General Data Protection Regulation (GDPR)

The GDPR was adopted in 2016 and has applied across the EU since 25 May 2018. It is a comprehensive framework for safeguarding the personal data of individuals in the EU, regardless of their nationality. It introduces the principles of data protection by design and by default, requiring organizations to embed data protection measures into their systems and processes from the outset and to ensure that, by default, only the personal data necessary for each specific purpose is processed. Organizations must have a legal basis for processing personal data, such as consent or contractual necessity, and individuals have a range of rights over their data, including access, rectification, and erasure. Where consent is the legal basis, it must be freely given, specific, informed, and unambiguous (explicit consent is required for special categories of data), and individuals can withdraw it at any time.

GDPR also imposes strict requirements for data breach notification (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible) and requires the appointment of a Data Protection Officer in certain cases. It regulates the transfer of personal data outside the EU, requiring organizations to ensure an adequate level of protection or to implement appropriate safeguards. A key aspect of compliance is conducting Data Protection Impact Assessments (DPIAs) for processing likely to result in a high risk to individuals' rights and freedoms, in order to evaluate and mitigate that risk. Organizations must also maintain records of their processing activities to demonstrate compliance. Overall, GDPR aims to strengthen data protection, privacy, and transparency, giving individuals greater control over their personal data and holding organizations accountable for responsible data processing.

Legal basis for GDPR

GDPR applies to any personal data that is processed, wholly or partly, by automated means, or by non-automated means where the data forms part of a filing system or is intended to form part of a filing system.

To process personal data a legal basis is required. Article 6(1) of the GDPR recognizes only the following six legal bases; at least one must apply to every processing activity:

  • Consent: the data subject has given consent to the processing for one or more specific purposes.
  • Contract: processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before entering into a contract.
  • Legal obligation: processing is necessary to comply with a legal obligation to which the controller is subject.
  • Vital interests: processing is necessary to protect the vital interests of the data subject or another natural person.
  • Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interests: processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Key Definitions

  • Personal data: any information relating to an identified or identifiable natural person (a data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to:

A name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • Processing: any operation or set of operations performed on personal data, whether or not by automated means. The following activities are all considered 'processing':

Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller.

For more information:

GDPR frequently asked questions