General Data Protection Regulation (EU) 2016/679
European Union regulation on data protection and privacy. Applies to all organizations processing personal data of EU residents, regardless of where the organization is located.
Principles of data processing
Personal data must be processed lawfully, fairly, and transparently. Data minimization, accuracy, and storage limitation principles apply.
Data protection by design and default
Data protection must be integrated into the design of processing activities and business practices.
Security of processing
Implement appropriate technical and organizational measures to ensure security of personal data processing, including encryption and access control.
Breach notification (supervisory authority)
A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it.
Data protection impact assessment
A DPIA must be conducted when processing is likely to result in high risk to data subjects.
Principles Relating to Processing of Personal Data
Personal data shall be processed lawfully, fairly, transparently; collected for specified, explicit, legitimate purposes; adequate, relevant, limited to what is necessary; accurate and up to date; kept no longer than necessary; processed securely.
Lawfulness of Processing
Processing is lawful only if, and to the extent that, at least one lawful basis applies: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Conditions for Consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented; consent must be freely given, specific, informed, and unambiguous.
Information to be Provided When Personal Data Are Collected
Provide data subjects with information about the controller's identity, the purposes of processing, recipients, retention period, their rights, and the other required details at the time of collection.
Right to Rectification
Data subjects have the right to obtain rectification of inaccurate personal data; controller must communicate rectification to recipients.
Right to Data Portability
Data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format, and the right to transmit it to another controller.
Right to Object
Data subjects have the right to object to processing for direct marketing and, on grounds relating to their particular situation, to other processing based on legitimate interests.
Automated Decision-Making and Profiling
Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects.
Responsibility of the Controller
Controllers shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is compliant.
Processor Contracts
Processing by a processor must be governed by a contract binding the processor to the controller, with specific minimum terms.
Records of Processing Activities (RoPA)
Each controller and processor shall maintain a record of the processing activities under its responsibility.
Notification of a Personal Data Breach to the Supervisory Authority
In the case of a personal data breach, the controller shall notify the supervisory authority within 72 hours of becoming aware of it.
Communication of Personal Data Breach to the Data Subject
When a personal data breach is likely to result in high risk to data subjects, the controller shall communicate the breach to data subjects without undue delay.
Designation of the Data Protection Officer (DPO)
The controller and processor shall designate a DPO when processing is carried out by a public authority, involves regular and systematic monitoring of data subjects on a large scale, or involves large-scale processing of special categories of data.
General Principle for Transfers
Any transfer of personal data to a third country or international organization shall take place only if conditions of Chapter V are complied with.
Transfers Subject to Appropriate Safeguards
Without an adequacy decision, transfers may take place only if the controller or processor has provided appropriate safeguards, such as binding corporate rules (BCRs), standard contractual clauses (SCCs), approved codes of conduct, or certification.
Powers of the Supervisory Authority
Data protection authorities (DPAs) have investigative, corrective, and authorisation powers, including audits, orders, processing bans, and fines. Organisations must cooperate when a DPA exercises these powers.
General Conditions for Imposing Administrative Fines
GDPR fines: up to €10M or 2% of global revenue for procedural violations; up to €20M or 4% of global revenue for substantive violations.