Legal

GDPR

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. It was adopted in April 2016 and became enforceable on 25 May 2018.

Key Principles

The GDPR is built on seven principles (Article 5):

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability — the controller must be able to demonstrate compliance

Scope

The GDPR applies to:

  • All organisations established in the EU/EEA
  • Organisations outside the EU that offer goods or services to, or monitor the behaviour of, EU residents

Enforcement

Supervisory authorities can impose fines of up to €20 million or 4% of annual global turnover, whichever is higher.

Key Roles

  • Data Controller — determines purposes and means of processing
  • Data Processor — processes data on behalf of the controller
  • DPO — independent compliance officer

Related Terms

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

Data ProcessorPrivacy

An entity that processes personal data on behalf of a data controller.

Data SubjectPrivacy

The identified or identifiable person whose personal data is being processed.

DPOPrivacy

Data Protection Officer — an independent expert responsible for monitoring an organisation's data protection compliance.

CCPALegal

The California Consumer Privacy Act — a US state law giving California residents control over their personal information.

Supervisory AuthorityLegal

An independent public authority responsible for monitoring the application of data protection law in its jurisdiction.