's employees or a sole trader is still personal data).

Though not a complete exemption, GDPR relaxes the duty to keep records of processing activities (Article 30) for organizations with fewer than 250 employees, unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories or criminal-conviction data.

What are the 7 main principles of EU GDPR?

Article 5 of GDPR lays down the 7 principles that form the essence of the law. Every organization within its scope must follow them.

Lawfulness, fairness, and transparency

Personal data may be processed only if the processing rests on one of the 6 lawful bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task in the public interest or the exercise of official authority, or legitimate interests.

Fairness relates to the reasonable expectations of data subjects, the source of the personal data, and how the processing affects their interests.

To ensure transparency, businesses must inform data subjects about their data practices, including the purposes and risks, their rights under GDPR, and how to exercise them. This information must be concise, intelligible and easily accessible, in clear and plain language.

Purpose limitation

Collect personal data only for specified, explicit and legitimate purposes, and do not further process it in a way that is incompatible with those purposes. A new, incompatible purpose needs its own lawful basis and its own information to the data subject.

Data minimization

Collect only personal data that is adequate, relevant and limited to what is necessary for the purpose. In practice: do not collect fields "just in case", do not copy whole records when a single attribute would do, and challenge every field in a form against the stated purpose.

Accuracy

Ensure that the personal data you hold is accurate and, where necessary, kept up to date. Take reasonable steps to rectify or erase inaccurate data without delay, and propagate corrections to processors and recipients.

Storage limitation

Do not retain personal data in identifiable form for longer than necessary for the purpose. Set a retention period for every category of data, review it periodically, and delete or anonymize data once the purpose is fulfilled. Note that pseudonymized data (for example, a hashed e-mail address that you could still link back to a person) is still personal data and remains subject to this principle; only data that can no longer be attributed to anyone falls outside it. A documented retention schedule is a good way to comply.
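To show what a retention schedule looks like as running code, here is an added example written for this guide; it is not taken from the regulation or from any vendor's product. It assumes a hypothetical record store in which each record carries its purpose and collection time, and a made-up policy table mapping purposes to retention periods and post-expiry actions; the sample records are constructed. Expired analytics records are anonymized by dropping direct identifiers and coarsening quasi-identifiers rather than by hashing, because a hash would still be pseudonymized personal data, and records with an undocumented purpose are surfaced instead of silently kept.

```python
"""Storage-limitation sweep over a record store.

Added example for this guide, not code from the original article. Assumptions
(hypothetical, not in the text): each record is a dict with a `purpose`, a
`collected_at` timestamp and a few personal fields; RETENTION_POLICY maps each
purpose to how long the data is needed and what happens afterwards. The sample
records further down are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: purpose -> (retention period, action after expiry).
# "delete" drops the record entirely; "anonymize" keeps it only in a form that no
# longer relates to an identifiable person.
RETENTION_POLICY = {
    "order_fulfilment": (timedelta(days=30), "delete"),
    "sales_analytics": (timedelta(days=365), "anonymize"),
}

# Fields that identify a person directly. Dropping them is not enough on its own:
# a full postcode plus a birth date can still single someone out, so anonymize()
# also coarsens those quasi-identifiers.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone")


def anonymize(record: dict) -> dict:
    """Return a copy stripped of direct identifiers, with quasi-identifiers generalised.

    Deliberately keeps no hash of the e-mail address: a (salted) hash is still
    pseudonymised personal data, because the controller can re-link it.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "*"   # keep only the area prefix
    if "birth_date" in out:
        out["birth_date"] = out["birth_date"][:4]      # keep only the year
    out["anonymized"] = True
    return out


def retention_sweep(records: list, now: datetime, policy: dict = RETENTION_POLICY) -> tuple:
    """Apply the retention schedule as of `now`.

    Returns (kept_records, deleted_count, anonymized_count, unknown_purpose_ids).
    Records whose purpose has no schedule are kept and reported rather than
    silently retained: an undocumented purpose is itself a compliance gap.
    """
    kept, deleted, anonymized, unknown = [], 0, 0, []
    for rec in records:
        rule = policy.get(rec["purpose"])
        if rule is None:
            unknown.append(rec.get("customer_id", "<no id>"))
            kept.append(rec)
            continue
        max_age, action = rule
        expired = now - rec["collected_at"] > max_age
        if not expired or rec.get("anonymized"):
            kept.append(rec)            # still needed, or already anonymised
        elif action == "delete":
            deleted += 1                # dropped from the store
        else:
            kept.append(anonymize(rec))
            anonymized += 1
    return kept, deleted, anonymized, unknown


# Constructed sample data (not real people).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"customer_id": "c-1", "name": "Ana Lind", "email": "ana@example.org", "postcode": "10115",
     "birth_date": "1990-04-12", "purpose": "order_fulfilment", "collected_at": NOW - timedelta(days=10)},
    {"customer_id": "c-2", "name": "Bo Rask", "email": "bo@example.org", "postcode": "20095",
     "birth_date": "1985-09-30", "purpose": "order_fulfilment", "collected_at": NOW - timedelta(days=45)},
    {"customer_id": "c-3", "name": "Cy Dahl", "email": "cy@example.org", "postcode": "80331",
     "birth_date": "1988-01-15", "purpose": "sales_analytics", "collected_at": NOW - timedelta(days=400)},
    {"customer_id": "c-4", "name": "Di Moss", "email": "di@example.org", "postcode": "50667",
     "birth_date": "1995-07-07", "purpose": "newsletter", "collected_at": NOW - timedelta(days=5)},
]

if __name__ == "__main__":
    kept, deleted, anonymized, unknown = retention_sweep(SAMPLE_RECORDS, NOW)
    print(f"kept={len(kept)} deleted={deleted} anonymized={anonymized} unknown_purpose={unknown}")
```

In a real system the delete branch would also have to reach backups, search indexes and processors, and each sweep should itself be logged as evidence under the accountability principle.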

Integrity and confidentiality

Protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage with appropriate technical and organizational measures: risk analysis, access control, encryption and pseudonymization, and regular testing of those controls. This is also known as the "security principle" and is elaborated in Article 32.

Accountability

The main idea behind this principle is to make businesses responsible for the personal data they handle. For this purpose, businesses must equip themselves to demonstrate compliance using different methods such as documentation and data protection policies.

What are the 6 lawful bases of processing under EU GDPR?

The lawful basis of processing is just as important as the principles. Before processing personal data, identify which of the following bases it rests on and document it, because the basis determines which data subject rights apply.

Consent

GDPR emphasizes user control over personal data, and consent is the most visible expression of that control. It is, however, only one of the six bases, not the default. Rely on it only where people have a genuine choice; where the processing is necessary anyway (to perform a contract, say), another basis is the better fit, because consent can be withdrawn at any time and the processing must then stop.

Valid consent is a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action, that signifies agreement to the processing of their personal data. Let us take each term in turn:

Informed: Data subjects should be informed about the processing of their personal data, such as who is collecting their data, the purpose of collection, the retention period, and their rights, including the right to withdraw consent.

Freely given: Consent is given without undue influence, coercion or detriment. In particular, you cannot make access to a service conditional on consent to processing that is not necessary for that service, and there must be a genuine choice where there is a clear power imbalance, such as between employer and employee.

Specifically given: Consent is given separately for each purpose, so blanket consent to a general description of processing is not valid.

Unambiguous: There should not be any uncertainty regarding the data subject’s consent. This implies that silence, inaction, or pre-checked boxes do not constitute valid consent. 

Data subjects may withdraw consent at any time, and withdrawing must be as easy as giving it. Withdrawal does not affect the lawfulness of processing that took place before it, but processing based on that consent must then stop.
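The four conditions above translate naturally into a consent ledger check. The following is an added example for this guide, not code from the original article: it assumes a hypothetical ConsentRecord with exactly one purpose per record, invented capture-mechanism names, and a constructed sample ledger. It refuses to treat pre-ticked boxes, silence, bundled purposes, missing notices or forced consent as valid, and makes withdrawal a single step.

```python
"""Consent ledger validation.

Added example for this guide, not code from the original article. Assumptions
(hypothetical, not in the text): consent is stored as one record per purpose,
recording how it was captured, which privacy notice the person saw, and when it
was withdrawn. The mechanism names and sample records are constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Capture mechanisms that are a clear affirmative action, and those that are not.
AFFIRMATIVE = {"unticked_checkbox", "explicit_button", "signed_form"}
NOT_AFFIRMATIVE = {"preticked_checkbox", "continued_browsing", "silence", "bundled_in_terms"}
GENERIC_PURPOSES = {"all", "any", "general", "marketing_and_analytics"}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                     # exactly one purpose, e.g. "marketing_email"
    mechanism: str                   # how consent was captured (see sets above)
    notice_version: Optional[str]    # privacy notice shown at capture; None = not informed
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    required_for_service: bool = False   # True if access was made conditional on this consent


def consent_problems(rec: ConsentRecord, at: datetime) -> List[str]:
    """Reasons why `rec` does not evidence valid consent at time `at` (empty list = valid)."""
    problems = []
    if rec.notice_version is None:
        problems.append("not informed: no privacy notice recorded at capture")
    if rec.required_for_service:
        problems.append("not freely given: access to the service was conditional on consent")
    if rec.purpose in GENERIC_PURPOSES or "," in rec.purpose:
        problems.append("not specific: purpose is generic or bundles several purposes")
    if rec.mechanism in NOT_AFFIRMATIVE:
        problems.append(f"not unambiguous: {rec.mechanism} is not a clear affirmative action")
    elif rec.mechanism not in AFFIRMATIVE:
        problems.append(f"unknown capture mechanism {rec.mechanism!r}")
    if rec.given_at > at:
        problems.append("not yet given")
    if rec.withdrawn_at is not None and rec.withdrawn_at <= at:
        problems.append("withdrawn")
    return problems


def may_process(ledger: List[ConsentRecord], subject_id: str, purpose: str, at: datetime) -> bool:
    """True only if the ledger holds a valid consent for this subject and this exact purpose."""
    return any(
        not consent_problems(r, at)
        for r in ledger
        if r.subject_id == subject_id and r.purpose == purpose
    )


def withdraw(rec: ConsentRecord, at: datetime) -> ConsentRecord:
    """Withdrawal is one step and unconditional: it must be as easy as giving consent."""
    return replace(rec, withdrawn_at=at)


# Constructed sample ledger (not real people).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 3, 1, tzinfo=timezone.utc)
LEDGER = [
    ConsentRecord("s-1", "marketing_email", "unticked_checkbox", "notice-v3", T0),
    ConsentRecord("s-2", "marketing_email", "preticked_checkbox", "notice-v3", T0),
    ConsentRecord("s-3", "marketing_email", "explicit_button", None, T0),
    ConsentRecord("s-4", "marketing_and_analytics", "explicit_button", "notice-v3", T0),
    withdraw(ConsentRecord("s-5", "marketing_email", "explicit_button", "notice-v3", T0), T1),
]

if __name__ == "__main__":
    for rec in LEDGER:
        print(rec.subject_id, consent_problems(rec, T1) or "valid")
```

The check is evaluated at a point in time, so the same ledger answers both "may we send this e-mail now?" and, later, "was this e-mail lawful when it was sent?", which is what a supervisory authority will ask.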

Dive deep into the concept of GDPR Consent to understand its requirements

Get more info on GDPR Cookie Consent

Contract

GDPR allows processing of personal data where it is necessary to perform a contract with the data subject, or to take steps at their request before entering into one. Only the data actually needed for the contract is covered; anything beyond that needs another basis.

Legal obligations

Processing is lawful if it is necessary to comply with a legal obligation to which you are subject under EU or member state law. For example, financial institutions process names, account numbers and transaction details to comply with anti-money-laundering rules.

Vital interest

The law permits processing that is necessary to protect someone's life or physical integrity, where no other basis is available. For special categories such as health data, this exception applies only where the data subject is physically or legally incapable of giving consent.

Public task

This basis applies to public authorities exercising official authority and to organizations carrying out tasks in the public interest that are laid down in law.

Legitimate interest

Sometimes, businesses need to process personal data for purposes that none of the bases above covers. Legitimate interests can justify this when the processing is necessary for an interest of yours or of a third party, the data subject would reasonably expect it, and it does not override their interests, fundamental rights and freedoms. Document this balancing test. Public authorities cannot rely on this basis for their official tasks.

A simple example of legitimate interest would be the installation of surveillance cameras in a shop to prevent shoplifting.

Read more about what is Legitimate Interest under GDPR

What are the special categories of personal data under EU GDPR?

All personal data matter, but some categories can cause far greater harm if compromised: a leaked health record or a revealed sexual orientation can lead to discrimination, violence or loss of employment. That is why Article 9 of GDPR gives special status to the categories listed in the definitions above.

We can now examine how businesses can lawfully process these special categories of personal data.

The general rule under GDPR is that processing special categories of personal data is prohibited. Article 9(2) lists the exceptions:

  • The data subject has given explicit consent.
  • The processing is necessary for obligations or rights under employment, social security or social protection law.
  • It protects the vital interests of a person who is physically or legally incapable of giving consent.
  • It is carried out by a non-profit body with a political, philosophical, religious or trade-union aim, in relation to its members.
  • The data subject has manifestly made the data public.
  • It is necessary for legal claims or for courts acting in their judicial capacity.
  • It is necessary for reasons of substantial public interest, on the basis of law.
  • It is necessary for preventive or occupational medicine, health or social care, or public health.
  • It is necessary for archiving in the public interest, scientific or historical research, or statistical purposes.

What are the rights of data subjects under EU GDPR?

GDPR guarantees data subjects (anyone in the EU whose data you process, citizen or not) the following rights. Businesses must provide convenient mechanisms for exercising them and describe them in their privacy notices.

Right to access

Data subjects have the right to confirm whether a controller is processing their personal data and, if so, to obtain a copy of it together with information such as the purposes of processing, the categories of data and recipients, the retention period, their other rights, the source of the data, and the existence and logic of any automated decision-making, including profiling.

Whenever personal data is transferred to a third country, inform the data subject of the appropriate safeguards that protect it.

Right to rectification

As discussed above, accuracy is a core principle, and GDPR gives data subjects the right to have inaccurate personal data corrected and incomplete data completed without undue delay.

Right to erasure/right to be forgotten

Data subjects can require controllers to delete their personal data in circumstances such as: the data is no longer necessary for the purpose, consent is withdrawn, they object and no overriding ground exists, the processing was unlawful, or a legal obligation requires erasure. The right is not absolute; it yields to, among others, freedom of expression, legal obligations, public health and the defence of legal claims.

Right to restrict

This right allows data subjects to limit the controllers from processing their personal data. They can restrict the processing of personal data under the following circumstances:

  • The data subject contests the accuracy of personal data, and the controller needs to verify it.
  • The processing is unlawful and the data subject asks for restriction instead of erasure.
  • The controller no longer needs the personal data, but the data subject needs it for legal claims.
  • The data subject objects to the processing of personal data, and the controller considers whether there is a legitimate interest that overrides that of the individual.

Right to data portability

This right lets data subjects move their data between services. They can obtain the personal data they provided to a controller in a structured, commonly used and machine-readable format (JSON or CSV, for example), and have it transmitted directly to another controller where technically feasible.

It applies only to data processed by automated means on the basis of consent or a contract.

Right to object

Data subjects have the right to object to the processing of their personal data in the following circumstances:

  • Direct marketing
  • Task carried out in public interest/ official authority
  • Legitimate interest
  • Profiling

Only the right to object to direct marketing is absolute. In the other cases the controller may continue if it demonstrates compelling legitimate grounds that override the data subject's interests, rights and freedoms, or if the processing serves legal claims.

Rights related to automated decision-making

Automated decision-making means decisions based solely on automated processing, including profiling, with no meaningful human involvement. It is convenient for controllers, but decisions that produce legal or similarly significant effects (a credit refusal or automated recruitment screening, for example) can seriously affect data subjects.

Under GDPR, data subjects have the right not to be subject to such decisions. Exceptions apply where the decision is necessary to enter into or perform a contract with the data subject, is authorized by EU or member state law with suitable safeguards, or is based on the data subject's explicit consent. Even then, the controller must allow the data subject to obtain human intervention, express their point of view and contest the decision.

What are the obligations of businesses under EU GDPR?

GDPR imposes duties on controllers, and several directly on processors, to safeguard the privacy of data subjects. Upholding these obligations is the core of compliance.

The following are the duties of organizations under EU GDPR:

Compliance with EU GDPR principles

Businesses must be able to demonstrate their compliance with the principles of EU GDPR. For this purpose, implement data protection policies along with adequate technical and organizational measures. Such measures should be periodically reviewed and updated. 

Exercise of data subject rights

Ensure that data subjects can conveniently exercise their rights, such as access, rectification and erasure. Where you have reasonable doubts about the identity of the requester, ask for the information needed to confirm it, but do not demand more data than is necessary for that purpose.

Respond to requests without undue delay and within one month of receipt. This can be extended by two further months where necessary, taking into account the complexity and number of requests, but you must inform the individual of the extension and the reasons for it within the initial month. Fulfil requests free of charge unless they are manifestly unfounded or excessive, in particular because of their repetitive character.
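Because the one-month clock and the extension rule are easy to get wrong at month ends, here is an added example for tracking request deadlines, written for this guide and not taken from the original article. It assumes that "one month" means the same day of the following month, clamped to that month's last day, and it uses a constructed request register; an extension is honoured only if the data subject was notified within the initial month.

```python
"""Data subject request (DSAR) deadline tracking.

Added example for this guide, not code from the original article. It assumes
(not stated in the text) that "one month" means the same calendar day of the
following month, or the last day of that month when no such day exists
(31 January -> 28 or 29 February); check your supervisory authority's guidance
on how the day of receipt is counted. The request register below is constructed.
"""
import calendar
from datetime import date
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Advance `d` by whole calendar months, clamping to the end of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def dsar_deadline(received: date, extension_months: int = 0,
                  extension_notified: Optional[date] = None) -> date:
    """Response deadline for a request received on `received`.

    The base deadline is one month. It may be extended by at most two further
    months, and only if the data subject was told (with reasons) within the
    initial month; an extension notified late is invalid and the base deadline stands.
    """
    base = add_months(received, 1)
    if extension_months == 0:
        return base
    if not 1 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    if extension_notified is None or extension_notified > base:
        raise ValueError("extension must be notified within the initial one-month period")
    return add_months(received, 1 + extension_months)


def overdue(register: List[dict], today: date) -> List[str]:
    """IDs of open requests whose deadline has passed as of `today`."""
    late = []
    for req in register:
        if req.get("completed") is not None:
            continue
        ext_months, ext_notified = req.get("extension", (0, None))
        deadline = dsar_deadline(req["received"], ext_months, ext_notified)
        if deadline < today:
            late.append(req["id"])
    return late


# Constructed request register (hypothetical).
REGISTER = [
    {"id": "R-1", "received": date(2024, 1, 31), "completed": None},
    {"id": "R-2", "received": date(2024, 2, 10), "extension": (2, date(2024, 2, 28)), "completed": None},
    {"id": "R-3", "received": date(2024, 1, 5), "completed": date(2024, 1, 20)},
]

if __name__ == "__main__":
    print("overdue on 2024-03-05:", overdue(REGISTER, date(2024, 3, 5)))
```

Keeping the register itself, with receipt dates, extension notices and completion dates, doubles as the evidence the accountability principle asks for.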

Privacy by design 

Data protection must be built into a product or process from its design, not bolted on after data collection starts. Article 25 requires data protection by design and by default: apply data minimization, purpose limitation and security safeguards at design time, and make the privacy-protective setting the default.

Read more about Privacy by Design.

Contractual relationship

You must have a written contract with each processor that sets out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller. The contract must also bind the processor to act only on your documented instructions, to pass the same obligations on to any sub-processor, and to assist you with security, breach notification and data subject requests.

Do not involve processors in processing data on your behalf unless they guarantee technical and organizational measures to be EU GDPR compliant and protect the rights of data subjects.

Children’s personal data

Where you rely on consent to offer online services directly to a child under 16, obtain consent from the holder of parental responsibility and make reasonable efforts, taking available technology into account, to verify it. Member states may lower the age threshold, but not below 13 years.

Privacy notices should be written so that they are easy to understand, even for children.

Breach notifications

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, controllers must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if the notification is late, the reasons for the delay must be given. Where the breach is likely to result in a high risk, the affected individuals must also be informed without undue delay, in clear and plain language. Processors must notify the controller without undue delay after becoming aware of a breach.

Include the following in the notification to the supervisory authority:

  • The nature of the breach, including where possible the categories and approximate number of data subjects and of personal data records concerned
  • Name and contact details of the data protection officer or other contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

Document every personal data breach, including the facts, its effects and the remedial action taken, whether or not it was notifiable; the supervisory authority may ask to see this record. If the breach is unlikely to result in a risk to individuals' rights and freedoms, notification is not required, but the internal record still is.

Data protection impact assessments

A data protection impact assessment (DPIA) analyses and mitigates the risks of a processing operation before it starts. It is mandatory where processing is likely to result in a high risk to individuals, in particular when new technologies are used; examples are systematic and extensive profiling with significant effects, large-scale processing of special categories or criminal-conviction data, and systematic monitoring of publicly accessible areas on a large scale. The DPIA describes the processing, assesses its necessity and proportionality, and identifies the risks and the measures to address them. If a high risk remains after mitigation, consult the supervisory authority before processing.

Data protection officers

DPOs are experts in data protection and key players in protecting individuals' privacy. GDPR requires a DPO to be appointed by public authorities, and by controllers or processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories or criminal-conviction data. The DPO must be independent, report to the highest level of management, and must not be penalized for performing the role.

Provide information

The primary objective of GDPR is to empower individuals with control over their personal data and to hold controllers accountable. That is pointless if individuals do not know what is done with their data or what rights they have.

Therefore, at the time of collection (or, when the data comes from another source, within a month), businesses must tell data subjects who the controller is and how to contact it, the purposes and lawful basis of processing, the categories of data, the recipients, any transfers outside the EU, the retention period, their rights, and the existence of any automated decision-making. This is commonly delivered as a privacy policy, statement or notice.

Cross-border transfers

Before transferring personal data to a third country, confirm that the processing itself is lawful. Then check the transfer mechanism: the European Commission may have recognized the destination as providing adequate protection; if not, you need appropriate safeguards such as standard contractual clauses or binding corporate rules (together with an assessment of whether they are effective in the destination country), or one of the narrow derogations such as explicit consent.

The Commission assesses adequacy on factors such as the rule of law, respect for human rights and fundamental freedoms, data protection legislation and its implementation, the existence of an independent supervisory authority, and the country's international commitments.

What is the penalty for violation of EU GDPR?

GDPR imposes hefty fines: up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The amount depends on factors including the nature, gravity and duration of the infringement, whether it was intentional or negligent, mitigating action taken, previous infringements, and cooperation with the authority.

Enforcement lies with the national supervisory authorities (data protection authorities) of the member states. For cross-border processing, the authority of the organization's main establishment acts as lead authority in cooperation with the others. The European Data Protection Board (EDPB), composed of the heads of these authorities and the European Data Protection Supervisor, ensures that GDPR is applied consistently across the EU.

The penalty provision is a two-tiered system, and here is a simple breakdown of it:

  • For violations of the obligations of controllers and processors (Articles 8, 11, 25 to 39, 42 and 43), certification bodies (Articles 42 and 43) and monitoring bodies (Article 41(4)), fines may reach €10 million or 2% of total worldwide annual turnover, whichever is higher.
  • For violations of the principles of processing, including the conditions for consent (Articles 5, 6, 7 and 9), data subject rights (Articles 12 to 22), the rules on international transfers (Articles 44 to 49), member state laws adopted under Chapter IX, and non-compliance with an order of a supervisory authority, fines may reach €20 million or 4% of total worldwide annual turnover, whichever is higher.

Read more about GDPR fines and how to avoid them.

Data subjects also have a private right of action: anyone who has suffered material or non-material damage as a result of an infringement can claim compensation from the controller or processor responsible. They may mandate a non-profit body active in the field of data protection to lodge complaints and claim damages on their behalf.

Checklist for EU GDPR compliance

  • Practice data minimization and purpose limitation
  • Adhere to the GDPR principles and implement data protection by design and by default
  • Do not process personal data without a documented lawful basis
  • Provide an accessible and easy-to-understand privacy notice
  • Implement security safeguards appropriate to the risk
  • Obtain verifiable parental consent before offering online services to children under 16 on the basis of consent
  • Have a written contract with processors and ensure their compliance with GDPR
  • Check for an adequacy decision or put appropriate safeguards in place before transferring personal data outside the EU
  • Appoint a data protection officer if required
  • Conduct data protection impact assessments for high-risk processing
  • Provide convenient data subject request mechanisms and a breach response process

FAQ on EU GDPR

What is GDPR in simple terms?

GDPR is the European Union's comprehensive data protection regulation, in force since May 2018. It protects the personal data of people in the EU, sets out the rights of data subjects and the obligations of controllers and processors, and provides for fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

What is the purpose of GDPR?

GDPR empowers data subjects with authority over their personal data. It also makes provisions for the security, confidentiality, and transparency and fairness of data processing.

What are the GDPR rules?

Lawful basis for processing, data minimization, purpose limitation, data security and confidentiality, transparency, data subject rights, breach notifications, children’s data, adequacy of cross-border transfer, and accountability are the important rules of GDPR.

How do I prove I am GDPR compliant?

Document your processing activities (the Article 30 records) and adopt data protection policies. Conduct data protection impact assessments for high-risk processing and create risk-mitigation plans. Keep evidence of consent, of data subject requests and how they were handled, and of breaches. Train your employees so that everyone understands their GDPR responsibilities.