Legal Lexicon

GDPR

Definition and Significance of the GDPR

The General Data Protection Regulation (GDPR; German: Datenschutz-Grundverordnung, DSGVO) is Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Since May 25, 2018, it has formed the legal framework for data protection in the European Union (EU) and has largely replaced the previous Data Protection Directive 95/46/EC as well as national data protection laws to the extent that they conflict with the GDPR.

The objective of the GDPR is to harmonize the protection of personal data within the European Union and to grant data subjects comprehensive rights regarding their data. At the same time, companies and organizations should be provided with legal certainty when processing personal data, and free data flow within the European Single Market should be ensured.


Scope of the GDPR

Territorial Scope

The GDPR applies to all controllers and processors who process personal data of individuals in the EU, regardless of whether the processing takes place inside or outside the EU (Art. 3 GDPR). Thus, companies based outside the EU are also subject to the GDPR if they offer goods or services to individuals in the EU or monitor their behavior.

Material Scope

The regulation applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that form part of, or are intended to form part of, a filing system. It covers processing by controllers and processors in both the private and public sectors.

Exceptions

The processing of data by natural persons for the sole purpose of personal or family activities and certain activities related to public security, defense, or state security are exempt from the application of the GDPR.


Key Terms of the GDPR

Personal Data

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, name, address, email address, telephone number, but also online identifiers or location data.

Processing

Under the GDPR, processing means any operation performed on personal data, whether or not by automated means, such as collection, storage, alteration, transmission, or deletion of such data.

Controller

A controller is any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor

A processor is a natural or legal person who processes personal data on behalf of the controller.


Fundamental Principles of Data Protection under the GDPR

Lawfulness, Fairness, Transparency

The processing of personal data is only lawful if there is a corresponding legal basis (e.g., consent, performance of a contract, legitimate interests). Data processing must be carried out in a way that is comprehensible to data subjects.

Purpose Limitation

Personal data may only be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data Minimization

Only as much personal data as is necessary for the respective purpose may be processed.

Accuracy

It must be ensured that personal data are factually accurate and, where necessary, kept up to date.

Storage Limitation

Personal data must be stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which the data are processed.

Integrity and Confidentiality

Appropriate technical and organizational measures must be taken to protect personal data against unauthorized access, loss, or destruction.


Legal Bases for Data Processing

The GDPR defines six legal bases for permissible data processing (Art. 6 GDPR):

  1. Consent of the data subject
  2. Performance of a contract or steps prior to entering into a contract
  3. Fulfillment of a legal obligation
  4. Protection of vital interests
  5. Performance of a task carried out in the public interest or the exercise of official authority
  6. Pursuit of legitimate interests of the controller or a third party, unless these are overridden by the interests or fundamental rights and freedoms of the data subject

Stricter requirements apply to special categories of personal data (e.g., health data) (Art. 9 GDPR).


Rights of Data Subjects

Right of Access (Art. 15 GDPR)

Data subjects have the right to obtain information about stored personal data, its origin, recipients, purposes of processing, and other relevant details.

Right to Rectification (Art. 16 GDPR)

Incorrect or incomplete personal data must be rectified or completed upon the data subject’s request.

Right to Erasure (‘Right to be Forgotten’, Art. 17 GDPR)

Under certain circumstances, data subjects may request the erasure of their data, for example if the data is no longer needed for the intended purpose or if consent has been withdrawn.

Right to Restriction of Processing (Art. 18 GDPR)

Processing may be restricted, for example, while the accuracy of the data is contested or the data is needed by the data subject for the establishment, exercise, or defense of legal claims.

Right to Data Portability (Art. 20 GDPR)

Upon request, personal data must be made available in a structured, commonly used, and machine-readable format and, if desired, transferred to another controller.

Right to Object (Art. 21 GDPR)

Data subjects may object to the processing of their data for reasons arising from their particular situation, especially when the data processing is based on legitimate interests.

Rights regarding Automated Decisions including Profiling (Art. 22 GDPR)

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing—including profiling.


Obligations for Controllers and Processors

Data Protection Impact Assessment (DPIA)

For processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, a prior data protection impact assessment is required (Art. 35 GDPR).

Record of Processing Activities

Controllers and processors are required to maintain a record of all processing activities (Art. 30 GDPR).

Technical and Organizational Measures

Appropriate technical and organizational measures must be implemented to ensure the security of personal data (Art. 32 GDPR).

Designation of a Data Protection Officer

In certain cases, the GDPR (Art. 37 ff.) requires the mandatory appointment of a data protection officer, for example, if the core activities involve large-scale processing of special categories of personal data.

Obligations to Report Data Breaches

Data breaches must be reported to the competent supervisory authority without undue delay, and where feasible, within 72 hours (Art. 33 GDPR). Data subjects must also be informed of data breaches where applicable (Art. 34 GDPR).


Supervisory Authorities and Sanctions Mechanisms

National Supervisory Authorities

Each EU Member State establishes independent supervisory authorities to monitor the application of the GDPR. These authorities serve as contact points for complaints, conduct audits, and have extensive enforcement and sanctioning powers.

Sanctions and Fines

In case of violations of the GDPR, severe fines may be imposed. These can reach up to 20 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater (Art. 83 GDPR).

Legal Remedies

Data subjects are entitled to effective judicial remedies against decisions of supervisory authorities as well as against controllers or processors in cases of GDPR violations.


International Data Transfers

A transfer of personal data to a third country or to an international organization is only permitted under certain conditions (Art. 44 ff. GDPR):

  • Adequacy decision of the EU Commission
  • Existence of appropriate safeguards (e.g., standard data protection clauses)
  • Consent of the data subject or specific exceptional situations

This provision is intended to ensure that the level of data protection in third countries does not fall below that of the EU.


Relationship to National Regulations and Other EU Regulations

The GDPR is specified and supplemented by national provisions such as the Federal Data Protection Act (BDSG) in Germany, provided the GDPR permits such clauses. Other regulations such as the ePrivacy Directive or sector-specific data protection laws also apply.


Criticism and Practical Impacts

The GDPR has significantly raised awareness of data protection requirements among companies, authorities, and the public. However, its complexity and the implementation costs, especially for small and medium-sized enterprises, are frequently criticized. On the positive side, the standardized approach across Europe fosters trust in digital processes and business models.


Summary

The General Data Protection Regulation represents the central legal framework for data protection in the European Union. Its objectives are to strengthen the protection of personal data, expand the rights of data subjects, and harmonize the European Single Market regarding the free flow of data. Through comprehensive regulations and sanctioning mechanisms, the GDPR demands a high level of responsibility and transparency from all entities processing personal data, while providing broad protection for data subjects.

Frequently Asked Questions

Are companies required to appoint a data protection officer and when is this necessary?

The obligation to appoint a data protection officer is stipulated in Art. 37 GDPR. Companies must appoint a data protection officer if they process special categories of personal data on a large scale pursuant to Art. 9 GDPR (e.g., health data) or personal data relating to criminal convictions and offenses under Art. 10 GDPR. A data protection officer is also required if the company’s core activities consist of processing operations which, by their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects (e.g., scoring, tracking, video surveillance). In addition, the amended Federal Data Protection Act (BDSG-neu) in Germany requires the appointment of a data protection officer if at least 20 persons are constantly involved in the automated processing of personal data. The appointment must be reported to the competent supervisory authority and the officer’s contact details must be published. The data protection officer may be internal or external, is subject to special protection against dismissal, and must report directly to company management. The main tasks include monitoring compliance with the GDPR, training employees, and acting as a contact point for authorities and data subjects.

When and to what extent must a data protection impact assessment be carried out?

A data protection impact assessment (DPIA) is mandatory pursuant to Art. 35 GDPR whenever a type of processing—particularly when using new technologies—due to its nature, scope, context, and purposes, is likely to result in a high risk to the rights and freedoms of natural persons. For example, a DPIA is required for extensive surveillance of public areas, systematic evaluation of health data, profiling, or processing large volumes of sensitive data. In a DPIA, the processing purpose, the necessity and proportionality of the processing operations, risks to data subjects, and planned risk mitigation measures must be documented. The DPIA must be conducted before processing begins and submitted to the authority upon request. If risks cannot be adequately mitigated despite measures, the supervisory authority must be consulted before processing commences (Art. 36 GDPR).

What rights do data subjects have regarding the processing of their data?

The GDPR grants data subjects extensive rights. These include in particular the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (right to be forgotten, Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR), as well as the right to object to processing (Art. 21 GDPR). Companies are required to inform data subjects transparently about their rights and to respond to such requests free of charge, usually within one month. Special obligations apply when a request for erasure is received: it must be checked whether statutory retention obligations conflict with erasure requirements; otherwise, the data must be deleted. The exercise of rights may not be refused without compelling reasons; evidence of the measures taken and communication with the data subject must be retained.

When is data processing lawful under the GDPR?

The lawfulness of data processing is regulated in Art. 6 GDPR. In principle, the processing of personal data is only permitted if at least one of the legal bases specified in the article is present. In particular, these are: consent of the data subject, performance of a contract or steps required prior to entering into a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest or in the exercise of official authority, as well as the pursuit of legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail. Careful assessment of lawfulness is required for every processing activity; the chosen legal basis must be documented and justified.

What obligations exist when reporting data breaches?

A data breach, according to Art. 4 No. 12 GDPR, is a security violation that leads to destruction, loss, alteration, unauthorized disclosure of, or access to personal data. According to Art. 33 GDPR, the controller is obliged to report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification must include information about the nature of the breach, the types of data concerned, the number of data subjects affected, the likely consequences, and the measures taken. If the data breach is likely to result in a high risk to the rights and freedoms of the affected individuals, immediate notification of the data subjects in accordance with Art. 34 GDPR is also required. Companies should establish an internal reporting procedure to ensure compliance with deadlines and documentation obligations.

What role does the record of processing activities play and who is required to maintain it?

The record of processing activities pursuant to Art. 30 GDPR is a central element of accountability. It contains all relevant information about the processing activities (including the purpose of processing, description of categories of data subjects and data, recipients, transfers to third countries, as well as technical and organizational measures). Both controllers and processors are obligated to maintain such a record and present it to the supervisory authority upon request. Only micro-enterprises or companies with fewer than 250 employees are exempt from this obligation in certain cases, unless the processing poses a risk to the rights and freedoms of data subjects, is not only occasional, or involves special categories of personal data.

When is data transfer to third countries (outside the EU/EEA) permitted?

The transfer of personal data to third countries is permitted under Art. 44 et seq. GDPR only under certain conditions. Transfer is permitted if the European Commission has determined that the respective third country ensures an adequate level of data protection (adequacy decision). If such a decision is lacking, appropriate safeguards are required, such as standard data protection clauses, Binding Corporate Rules (BCR), or other tools approved by the supervisory authority. In special exceptions (e.g., explicit consent of the data subject, performance of a contract), a transfer may also occur without these safeguards. Controllers must review and document the conditions and risks of such transfers and inform the data subjects about the risks.

What sanctions may be imposed for violations of the GDPR?

In the event of violations of the GDPR, companies may face hefty fines in accordance with Art. 83 GDPR. Depending on the seriousness of the breach, up to 20 million euros or, for companies, up to 4% of the worldwide annual turnover (whichever is higher) can be imposed as a sanction. The amount of the fine is determined by considering the nature, severity and duration of the infringement, intent or negligence, measures taken to mitigate the damage, cooperation with the supervisory authority, previous relevant infringements, and the type of personal data affected. In addition to fines, orders for measures such as the prohibition of certain data processing activities may also be issued. To avoid sanctions, companies must establish sustainable data protection management.