
GDPR

Definition

The General Data Protection Regulation, abbreviated GDPR, is an EU (European Union) regulation (Regulation (EU) 2016/679) that has applied since 25 May 2018. It governs the processing of personal data of natural persons, that is, any operation on such data from collection through storage to deletion. It applies to organisations established in the EU and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Personal data may only be processed on a legal basis; the consent of the person concerned is one such basis, alongside others such as the performance of a contract or compliance with a legal obligation.

The GDPR was introduced to harmonise data protection law across the EU, particularly for processing on the internet, and so to give individuals greater transparency about what happens to their personal data after it has been collected.

Principles for the Processing of Personal Data

The GDPR is based on a number of principles (Article 5) that must be observed whenever personal data is processed:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability: the controller must be able to demonstrate compliance with the principles above

Market Place Principle

The GDPR follows the market place principle. The decisive factor for the legal treatment of data is therefore not the registered office of a company but to whom the company's offer is directed. If a specific offer is intended for persons within the territory of the European Union, the GDPR applies, even if the company has no establishment in the EU.

Principle of Transparency

One of the guiding principles of the GDPR is the principle of transparency. It emphasises the right to information of every individual regarding the processing of their personal data. According to the legal text (Article 12), the relevant information must be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language".

The obligation to provide information covers, among other things:

  • the identity and contact details of the controller,
  • the purposes of the processing,
  • the recipients of the data,
  • the storage period (or the criteria used to determine it), and
  • the data subject's rights to rectification, restriction of processing and erasure of the data.

Right to be Forgotten

The GDPR explicitly provides that personal data must be deleted once the legal basis for further processing no longer exists. Exceptions apply where statutory retention obligations require the data to be stored for a longer period.

In addition, the GDPR grants individuals the right to demand, on request, that a company erase their personal data when the reasons for the processing have ceased to apply (the right to erasure, Article 17, commonly called the "right to be forgotten").

Privacy by Design and Privacy by Default

The GDPR (Article 25, "data protection by design and by default") lays down two principles for the technical design of data processing:

Privacy by design means that the technical architecture itself enforces the essential data protection requirements, so that compliance does not depend on someone checking each processing step afterwards. Examples are anonymising or pseudonymising data as early as possible, storing only the fields a purpose actually needs, and building in safeguards that technically prevent processing which would conflict with the GDPR.

Privacy by default means that the settings a user gets without taking any action are the most privacy-friendly ones: by default only the personal data necessary for the specific purpose is processed, and optional processing such as tracking for analytics stays switched off until the user actively turns it on. Users should be able to understand and control the processing of their data without great effort.
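As an added example, not code from the original page, here is how these two principles can be applied at the point where an event containing personal data enters a system. Everything in it is assumed for the illustration: the event format, the purpose register and its retention periods, the demo key, and the classification of `product_analytics` as consent-based while `fraud_detection` is taken to rest on a different legal basis.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed purpose register: the fields each purpose is allowed to use
# (purpose limitation, data minimisation) and how long the derived record
# may be kept (storage limitation). Values are made up for the example.
PURPOSES = {
    "fraud_detection": {"fields": {"user_pseudonym", "ip_prefix", "ts"},
                        "retention_days": 90},
    "product_analytics": {"fields": {"user_pseudonym", "page", "ts"},
                          "retention_days": 30},
}

# Privacy by default: processing that rests on consent is off until the
# user switches it on. fraud_detection is assumed here to rest on a legal
# basis other than consent, so it is not a user choice.
CONSENT_BASED = {"product_analytics"}
DEFAULT_CHOICES = {"product_analytics": False}

# Constructed clock so the example runs deterministically offline.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    A plain SHA-256 of an e-mail address can be reversed by hashing a list
    of candidate addresses; the keyed version cannot without the key.
    Pseudonymised data is still personal data under the GDPR, because
    whoever holds the key can re-identify it, so keep the key apart from
    the records.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Keep only the /24 prefix of an IPv4 address (assumes IPv4 input)."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError("expected a dotted IPv4 address")
    return ".".join(parts[:3]) + ".0"


def minimise(event: dict, purpose: str, key: bytes, now: datetime) -> dict:
    """Turn a raw event into the smallest record the named purpose needs.

    Fields the purpose may not use never reach storage, the direct
    identifier is replaced by a pseudonym at ingestion, and the record
    carries its own expiry so a later purge needs no extra lookup.
    """
    spec = PURPOSES[purpose]
    derived = {
        "user_pseudonym": pseudonymise(event["email"], key),
        "ip_prefix": truncate_ip(event["ip"]),
        "page": event.get("page"),
        "ts": event["ts"],
    }
    record = {k: v for k, v in derived.items() if k in spec["fields"]}
    record["purpose"] = purpose
    record["expires_at"] = (now + timedelta(days=spec["retention_days"])).isoformat()
    return record


def active_purposes(user_choices: dict) -> set:
    """Purposes that may run for a user, given the defaults and their own choices."""
    choices = {**DEFAULT_CHOICES, **user_choices}
    return {p for p in PURPOSES if p not in CONSENT_BASED or choices.get(p, False)}


def purge_expired(records: list, now: datetime) -> list:
    """Drop records whose retention period has run out (storage limitation)."""
    return [r for r in records if datetime.fromisoformat(r["expires_at"]) > now]


def demo() -> dict:
    """Run the pipeline on one constructed event and report what survives."""
    key = b"constructed-demo-key"  # assumption: in practice loaded from a secret store
    event = {"email": "alice@example.com", "ip": "203.0.113.77",
             "page": "/checkout", "ts": "2024-01-01T00:00:00+00:00"}
    records = [minimise(event, p, key, SAMPLE_NOW)
               for p in active_purposes({"product_analytics": True})]
    day45 = SAMPLE_NOW + timedelta(days=45)
    return {
        "stored_fields": {r["purpose"]: sorted(r) for r in records},
        "kept_after_45_days": [r["purpose"] for r in purge_expired(records, day45)],
    }


if __name__ == "__main__":
    print(demo())
```

The raw e-mail address and the full IP address are never written anywhere: the pseudonym and the /24 prefix are computed at the boundary and only the fields listed for the purpose are stored. Two caveats a practitioner should keep in mind: an unkeyed hash of an e-mail address is not anonymisation, since it can be matched against a list of known addresses, and even the keyed pseudonym counts as personal data under the GDPR (Article 4(5) defines pseudonymisation as processing that can be reversed with additional information kept separately), so the key and the records need to be protected accordingly.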