GDPR, or General Data Protection Regulation, aims to provide EU citizens with a single and harmonized approach to privacy protection in the EU. It seeks to strengthen citizens’ data protection rights as defined in Article 8 of the EU Charter of Fundamental Rights.

One of the initial changes introduced by the GDPR, and a fundamental change compared to the previous data protection framework (directive 95/46/EU), is the format of the legal text. After much debate, the EU Parliament decided to create the new privacy protection framework in the form of a regulation rather than a directive.

The regulation is a binding piece of legislation that is directly applicable in all EU member states. In this way, it eliminates the need for local legislation. However, even without the need for national legislation, there may be differences in the interpretation and application of the regulation between Member States.

The GDPR has a broad scope that also affects entities that are not established in the EU. However, certain conditions must be met for extraterritorial application.

Purpose of GDPR

The purpose of the implementation is to remove the legal ambiguities and uncertainties that the previous legal framework created. It also aims to strengthen the fundamental rights and freedoms of natural persons. Finally, it aims to ensure the uniformity of the legal framework in all member states.

GDPR Effective Date

The EU Parliament approved this regulation on 14 April 2016 after almost four years of debate and reflection. They set the mandatory implementation date of the GDPR for May 25, 2018. Nevertheless, the document came into force 20 days after the date of approval. While it may seem like a long time to prepare, there was actually a lot of prep work.

Application Criteria

The law applies not only to companies within the EU, but also to companies established in the EU that process data outside the EU and to companies established outside the EU that process data outside the EU. It also applies to entities outside the EU when they provide goods or services to individuals in the EU or when they monitor the behavior of individuals in the EU (activities related to profiling, tracking individuals’ online activities, etc.).

What is Personal Data?

Personal data is all information that can (directly or indirectly) identify an individual. Therefore, any information that can identify a person is considered personal data. Such information includes name, ID number, address and telephone number. More indirect information, such as gender, age and income, is also personal data.

Control & Penalties

A fine of €20 million has been set for violations of articles 8, 11, 25 to 39 and 41 paragraph 4, as well as for violations of the basic principles (articles 5, 6, 7 and 9), the rights of the subject (articles 12 to 22) and the terms of transmission to third party recipients (Articles 44 to 49). Another fine is set at 4% of the total annual worldwide turnover in the previous financial year (whichever amount is higher applies). Finally, the regulation establishes the subject’s right to claim compensation and the administrator’s responsibility.

In addition, in January 2019 Google was fined €50 million, the first major global penalty under the GDPR. It failed to adequately inform users of how their data would be used when building the Android operating system. Although Google appealed the fine, the French court upheld it in 2020.

Final Thoughts

In conclusion, GDPR puts individuals in control of their personal data. Also, it simplifies the regulatory environment for international businesses.