From 25 May 2018, all companies and other entities acting as data controllers or processors that are established in the European Union must comply with the new European regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
The GDPR is not limited to entities established in the EU. Under its territorial scope (Article 3) it also applies to controllers and processors established outside the EU where their processing relates to offering goods or services to data subjects in the EU, or to monitoring the behaviour of data subjects within the EU.
Personal data include, for example, names and surnames, various identification numbers, location data, dates of birth and birth registration numbers, photographs, video recordings, e-mail addresses, social network profiles, online identifiers such as IP addresses and cookie identifiers, biometric data, health data, and data on trade union membership. The defining feature of “personal data” is that a natural person (the data subject) is identified or identifiable from the data in question, whether directly or indirectly. In short, the GDPR regulates how personal data may be processed and provides a largely unified approach throughout the European Union.
What exactly do the 173 recitals and 99 articles of the GDPR contain? First, they define basic terms such as controller, processor, recipient, third party, and filing system. They also regulate the legal basis for personal data processing, i.e. the legal grounds which authorize you to process personal data, such as the consent of the data subject. Other important elements are: the requirements for valid consent of the data subject; the information duties towards the data subject; a summary and specification of the rights of the data subject and of the obligations of controllers and processors; the required content of a contract for personal data processing between a controller and a processor; the conditions for cross-border transfers of personal data, especially to countries outside the EU; records of processing activities and data protection impact assessments; the security measures required for processing and the requirements concerning the data protection officer; the possibilities of certification in the field of personal data protection; and the details of the one-stop-shop mechanism for dealing with a lead supervisory authority.
You will also certainly be interested in the general conditions for imposing administrative fines. For the most serious infringements, these can be up to 20 million Euro or 4 % of total worldwide annual turnover for the preceding financial year, whichever is higher.
The GDPR is not the only legal provision dealing with personal data protection. Although the regulation is directly applicable, each EU member state will adopt its own national legislation to implement and supplement it in the areas the GDPR leaves to national law. Other important (but not binding) documents are the guidelines and opinions of the Article 29 Working Party (A29 WP), which is succeeded by the European Data Protection Board once the GDPR applies. These will contribute to a unified interpretation and application of the new European data protection regulation throughout the European Union.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC