GENERAL DATA PROTECTION REGULATION (GDPR)

Applicability

The General Data Protection Regulation applies in European Union countries, including Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

Introduction:

  1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
  2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
  3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Principles relating to processing of personal data:

  1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Organizations must have a valid legal basis for processing personal data, and individuals must be informed about how their data will be used.
  2. Purpose limitation: Personal data should be collected for specified, explicit, and legitimate purposes. Organizations must clearly state the purposes for which data is collected and ensure that data is not processed in a manner incompatible with those purposes.
  3. Data minimization: Only the necessary personal data should be collected for the intended purpose. Organizations should minimize the amount of data collected and ensure that it is relevant and limited to what is needed.
  4. Accuracy: Personal data must be accurate and kept up to date. Organizations should take reasonable steps to ensure that inaccurate or incomplete data is rectified or erased.
  5. Storage limitation: Personal data should be kept in a form that allows identification of individuals for no longer than is necessary for the intended purpose. Organizations must establish appropriate retention periods and delete or anonymize data when it is no longer needed.
  6. Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, loss, or damage. Organizations must implement technical and organizational measures to safeguard personal data.
  7. Accountability: Organizations are responsible for complying with the General Data Protection Regulation and must be able to demonstrate their compliance. This includes implementing appropriate policies, procedures, and measures to protect personal data and ensuring that individuals’ rights are respected.

Rights of Users:

The General Data Protection Regulation gives users a number of rights, which are listed below:

  1. Right to be informed: Users have the right to be informed about the collection, use, and processing of their personal data. Organizations must provide clear and transparent information about how they handle personal data, including the purposes of processing, the legal basis for processing, and the retention periods.
  2. Right of access: Users have the right to obtain confirmation from organizations as to whether their personal data is being processed and to access that data. They can request a copy of their personal data and any additional information about its processing.
  3. Right to rectification: Users have the right to request the correction or rectification of inaccurate or incomplete personal data. If the data held by an organization is incorrect, it must make the necessary changes and notify any third parties with whom the data has been shared.
  4. Right to erasure (right to be forgotten): Users have the right to request the erasure of their personal data when certain conditions are met. This includes situations where the data is no longer necessary for the purpose it was collected, the individual withdraws consent, or the processing is unlawful.
  5. Right to restrict processing: Users have the right to request the restriction of processing of their personal data under specific circumstances. This means that the data can be stored but not further processed.
  6. Right to data portability: Users have the right to receive a copy of their personal data in a structured, commonly used, and machine-readable format. They can also request that the data be transmitted directly to another controller where technically feasible.
  7. Right to object: Users have the right to object to the processing of their personal data based on legitimate interests or for direct marketing purposes. The organization must stop processing the data unless there are compelling legitimate grounds that override the individual’s interests, rights, and freedoms.
  8. Right not to be subject to automated decision-making: Users have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal or similarly significant effects. Individuals have the right to obtain human intervention, express their views, and contest the decision.

It’s important to note that these rights are not absolute and may be subject to certain limitations and conditions depending on the specific circumstances and applicable national laws within the European Union.

Authorities you can approach, depending on the circumstances:

  1. Data Protection Authority (DPA): Each European Union (EU) member state has its own DPA, which is responsible for enforcing the GDPR within its jurisdiction. You can contact the DPA of the country where the data controller or data processor is located or where the alleged violation took place. The DPA’s role is to investigate complaints, mediate disputes, and enforce data protection laws.
  2. Lead Supervisory Authority: If the processing of your personal data involves multiple EU member states or if the data controller or processor operates in multiple member states, you can contact the lead supervisory authority. The lead supervisory authority is determined based on the location of the organization’s main establishment within the EU.
  3. Other Regulatory Authorities: In addition to DPAs, there may be other regulatory authorities that oversee specific sectors or industries. For example, in the financial sector, there may be financial regulators or authorities with jurisdiction over data protection in that specific domain. You can approach these authorities if the misuse or mishandling of your data is related to their regulatory area.
  4. Judicial Remedies: If you believe your rights under the General Data Protection Regulation have been violated, you may also have the right to seek a judicial remedy through the courts. This can involve filing a lawsuit or legal action against the organization that has misused your data.

Penalties & Fines:

The GDPR provides for two tiers of administrative fines based on the severity of the violation:

  1. Lower-level fines: Organizations can be fined up to €10 million or 2% of their global annual turnover of the preceding financial year, whichever is higher, for certain less severe infringements. These may include failing to maintain records, not notifying a personal data breach to the supervisory authority, or not conducting a Data Protection Impact Assessment (DPIA) when required.
  2. Higher-level fines: Organizations can be fined up to €20 million or 4% of their global annual turnover of the preceding financial year, whichever is higher, for more serious infringements. These include violations such as not obtaining proper consent for data processing, not respecting individuals’ rights, transferring personal data to third countries without adequate safeguards, or failing to implement appropriate security measures.

Conclusion:

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in and outside of the European Union (EU). Its aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information. The regulation applies regardless of where websites are based, which means it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.