General Data Protection Regulation (GDPR) in Europe

What exactly is the General Data Protection Regulation (GDPR) in Europe?

Introduction

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a European Union regulation that has applied since May 25, 2018. It aims to strengthen and unify data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). In addition, it regulates the transfer of personal data to countries outside the EU and the EEA. The GDPR is one of the most comprehensive data protection laws in the world and has a significant impact on companies and organizations that process the personal data of individuals in the EU, regardless of where the organization itself is established (Article 3 GDPR).

Background and development

The GDPR replaces the Data Protection Directive 95/46/EC, which had been in force since 1995. That directive aimed to enable the free flow of data within the EU while ensuring a high level of protection for personal data. With the rapid development of technology and the spread of the Internet, however, it became clear that the old directive was no longer sufficient to meet modern data protection requirements, and because it was a directive rather than a regulation, its implementation varied from one member state to another. The European Commission therefore presented a draft of the GDPR in 2012, which was finally adopted in April 2016 and, after a two-year transition period, became applicable on May 25, 2018.

Principles of the GDPR

The GDPR is based on several principles that serve as guidelines for the processing of personal data. These principles are:

  1. Lawfulness, fairness and transparency (Article 5 paragraph 1 lit. a GDPR):

    • Personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject.
  2. Purpose limitation (Article 5 paragraph 1 lit. b GDPR):

    • Data must be collected only for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
  3. Data minimization (Article 5 paragraph 1 lit. c GDPR):

    • The processing of personal data must be adequate, relevant and limited to what is necessary for the purposes of the processing.
  4. Accuracy (Article 5 paragraph 1 lit. d GDPR):

    • Personal data must be accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Storage limitation (Article 5 paragraph 1 lit. e GDPR):

    • Data may only be stored for as long as is necessary for the purposes for which it is processed.
  6. Integrity and confidentiality (Article 5 paragraph 1 lit. f GDPR):

    • Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Rights of the data subjects

The GDPR significantly strengthens the rights of data subjects. These rights include:

  1. Right of access (Article 15 GDPR):

    • Data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to those data together with information such as the purposes of the processing, the recipients, the storage period and the source of the data. The information obligations that apply when data are collected are set out separately in Articles 13 and 14 GDPR.
  2. Right to rectification (Article 16 GDPR):

    • Data subjects have the right to request the rectification of inaccurate personal data.
  3. Right to erasure (right to be forgotten) (Article 17 GDPR):

    • Under certain circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay.
  4. Right to restriction of processing (Article 18 GDPR):

    • The data subject has the right to request the controller to restrict processing if one of the conditions referred to in Article 18(1) GDPR is met.
  5. Right to data portability (Article 20 GDPR):

    • Data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and they have the right to transmit those data to another controller without hindrance from the controller to whom the personal data were provided.
  6. Right to object (Article 21 GDPR):

    • Data subjects have the right to object at any time to the processing of personal data concerning them for reasons related to their particular situation.
  7. Right not to be subject to solely automated decision-making (Article 22 GDPR):

    • Data subjects have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Obligations of the controllers and processors

In addition to the rights of data subjects, the GDPR also sets out strict obligations for controllers and processors:

  1. Records of processing activities (Article 30 GDPR):

    • Controllers and processors must maintain a record of all processing activities under their responsibility.
  2. Data Protection Impact Assessment (DPIA) (Article 35 GDPR):

    • Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular when using new technologies, an assessment of the impact of the envisaged processing operations on the protection of personal data shall be carried out prior to the processing.
  3. Data protection by design and by default (Article 25 GDPR):

    • Controllers must implement appropriate technical and organizational measures, such as pseudonymisation, that put the data protection principles into practice from the design stage onwards, and must ensure that, by default, only the personal data necessary for each specific processing purpose are processed. This applies to the amount of data collected, the extent of the processing, the storage period and the accessibility of the data.
  4. Reporting of data breaches (Articles 33 and 34 GDPR):

    • In the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; if the notification is made later than 72 hours, the reasons for the delay must be given. A processor must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must also be informed without undue delay (Article 34 GDPR); this communication is not required if, for example, the affected data were rendered unintelligible to unauthorised persons through measures such as encryption (Article 34(3) GDPR).

Sanctions and enforcement

The GDPR provides for strict sanctions for violations. Article 83 GDPR establishes two tiers of administrative fines: up to €10 million or up to 2% of a company's total worldwide annual turnover of the previous financial year for breaches of obligations such as the records of processing activities, data protection by design or breach notification (Article 83(4)), and up to €20 million or up to 4% of that turnover for breaches of the basic principles, the rights of data subjects or the rules on international transfers (Article 83(5)); in each case the higher amount applies. The amount of the fine depends on various criteria, including the nature, gravity and duration of the violation, whether it was intentional or negligent, and any measures taken to mitigate the damage to the data subjects. In addition to fines, supervisory authorities have corrective powers under Article 58 GDPR, such as ordering the suspension of processing or of data transfers.

Impacts and challenges

Since it became applicable, the GDPR has had a significant impact on companies and organizations around the world, including those outside the EU that offer goods or services to people in the EU or monitor their behaviour. They have had to revise their data protection practices, appoint data protection officers where Article 37 GDPR requires it, conclude processing agreements with their service providers (Article 28 GDPR) and implement extensive technical and organizational measures to demonstrate compliance with the GDPR (Article 24 GDPR).

Conclusion

The General Data Protection Regulation (GDPR) represents a significant milestone in data protection law. It provides a comprehensive legal framework that strengthens the rights of data subjects and places high demands on controllers and processors. With its strict requirements and significant sanctions, the GDPR has fundamentally changed the way companies and organizations around the world handle personal data.

Globeria Consulting GmbH is one of the leading GDPR service providers in Germany and offers comprehensive solutions through certified data protection officers (DPOs). Our services cover the entire spectrum of GDPR compliance and ensure that your company meets all legal requirements efficiently. Rely on our expertise for data protection and privacy management.

We serve Berlin, Frankfurt, Munich, Magdeburg, Saxony-Anhalt, Hamburg and all of Germany.
Business hours: Monday to Friday, 09:00-17:00
© 2024 Globeria Consulting GmbH. All rights reserved.