The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's data protection law. It replaces the Data Protection Directive 95/46/EC, which was adopted in 1995. The GDPR was adopted in April 2016 and has applied since May 25, 2018. It regulates the processing of personal data by controllers (who decide why and how data is processed) and processors (who process data on a controller's behalf).
The regulation sets out strict rules on how personal data must be collected, used and protected. It gives individuals rights over their data, including the right to be informed about and to access the personal data held about them, the right to have inaccurate data rectified, the right to erasure, and the right to object to processing.
The regulation applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).
7 principles of GDPR
The 7 principles of GDPR, set out in Article 5, are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
- Lawfulness, fairness and transparency
Processing must rest on one of the legal bases listed in Article 6 (such as consent, performance of a contract, a legal obligation, or the controller's legitimate interests), must not be misleading or detrimental to the individual, and must be transparent: individuals must be told who is processing their data, for what purposes and on what legal basis, and how to exercise their rights, including the right to object.
- Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes, and may not be further processed in a way that is incompatible with those purposes. Reusing data for a new, incompatible purpose requires a fresh legal basis, which in many cases means fresh consent.
- Data minimisation
The data collected and processed must be adequate, relevant and limited to what is necessary for the stated purpose. In practice this means not collecting fields "just in case" and not keeping copies of data in systems that do not need them, which also reduces the impact of any breach.
- Accuracy
Personal data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to erase or rectify inaccurate data without delay. This protects individuals from being unfairly disadvantaged by incorrect or outdated data.
- Storage limitation
Personal data must be kept in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed. This requires defined retention periods and a deletion or anonymisation process that is actually carried out, including for backups and logs.
- Integrity and confidentiality
Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. Article 32 lists examples of such measures: pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to data after an incident, and regular testing of the effectiveness of those measures. When a personal data breach does occur, the controller must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33).
- Accountability
The controller is responsible for compliance with the principles above and must be able to demonstrate that compliance (Article 5(2)), for example through records of processing activities, data protection impact assessments, and documented policies and contracts with processors. This principle ensures that individuals' rights are respected and that controllers are transparent in their handling of personal data.
Fines
Administrative fines under the GDPR have two tiers (Article 83). Infringements of the basic principles, of data subject rights or of the international transfer rules can be fined up to €20 million or 4% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher. Other infringements, including failing to implement appropriate security measures or to notify a breach, can be fined up to €10 million or 2%. In addition, supervisory authorities can order an organisation to stop processing data and to delete data that has been processed unlawfully (Article 58).
Some examples of GDPR enforcement cases:
- Google was fined €50 million by the CNIL (the French data protection authority) in January 2019 for a lack of transparency, inadequate information, and lack of valid consent regarding the use of personal data for advertising purposes.
- In July 2019, the UK's Information Commissioner's Office (ICO) announced its intention to fine British Airways £183 million (around $230 million) for a 2018 data breach that affected about 500,000 customers. The final penalty, issued in October 2020, was £20 million.
- Also in July 2019, the ICO announced its intention to fine Marriott International £99 million (around €110 million) for a breach of the Starwood guest reservation database, disclosed in November 2018, that affected about 339 million guest records. The final penalty, issued in October 2020, was £18.4 million.