# General Data Protection Regulation (GDPR)

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
DPD Data Protection Directive
EEA European Economic Area
EFTA European Free Trade Association
EU European Union
GDPR General Data Protection Regulation
U.S. United States

# Overview

The General Data Protection Regulation (GDPR) is a strict data privacy law that was adopted by the European Union (EU) in 2016 and went into effect on May 25, 2018. Though it was drafted and passed by the EU and is binding on all EU member states and members of the European Economic Area (EEA), it applies to any organization targeting or collecting data related to people in the EU.

The GDPR consists of two components: the articles and recitals.

  • The articles constitute the legal requirements organizations must follow to demonstrate compliance.
  • The recitals provide additional information and supporting context to supplement the articles.

# Articles

The GDPR contains 99 articles. These articles are split into several chapters. Covered on this page include:

  • Chapter 2: Principles
  • Chapter 3: Rights of the data subject
  • Chapter 4: Controller and processor

# Chapter 2: Principles

The principles contained within the GDPR include:

  • Article 5 - Principles relating to processing of personal data
  • Article 6 - Lawfulness of processing
  • Article 7 - Conditions for consent
  • Article 8 - Conditions applicable to child's consent in relation to information society services
  • Article 9 - Processing of special categories of personal data
  • Article 10 - Processing of personal data relating to criminal convictions and offences
  • Article 11 - Processing which does not require identification

# Chapter 3: Rights of the data subject

The rights of the data subject contained within the GDPR include:

  • Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 - Information to be provided where personal data are collected from the data subject
  • Article 14 - Information to be provided where personal data have not been obtained from the data subject
  • Article 15 - Right of access by the data subject
  • Article 16 - Right to rectification
  • Article 17 - Right to erasure ("right to be forgotten")
  • Article 18 - Right to restriction of processing
  • Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 - Right to data portability
  • Article 21 - Right to object
  • Article 22 - Automated individual decision-making, including profiling
  • Article 23 - Restrictions

# Chapter 4: Controller and processor

This chapter is concerned with general obligations, security of personal data, and data protection. For example:

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.
  1. The controller and the processor shall designate a data protection officer in any case where:
    1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data.

# Recitals

The GDPR contains 173 recitals. It's particularly important to highlight the following recital as it lays the framework upon which GDPR is established:

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

# Consequences

The GDPR states explicitly that some violations are more severe than others.

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

# Adoption

Governing Body Status
Australia Compliant
Canada Compliant
EFTA Compliant
European Union Compliant
Israel Compliant
Japan Compliant
United States Noncompliant

Noncompliance with GDPR does not necessarily mean an organization cannot process the data of EU citizens. Rather, these entities must meet special conditions to ensure that they provide an adequate level of data protection. In the United States (U.S.), this was accomplished by joining and complying with the Privacy Shield. However, this was rendered invalid in 2020 and a new agreement known as the Trans-Atlantic Data Privacy (TADP) Framework was announced in 2022 but has not yet been formally adopted.

# Noteworthy

  • The EU considers data protection a fundamental human right.
  • The GDPR repeals and supersedes the Data Protection Directive (DPD, Directive 95/46/EC).
  • The GDPR applies to any organization targeting or collecting data related to people in the EU.
  • The GDPR contains 99 articles and 173 recitals.
  • The GDPR requires that the data subject must consent to processing of his or her personal data.
  • The GDPR includes the right to be forgotten.
  • The GDPR mandates that the appropriate authorities are notified within 72 hours in the instance of a data breach.
  • The GDPR establishes the role of the data protection officer.

# Sources