GDPR (General Data Protection Regulation)
What is GDPR and its main purpose?
The General Data Protection Regulation (GDPR) is a comprehensive legal framework established by the European Union (EU) that sets strict guidelines for the collection, processing, and storage of personal information from individuals living in the EU and the European Economic Area (EEA). Its primary goal is to give individuals greater control over their personal data while simplifying and unifying the regulatory environment for international business across the EU.
GDPR applies to any organization — regardless of its geographic location — that processes personal data of EU residents. This extraterritorial scope means that companies based in the United States, Asia, or anywhere else in the world must comply if they handle data belonging to people in the EU.
The regulation enshrines several key data subject rights, including:
- Right of access – Individuals can request a copy of their personal data being processed.
- Right to rectification – Individuals can have inaccurate data corrected.
- Right to erasure ("right to be forgotten") – Individuals can request the deletion of their data under certain conditions.
- Right to data portability – Individuals can receive their data in a structured, commonly used format and transfer it to another controller.
- Right to object – Individuals can object to the processing of their data for specific purposes, such as direct marketing.
Why is GDPR important for businesses?
GDPR has fundamentally reshaped how businesses approach data privacy and security. Its importance for organizations includes:
- Legal accountability: Both data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of controllers) are held accountable under GDPR. Organizations must demonstrate compliance through documented policies and records of processing activities.
- Strict penalties: Non-compliance can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher. Supervisory authorities such as the CNIL (France), BfDI (Germany), and the ICO (UK) actively enforce these penalties.
- Consumer trust: Demonstrating GDPR compliance helps build trust with customers and partners, as it signals a commitment to respecting individuals' privacy rights.
- Global influence: GDPR has become a benchmark for data protection legislation worldwide, influencing laws such as Brazil's LGPD and California's CCPA.
How to achieve GDPR compliance?
Achieving GDPR compliance requires a systematic and ongoing effort. Key steps include:
- Conduct a data audit: Map out all personal data your organization collects, processes, and stores. Identify the legal basis for each processing activity.
- Implement privacy by design: Integrate data protection principles into every stage of product development and business operations from the outset.
- Obtain valid consent: Where consent is the legal basis for processing, ensure it is freely given, specific, informed, and unambiguous. For example, a company offering an online service must clearly obtain explicit consent for marketing emails and allow users to easily opt out.
- Manage cookies properly: Websites using cookies must provide a cookie consent banner that allows users to accept, decline, or customise their cookie preferences before any non-essential cookies are loaded.
- Appoint a Data Protection Officer (DPO): Organizations that conduct large-scale monitoring or process sensitive data are required to appoint a DPO.
- Establish data breach procedures: Implement procedures to detect, report, and investigate personal data breaches. Breaches must be reported to the relevant supervisory authority within 72 hours.
- Conduct Data Protection Impact Assessments (DPIAs): Carry out DPIAs for processing activities that are likely to result in a high risk to individuals' rights and freedoms.
- Review third-party agreements: Ensure all data processors you work with are also GDPR-compliant through appropriate data processing agreements.
Guidance from the European Data Protection Board (EDPB) and the EU Agency for Cybersecurity (ENISA) can help organizations navigate technical and organizational measures required for compliance.
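One way to enforce the cookie step above in application code: non-essential cookies are written only after an explicit, recorded opt-in, and are removed again if consent is withdrawn. This is an added example, not code from the page or from any named project; the category names, the in-memory `jar` standing in for `document.cookie`, and all function names are assumptions.

```javascript
// Minimal consent gate for non-essential cookies (added example, not from the page).
// "necessary" cookies are always allowed; every other category needs a recorded opt-in.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// State before the user has interacted with the banner: nothing non-essential is allowed.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false, recordedAt: null };
}

// Record the user's banner choice. Only an explicit boolean true grants a category,
// so a missing field, a pre-ticked default or a truthy string never counts as consent.
function recordChoice(choice, now = new Date()) {
  return {
    decided: true,
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    recordedAt: now.toISOString(), // kept as evidence of when consent was given
  };
}

// Decide whether a cookie of the given category may be written under this consent record.
function isAllowed(category, consent) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === "necessary") return true;
  return consent.decided && consent[category] === true;
}

// Gate cookie writes. `jar` is a plain object standing in for document.cookie so the
// example runs outside a browser. Returns true if written, false if blocked.
function setCookie(jar, name, value, category, consent) {
  if (!isAllowed(category, consent)) return false;
  jar[name] = value;
  return true;
}

// On withdrawal of consent, delete cookies whose category is no longer allowed.
// `registry` maps cookie names to the category they were registered under.
function pruneCookies(jar, registry, consent) {
  const removed = [];
  for (const [name, category] of Object.entries(registry)) {
    if (name in jar && !isAllowed(category, consent)) {
      delete jar[name];
      removed.push(name);
    }
  }
  return removed;
}
```

In a real site the same gate would wrap the script tags or tag-manager triggers that set third-party cookies, not just first-party writes.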
When did GDPR come into effect?
GDPR was adopted by the European Parliament and the Council of the European Union in April 2016 and became enforceable on 25 May 2018, after a two-year transition period. It replaced the earlier Data Protection Directive 95/46/EC, which had been in place since 1995. The full text of the regulation is available on EUR-Lex.
Which data is covered by GDPR?
GDPR applies to all personal data, which is defined as any information relating to an identified or identifiable natural person (known as a "data subject"). This includes, but is not limited to:
- Basic identity information: Names, addresses, ID numbers
- Online identifiers: IP addresses, cookie identifiers, device IDs
- Location data: GPS data, mobile location data
- Financial data: Bank account details, transaction histories
- Health and biometric data: Medical records, fingerprints, facial recognition data (classified as special category data requiring additional protections)
- Genetic data and data concerning sexual orientation, political opinions, religious beliefs, or trade union membership (also special category data)
The regulation also distinguishes between personal data and pseudonymised data (data that can no longer be attributed to a specific individual without additional information). Pseudonymised data is still subject to GDPR, while truly anonymised data — where re-identification is no longer possible — falls outside the regulation's scope.