What is the General Data Protection Regulation (GDPR)?
The GDPR is an EU law that was passed by parliament and went into effect on May 25, 2018. The GDPR unifies the EU under a single data protection regime for all member states and requires organizations to safeguard personal data and uphold the privacy rights of anyone in the EU. The aim of the GDPR is a high level of protection of personal data.
Who does the GDPR apply to?
- Any company or organization with an establishment in the EU.
- Multinational companies with employees or customers in the EU.
- Any company doing business with EU residents or organizations, in particular offering goods and services to customers located in the EU.
- Any company monitoring behavior of persons in the EU, as far as the behavior takes place in the EU.
What is the scope under the GDPR?
The GDPR applies to the processing of personal data (Art. 2 GDPR). Thus, only data relating to an identified or identifiable natural person is protected. Data relating to a legal entity, e.g., trade secrets or corporate confidential information, is not protected. However, the understanding of personal data is very broad (for example, online identifiers and IP-addresses are personal data).
The term of processing is to be understood very broadly as well. Nearly everything that is done with data, including collection, storage, use and transmission is covered as well as the transfer of personal data within group companies.
What are the GDPR's key principles?
The GDPR outlines seven principles for the lawful processing of personal data, including:
- Lawfulness, fairness and transparency, i.e., personal data may be processed only if the data subject has given consent or if there is a legal justification allowing the data processing. In addition, the data subject needs to be informed about the processing of his or her personal data.
- Purpose limitation, i.e., personal data may only be collected for specified, explicit and legitimate purposes, and companies must ensure that personal data is not used for purposes other than for what the data had been collected.
- Data minimization, i.e., processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy, i.e., processing of personal data must be accurate and up to date. Companies must take all reasonable steps to ensure the personal data they hold is not incorrect or misleading as to any matter of fact.
- Storage limitation, i.e., personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality (security), i.e., personal data must be processed in a manner that ensures appropriate security of the personal data.
- Accountability, i.e., companies are not only responsible for complying with the GDPR but must also be able to demonstrate their compliance.
Who can issue fines, and what are the penalties?
Any member state's data protection authorities can enforce the GDPR. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. The authorities can also impose a temporary or definitive limitation including a ban on processing.
In addition to such fines by the authorities, claims for nonmaterial damages by data subjects are on the rise.
What fines have already been imposed by European data protection authorities?
The authorities are becoming more and more active and are imposing heavy fines, for example:
- €35.3m fine against a German clothing company for the alleged wrongful collection of data of a couple of hundred employees that related to their private life.
- €27.8m fine against an Italian telecommunications operator for unlawful marketing activities.
- €22m fine against a British airline for having insufficient technical and organizational measures to ensure information security.
- €50m fine against Google for failing to inform its users transparently about the use of their personal data as well as to demonstrate valid consent for the processing of their data for advertising purposes.
The first years of GDPR enforcement have shown that the authorities focus on topics such as marketing, information obligations and on whether companies have taken sufficient technical and organizational measures.
What are the key themes of the GDPR and in-scope activities?
- Determination of the territorial scope
- Cross-border data transfers (in particular, after Schrems 2.0)
- Identifying personal data (in particular, special categories of data)
- High consent requirements under the GDPR
- Cookie banners and online tracking
- Sufficient observance of data subject rights
- Complying with breach notification
- Fulfilment of data security
- Engagement of service providers
- Policies and organizations within a company
- Keeping records, on the one hand, and timely deletion, on the other hand
- Conducting internal audits and assessments