
GDPR

GENERAL DATA PROTECTION REGULATION

Sneha Somya

Published on: Jul 3, 2023

Anjali Singh

Updated on: Jul 10, 2023


Introduction:

The European Union's General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, became applicable on May 25, 2018. It replaces the 1995 Data Protection Directive (Directive 95/46/EC) and strengthens and expands the EU's existing data protection framework.

The core principle of the GDPR is that organizations must protect the personal data and privacy of individuals in the EU, including in transactions that occur within EU member states. Non-compliance can cost companies dearly. The Regulation builds on the EU's earlier data protection rules, gives individuals in the EU more control over their personal data, and aims to simplify the regulatory environment so that citizens and businesses in the EU can fully benefit from the digital economy.

Under the GDPR, organizations are required not only to collect personal data lawfully and in accordance with strict guidelines, but also to protect the data they collect and manage against misuse and exploitation, and to uphold the rights of data subjects.

Applicability:

Any company operating in the EU, as well as any business outside the EU that offers goods or services to people in the EU or monitors their behaviour, is subject to the GDPR. In practice this means that almost every significant corporation in the world needs a GDPR compliance strategy.

The Regulation protects natural persons in the EU and binds the organizations that process their personal data. It has applied in all member states since May 25, 2018. It does not apply to the processing of personal data:

  1. In the course of an activity which falls outside the scope of Union law
  2. By the member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (common foreign and security policy)
  3. By a natural person in the course of a purely personal or household activity
  4. By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

"Breach" Under GDPR?

The GDPR defines a personal data breach as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. A breach therefore need not be malicious: a lost laptop or a misdirected e-mail qualifies just as much as an intrusion. Whether the breach poses a risk to the rights and freedoms of individuals determines the reporting obligations: the controller must notify the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in such a risk, and must inform the affected individuals without undue delay where the risk is high.

Primary Concepts

  1. The General Data Protection Regulation (GDPR) is a legal framework that lays down rules for the collection, use and transfer of the personal data of individuals in the EU, including transfers of that data outside the EU.
  2. Cloud computing enterprises with a customer base in the EU must be GDPR compliant even if they are not based in the European Union.
  3. A non-compliant company faces reputational damage, liability for compensation claims, and fines of up to €20 million or 4% of its annual global turnover, whichever is higher. Even the best cloud service providers are not exempt from the GDPR's stringent requirements.

Major Compliances:

  1. Every controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation. Those measures shall be reviewed and updated where necessary.
  2. Every controller and, where applicable, the controller's representative shall maintain a record of processing activities under its responsibility, in writing (including in electronic form), containing:
    • The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer
    • The purposes of the processing
    • A description of the categories of data subjects and of the categories of personal data
    • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
    • Transfers of personal data to a third country or an international organization, including the identification of that third country or international organization
    • Where possible, the envisaged time limits for erasure of the different categories of data
    • Where possible, a general description of the technical and organizational security measures
  3. Every processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
    • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, of the controller's or the processor's representative and the data protection officer
    • The categories of processing carried out on behalf of each controller
    • Transfers of personal data to a third country or an international organization, including the identification of that third country or international organization
    • Where possible, a general description of the technical and organizational security measures
  4. When carrying out a data protection impact assessment, the controller shall seek the advice of the data protection officer, where one has been designated.
  5. Beyond the rights set out in Chapter III of the Regulation (access, rectification, erasure, restriction of processing, data portability and objection), every data subject has the following remedies:
    • The right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation
    • The right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her
    • The right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of processing of his or her personal data in non-compliance with the Regulation
    • Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered

Offences and Penalties:

For the particularly serious infringements listed in Article 83(5) GDPR, fines can reach €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Even the less serious infringements listed in Article 83(4) GDPR carry fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. It is significant that "undertaking" here has the same meaning as in Articles 101 and 102 of the Treaty on the Functioning of the European Union (competition law), so the turnover of the whole corporate group, not only of the infringing entity, can be taken into account.

Country-by-country overview (serial number, origin country, act name, short notes):

America - North
  1. Jamaica
    • Act: Data Protection Act 2020
    • Notes: Applies to the processing of personal data within Jamaica by individuals, organizations and the government. Personal data means any information relating to an identified or identifiable individual. The Act covers data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of controllers).
  2. Martinique (Department of France)
    • Act: Law n° 2018-493 of June 20, 2018 relating to the protection of personal data
    • Notes: Law n° 2018-493 is French national legislation rather than a law specific to Martinique; it applies in Martinique because Martinique is an overseas department and region of France. The law adapted French data protection rules to the GDPR.

America - South
  3. Brazil
    • Act: Brazilian General Data Protection Law (LGPD, Law No. 13,709/2018)
    • Notes: The LGPD applies to any organization that collects, processes or stores the personal data of individuals located in Brazil, whether or not the organization is based in Brazil. This extraterritorial reach mirrors that of the GDPR.

Europe - West
  4. Belgium
    • Act: Law of July 30, 2018 on the protection of individuals with regard to the processing of personal data
    • Notes: The Belgian act supplements the GDPR, which is directly applicable in all EU member states, including Belgium, and harmonizes data protection rules across the EU. The GDPR sets out the rights and obligations for the collection, storage, use and transfer of personal data; the national law fills in the areas where the Regulation leaves choices to member states.
  5. France
    • Act: Law n° 2018-493 of June 20, 2018 relating to the protection of personal data
    • Notes: This law adapted the French Data Protection Act of 1978 (Loi Informatique et Libertés) to the GDPR. As an EU member state, France is bound directly by the GDPR; the national law regulates the processing of personal data, establishes the rights of individuals and imposes obligations on controllers and processors where the Regulation leaves room for national rules.
  6. Germany
    • Act: Federal Data Protection Act (BDSG)
    • Notes: The BDSG supplements the GDPR in German law (the GDPR applies directly; the BDSG uses the Regulation's opening clauses to add national provisions). It applies to the processing of personal data by both public and private entities in Germany.

Europe - South East
  7. Bosnia and Herzegovina
    • Act: Law on Protection of Personal Data
    • Notes: Bosnia and Herzegovina is not an EU member state, so the GDPR does not apply there directly. Its Law on Protection of Personal Data predates the GDPR and is modelled on the 1995 Data Protection Directive; it regulates the processing and protection of personal data in BiH and sets out rights and obligations for data controllers and data subjects.
  8. Bulgaria
    • Act: Personal Data Protection Act (PDPA)
    • Notes: The PDPA applies to the processing of personal data in Bulgaria and was amended to supplement the GDPR, so many of its provisions align with the Regulation. It applies to both data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of a controller).
  9. Croatia
    • Acts: (1) Law on the Protection of Natural Persons in Relation to the Processing and Exchange of Personal Data for the Purposes of Preventing, Investigating, Detecting or Prosecuting Criminal Offenses or Executing Criminal Sanctions; (2) Law on the Implementation of the General Regulation on Data Protection
    • Notes: The GDPR applies directly in Croatia to public and private sector controllers and processors. Croatia has supplemented it with the Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka), which addresses national aspects of data protection, and with a separate law transposing the Law Enforcement Directive (Directive (EU) 2016/680) for processing by competent authorities for criminal law purposes.
  10. Cyprus
    • Act: Data Protection Act
    • Notes: Cyprus applies the GDPR directly and supplements it with Law 125(I)/2018 on the protection of natural persons with regard to the processing of personal data. The GDPR sets out the rights and obligations for the processing of personal data by businesses operating in the EU and by organizations outside the EU that handle the personal data of people in the EU, and imposes requirements on controllers and processors.
  11. Greece
    • Act: Law 4624/2019, titled "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and transposition into national law of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and other provisions"
    • Notes: This law supplements the GDPR (Regulation (EU) 2016/679, adopted on April 27, 2016 and applicable since May 25, 2018) and transposes the Law Enforcement Directive. The GDPR applies to organizations within and outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, whatever their type: businesses, government entities, non-profits and any other entity that processes personal data.
  12. Kosovo
    • Act: Law No. 03/L-172 on the protection of personal data
    • Notes: This 2010 law is based on international data protection standards, including Directive 95/46/EC, and establishes rules and obligations for data controllers and processors. It has since been replaced by Law No. 06/L-082 on Protection of Personal Data (2019), which is modelled on the GDPR.
  13. Romania
    • Act: Law No. 190/2018 on measures for the application of Regulation (EU) 2016/679 (General Data Protection Regulation)
    • Notes: Law No. 190/2018 ensures the effective application and enforcement of the GDPR within the Romanian legal system. It provides the additional rules, procedures and specifications needed to apply the GDPR in Romania, covering the rights of data subjects, obligations of controllers and processors, data protection impact assessments, breach notifications and cross-border transfers.

Europe - Central
  14. Czech Republic
    • Act: Act No. 110/2019 Coll. of 12 March 2019 on personal data processing
    • Notes: The Act supplements the GDPR in the Czech Republic. It applies to public and private entities that process personal data within Czech territory, whether or not they are established there. As under the GDPR, purely personal or household processing by individuals is outside its scope.
  15. Austria
    • Act: Austrian Data Protection Act (Datenschutzgesetz, DSG)
    • Notes: The DSG is the main national legislation governing data protection in Austria and was revised to align with the GDPR. It sets out the rights and obligations of individuals and organizations when processing personal data, defined as any information relating to an identified or identifiable natural person.
  16. Slovak Republic
    • Act: Act No. 428/2002 Coll. of 3 July 2002 on personal data protection
    • Notes: Act No. 428/2002 was Slovakia's pre-GDPR data protection law and has since been repealed; the current law is Act No. 18/2018 Coll. on Personal Data Protection, applicable from May 25, 2018 alongside the GDPR. The Slovak framework establishes principles for lawful processing (purpose limitation, data minimization, accuracy, security) and rules on consent, breach handling and transfers outside the European Economic Area (EEA).
  17. Slovenia
    • Act: Personal Data Protection Act (ZVOP-1)
    • Notes: ZVOP-1 governed the processing of personal data within Slovenia and was applied alongside the GDPR until it was replaced by ZVOP-2, which entered into force in January 2023 and aligns Slovenian law with the Regulation. The legislation sets out the rights and obligations of controllers and processors and the principles of lawful processing (purpose limitation, data minimization, accuracy, security).
  18. Hungary
    • Act: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
    • Notes: The Act (the "Info Act"), as amended to supplement the GDPR, applies to the processing of personal data within Hungary and governs both personal data protection and freedom of information. It sets out the principles, rules and procedures for handling personal data by controllers and processors and establishes the rights of data subjects.
  19. Poland
    • Act: Act of 10 May 2018 on the protection of personal data (Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych)
    • Notes: The Act is the primary national legislation supplementing the GDPR in Poland. It applies to the processing of personal data in Poland and sets out the rights and obligations of controllers and processors as well as the rights of data subjects.

Europe
  20. Denmark
    • Act: Data Protection Act
    • Notes: The GDPR, applicable since May 25, 2018, harmonizes data protection law across the EU, including Denmark. The Danish Data Protection Act complements it and specifies the provisions where the Regulation allows member state discretion.
  21. Lithuania
    • Act: Law on Legal Protection of Personal Data of the Republic of Lithuania
    • Notes: The law supplements the GDPR and reflects its key principles. It establishes the framework for the collection, processing, storage and transfer of personal data, sets out the rights of data subjects (access, rectification, erasure or the "right to be forgotten", data portability) and the obligations of controllers and processors regarding security, breaches and consent.
  22. England
    • Act: Data Protection Act 2018
    • Notes: The Data Protection Act 2018 applies throughout the United Kingdom, including England; see the United Kingdom entry below.
  23. Iceland
    • Act: Act No. 90/2018 on Data Protection and the Processing of Personal Data
    • Notes: Iceland is not an EU member but applies the GDPR through the EEA Agreement; Act No. 90/2018 incorporates it into Icelandic law. The Act applies to public and private sector organizations that process personal data in Iceland, including businesses, government agencies and non-profits.
  24. Italy
    • Act: Legislative Decree No. 196 of June 30, 2003, the "Code regarding the protection of personal data"
    • Notes: The Italian Data Protection Code (Codice in materia di protezione dei dati personali) originally transposed Directive 95/46/EC. That Directive was replaced by the directly applicable GDPR in May 2018, and the Code was amended by Legislative Decree No. 101/2018 so that it now supplements the GDPR in Italy.
  25. Latvia
    • Act: Personal Data Protection Law
    • Notes: Latvia's pre-GDPR Personal Data Protection Law was replaced in 2018 by the Personal Data Processing Law, which supplements the GDPR. The framework defines personal data, sets out the rights of data subjects (access, rectification, erasure) and establishes the principles of lawful processing: a valid legal basis such as informed consent, data minimization, purpose limitation and data security.
  26. Luxembourg
    • Act: Act of 1 August 2018 on the organisation of the National Data Protection Commission, implementing Regulation (EU) 2016/679 (General Data Protection Regulation), amending the Labour Code and the amended Act of 25 March 2015 on the remuneration and promotion of State civil servants
    • Notes: The Luxembourg National Data Protection Commission (Commission nationale pour la protection des données, CNPD) is the independent supervisory authority responsible for the protection of personal data in Luxembourg. It operates under the GDPR and the relevant national data protection laws.
  27. Malta
    • Act: Data Protection Act
    • Notes: The Maltese Data Protection Act supplements the GDPR and protects individuals' rights and freedoms in the processing of their personal data. It applies to processing by public and private entities operating in Malta, defines personal data and sets out the principles of lawful processing (a valid legal basis such as informed consent, data minimization, purpose limitation, data security).
  28. Norway
    • Act: Regulation (EU) 2016/679 (General Data Protection Regulation), as incorporated through the EEA Agreement
    • Notes: The GDPR applies in the EU and the EEA, harmonizing data protection law and strengthening individuals' rights to privacy and control over their personal data. In Norway it is implemented through the Personal Data Act (Personopplysningsloven), which supplements the GDPR with additional national provisions.
  29. Scotland
    • Act: Data Protection Act 2018
    • Notes: The Data Protection Act 2018 applies throughout the United Kingdom, including Scotland; see the United Kingdom entry below.
  30. Sweden
    • Act: Law (2018:218) with supplementary provisions to the EU Data Protection Regulation
    • Notes: Known as the Swedish Data Protection Act (Dataskyddslagen), this law complements the GDPR in Sweden with additional national provisions on the protection of personal data.

Europe - North
  31. Estonia
    • Act: Personal Data Protection Act
    • Notes: The Estonian PDPA supplements the GDPR within the national legal framework and applies to individuals, organizations and public authorities that process personal data in Estonia. Under the GDPR's territorial scope it also reaches organizations not established in Estonia that offer goods or services to people there or monitor their behaviour.
  32. Finland
    • Act: Data Protection Act (Tietosuojalaki, 1050/2018)
    • Notes: The Tietosuojalaki governs the processing of personal data in Finland and protects individuals' rights in relation to their personal information. It is based on the requirements of the GDPR and adds provisions specific to Finland.

Europe - North West
  33. Ireland
    • Act: Data Protection Act 2018
    • Notes: The Data Protection Act 2018 is the primary national legislation on data protection in Ireland. It was enacted to give further effect to the GDPR and adds provisions specific to Ireland. It applies to public and private sector organizations of any size that process personal data in the course of their activities in Ireland, including businesses, government agencies and non-profits.
  34. United Kingdom (UK)
    • Act: Data Protection Act 2018
    • Notes: The Data Protection Act 2018 complements and supplements the GDPR in the UK. Since the end of the Brexit transition period on January 1, 2021, the EU GDPR has been retained in UK domestic law as the "UK GDPR", and the Act is read together with it. It applies to controllers and processors that process the personal data of people in the UK, whether or not they are located in the UK, and sets out the rights and obligations involved in collecting, storing, using and sharing such data.
  35. Netherlands
    • Act: GDPR Implementation Act 2018 (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG)
    • Notes: The UAVG applies alongside the GDPR and addresses the areas that require further elaboration under Dutch law. It sets out the rules and procedures for the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which supervises and enforces data protection law in the Netherlands.

Europe - South West
  36. Spain
    • Act: Organic Law 15/1999 of 13 December on the Protection of Personal Data
    • Notes: Organic Law 15/1999 was Spain's pre-GDPR data protection law and has been repealed: it was replaced by Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which supplements the GDPR. The Spanish framework sets out the rights and obligations of controllers and processors, the principles of lawful processing (purpose limitation, data quality, security, confidentiality), the conditions for consent, and the procedures for handling breaches and cross-border transfers.
  37. Portugal
    • Act: Act on the Protection of Personal Data (Law No. 58/2019 of 8 August)
    • Notes: Law No. 58/2019 implements the GDPR in the Portuguese legal framework and applies to the processing of personal data carried out within Portugal. It sets out the rights and obligations of controllers and processors as well as the rights of data subjects.

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.
