General Data Protection

General Data Protection refers primarily to the General Data Protection Regulation (GDPR), a data privacy and security law enacted by the European Union (EU) to protect the personal data and privacy of individuals in the EU and the European Economic Area (EEA), regardless of their citizenship.

The General Data Protection Regulation (GDPR) is a comprehensive legal framework that sets binding rules for the collection and processing of personal data relating to individuals within the European Union (EU) and European Economic Area (EEA). It aims to give individuals control over their personal data and to simplify the regulatory environment for international business by replacing divergent national rules with a single regulation that applies directly across the EU. The GDPR dictates how organisations must obtain, store, process, and protect personal data, emphasising accountability, transparency, and data subject rights.

What is general data protection?

General data protection refers primarily to the legal and organisational principles established by the General Data Protection Regulation (GDPR), a data privacy and security law enacted by the European Union. The GDPR provides a unified set of rules governing how personal data, meaning any information relating to an identified or identifiable natural person, must be handled. This includes data such as names, email addresses, IP addresses, location data, and online identifiers such as cookie IDs, provided that they can be linked, directly or indirectly, to a person.

The regulation is built around several core principles:

  • Lawfulness, fairness, and transparency: Data must be processed lawfully and in a transparent manner.
  • Purpose limitation: Data should be collected for specified, explicit, and legitimate purposes.
  • Data minimisation: Only the minimum amount of data necessary should be collected.
  • Accuracy: Personal data must be kept accurate and up to date.
  • Storage limitation: Data should be retained only as long as necessary.
  • Integrity and confidentiality: Data must be processed securely, using appropriate technical and organisational measures, to protect it against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability: Organisations must demonstrate compliance with all of these principles.

The regulation also enshrines key rights for individuals, including the right to access their data, the right to rectification, the right to erasure (the "right to be forgotten"), the right to restrict or object to processing, and the right to data portability.

Why is general data protection important?

General data protection is critically important for several reasons:

  • Individual empowerment: It gives people control over their personal information, ensuring they know how their data is collected, used, and shared.
  • Trust and transparency: Organisations that comply with GDPR build stronger trust with customers, employees, and partners.
  • Data breach prevention: By requiring appropriate technical and organisational security measures (Article 32) and mandatory breach reporting, the GDPR helps reduce both the likelihood and the impact of data breaches.
  • Harmonised regulation: Before GDPR, data protection laws varied significantly across EU member states. The regulation creates a single, consistent framework, simplifying compliance for businesses operating across borders.
  • Significant penalties: Non-compliance can result in fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher) for the most serious infringements, and up to €10 million or 2% for others, underscoring the seriousness with which data protection is treated.

For example, a company that obtains explicit consent before sending marketing emails to EU customers — clearly stating how their data will be used — not only avoids penalties but also fosters a relationship of trust with its audience.

How to comply with general data protection?

Compliance with the GDPR requires a structured and ongoing commitment. Key steps include:

  1. Conduct a data audit: Map out what personal data your organisation collects, where it is stored, who has access, and how it flows through your systems.
  2. Establish a lawful basis for processing: Ensure every data processing activity rests on one of the six legal bases in Article 6: consent, performance of a contract, a legal obligation, protection of vital interests, a task in the public interest, or legitimate interests (balanced against the individual's rights).
  3. Implement privacy by design and by default: Integrate data protection measures into your processes, systems, and products from the outset.
  4. Appoint a Data Protection Officer (DPO): Public authorities, organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and organisations that process special categories of data on a large scale are required to designate a DPO to oversee GDPR compliance.
  5. Update privacy notices: Provide clear, accessible, and comprehensive information to data subjects about how their data is used.
  6. Enable data subject rights: Put processes in place so individuals can exercise their rights. For instance, when an individual requests access to all personal data a company holds about them, the company must respond within one month of receipt; this can be extended by a further two months where requests are complex or numerous, provided the individual is told of the extension within the first month.
  7. Implement data breach notification procedures: Report personal data breaches to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to individuals, they must also be informed without undue delay. Every breach, reported or not, must be documented internally so that the supervisory authority can verify compliance.
  8. Maintain records of processing activities: Document all processing activities as evidence of compliance.

Guidance from supervisory authorities such as the Information Commissioner's Office (ICO), CNIL, and BfDI, together with security guidance from the EU Agency for Cybersecurity (ENISA), can assist organisations in navigating compliance requirements.

When did general data protection regulation come into force?

The GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament on 14 April 2016, entered into force on 24 May 2016, and has applied since 25 May 2018, after a two-year transition period. This gave organisations time to prepare their systems, policies, and processes for full compliance. The official text of the regulation is published on EUR-Lex, the official portal for EU law.

Which entities must follow general data protection rules?

The scope of the GDPR is notably broad. It applies to:

  • Organisations established in the EU/EEA: Any company, public authority, agency, or other body that processes personal data as part of its activities within the EU/EEA.
  • Organisations outside the EU/EEA: Any entity worldwide that offers goods or services to, or monitors the behaviour of, individuals within the EU/EEA. This means a company based in the United States, Asia, or elsewhere must comply if it processes the personal data of individuals who are in the EU/EEA, whether or not they are residents or citizens.
  • Data controllers and data processors: Both the entities that determine the purposes and means of processing (controllers) and those that process data on behalf of controllers (processors) are subject to GDPR obligations.
  • Public and private sector: The regulation applies equally to government bodies, non-profit organisations, and commercial enterprises.

Oversight and enforcement are carried out by the national supervisory authorities of each EU/EEA member state, which investigate complaints and impose fines. The European Data Protection Board (EDPB), made up of those authorities, issues guidelines and resolves disputes between them to ensure consistent application of the regulation across all jurisdictions.