What Is GDPR?
ON THIS PAGE
- What Does GDPR Stand For?
- What Is GDPR?
- When did the GDPR Go into effect?
- Who does the GDPR Apply to?
- The Eight User Rights Under the GDPR
- Key Definitions of the GDPR
- Data Protection Principles
- Data protection by design and by default
- User Consent
- Data Transfers to Non-EU Countries
- Enforcement of the GDPR
- Penalties and Fines for Non-Compliance with the GDPR
- How to Comply with the GDPR?
- Frequently Asked Questions
What does GDPR stand for? What is GDPR? Who does the GDPR apply to? Read this blog article to learn more about the GDPR.
What Does GDPR Stand For?
The GDPR stands for General Data Protection Regulation. It is a European Union (EU) data privacy law, enforced by national Data Protection Authorities.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals in the European Union.
The GDPR is the toughest privacy law in the world. It aims to give consumers control over their own personal data and sets responsibilities for companies for personal data collection and processing activities.
The GDPR provides one consistent data protection framework across all EU countries.
There are 99 articles in the GDPR, separated into 11 separate chapters. Read the full text of the regulation.
When did the GDPR Go into effect?
The GDPR went into effect on May 25, 2018.
The GDPR replaced outdated data protection regulation that was nearly 20 years old. The law gave organizations a two-year grace period before enforcement began.
Who does the GDPR Apply to?
The GDPR applies to:
- Any business or organization operating within the EU, that processes personal information as part of its activities, regardless of where the data is processed; or
- Any business or organization outside the EU, which is offering goods or services (paid or for free) or is monitoring the behavior of individuals in the EU.
If your company is a small or medium-sized enterprise that collects or processes personal data of European citizens, you have to comply with the GDPR.
The law applies independently of where businesses or websites are based. This means that if businesses provide goods or services to European consumers, even if they don't specifically market goods or services to EU residents, they must comply with the GDPR.
The Eight User Rights Under the GDPR
Under the GDPR, the users in the EU have the following rights:
- The right to be informed. Individuals have the right to know how you process their personal information. The easiest way to deal with this right is to post your privacy online, easily accessible by anyone.
- The right to access. Individuals have the right to be informed if their personal data is processed, what data, for what purposes, and receive access to it.
- The right to rectification. Individuals have the right to ask that their data be updated or corrected.
- The right to erasure. Individuals have the right to ask that their data be removed or deleted from your database.
- The right to restrict processing. Individuals have the right to block or suppress the processing of personal data. This means that you still have the right to store the data, but not the right to process it.
- The right to data portability. Individuals can reuse their personal data across different services. People are allowed to transfer or copy personal data from one service provider to another, so businesses need to provide their data copy.
- The right to object. Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, including profiling; object to direct marketing; and object to processing for purposes of scientific or historical research and statistics.
- The rights around automated decision-making and profiling. Individuals have the right to request information about automated decision-making and the likely outcomes of using it, including profiling. They can also refuse the use of automated decision-making technology with regards to personal data.
Note: GDPR uses an explicit consent model, also called opt-in consent model. This means that businesses must obtain user consent before any personal data is collected.
Key Definitions of the GDPR
Here is a list of the most important definitions of the GDPR.
Personal data. Personal data is any information that can directly or indirectly identify an individual. This includes the following information:
- full name, maiden name, or alias
- contact information, like home address, email address, or telephone number
- passport number
- driver’s license number
- Social Security Number
- online identifiers, like Internet Protocol (IP) addresses, cookie identifiers, or browser fingerprinting
- date and place of birth
- ethnicity, race, or religion
- photo of a face
- credit card number
- account username
- financial records
- medical or health records
- biometric data (e.g. fingerprints or DNA)
- online profiles and social media accounts
- employment information, employment applications, and background checks
- education information
- personally owned property, like vehicle registration number, house registration number, etc.
Read more about what data is protected under the GDPR.
Data controller. A data controller is the person who determines the purposes and means of processing personal data. A data controller can be a legal person, for example, a business, an organization, an SME, a public authority, an agency, or onother body.
Data subject. A data subject is the individual the personal data relates to. Most often data subjects are customers and subscribers of a business or website.
Data processor. The data processor is any third-party organization that processes personal data on behalf of a data controller. It could include analytics tools, marketing tools, and cloud suppliers.
Data processing. Data processing is any action performed on data, including manual and automatic methods. It includes the collection, processing, selling, sharing, profiling, and other actions performed on data.
Data Protection Impact Assessment (DPIA). A DPIA describes a process designed to identify risks arising out of the processing of personal data and minimization of these risks at early stages.
User consent. User consent is the permission granted by users to a website or organization to process their data.
Scan your website for free to see all your website cookies, local storage, and session storage in use.
Data Protection Principles
There are seven data protection and accountability principles outlined in Article 5.1-2 of the GDPR:
- Lawfulness, fairness, and transparency. Data processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation. Organizations can only process data for the legitimate purposes specified explicitly to the data subject when they get user consent.
- Data minimization. Organizations can only collect and process as much data as absolutely necessary for the purposes specified.
- Accuracy. Organizations must keep personal data accurate and up to date.
- Storage limitation. Organizations can only store personally identifiable data for as long as necessary for the specified purpose.
- Integrity and confidentiality. Organizations must ensure appropriate data security, integrity, and confidentiality. There are different ways to do it, for example using data encryption, anonymization, staff training, requiring employees to use two-factor authentication, using cloud providers that use end-to-end encryption, limiting access to personal data to only those employees in your organization who need it, updating data Privacy Policy regularly, etc.
- Accountability. The data controller is responsible for being able to demonstrate GDPR compliance with all these principles, including collected user consent.
Data protection by design and by default
One of the legal approaches to ensure data protection is called the Privacy by Design approach, mentioned in Article 25.
You must consider the data protection principles already in the design of any new product or activity. Privacy by Design means incorporating data protection practices into projects, products, and technologies at the outset of the processes, and implementing a proactive approach to privacy.
For example, if you’re launching a new app for your company that could possibly collect personal information from users, you should think about how to minimize the amount of data and how you will secure this data.
User Consent
User consent is the permission granted by users to a website or organization to process their data.
User consent must be freely given, specific, informed, and unambiguous.
The GDPR requires to get explicit, or opt-in user consent.
Continuing to scroll the website, ignoring a Cookie Banner, and other indirect forms of using a website or app do not give valid user consent. Websites are not allowed to use cookie walls or dark patterns to get user consent.
In the case of known children under 13 years of age, you are not allowed to ask for user consent. You must ask for user consent their parents or legal guardians. Children age 16 and up may give consent for themselves.
One of the most common ways to obtain user consent is via a cookie consent banner. The purpose of the Cookie Banner is to inform website users of the use of cookies on the website and collect their consent for the usage of cookies, local storage, session storage, or other website trackers.
The Legal Basis for the Processing of Personal Data
There are several scenarios for the legal collection and processing or personal data, defined in Article 6:
- Explicit cookie consent. You can collect and process personal data if the data subject gave you specific, unambiguous user consent to process the data.
- Legitimate interest. You can collect and process personal data if you have a legitimate interest to process personal data. Legitimate interests can include things like protecting the security of a service or your network, improving the performance of a service, fraud detection, or enabling a company to meet its legal obligations.
- Public interest. You can collect and process personal data if it is necessary to perform a task in the public interest or to carry out some governmental or municipal function. For example, municipal heat suppliers could collect information heat necessities for individual households.
- Data processing is necessary to enter into a contract to which the data subject is a party.
- Compliance with a legal obligation. You can collect and process personal data in the case when you need to comply with a legal obligation of yours. For example, if you receive an order from a court in your jurisdiction, you need to provide the data.
- Saving life. You can collect and process personal data if it help to save somebody’s life.
Data Transfers to Non-EU Countries
The GDPR also covers the transfer of personal data to non-EU countries and international organizations.
The EU – US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data. However, it was invalidated by the Schrems II judgment of 2020, which led to a three-year period of uncertainty for the data transfer between the EU and the US.
On 10 July 2023, the European Commission adopted its decision on the revised EU – US Data Privacy Framework, which entered into force immediately.
The European Commission is responsible for assessing the level of protection given by a territory or processing sector in a non-EU country.
Even if there were no clear rules about data transfer to the US for three years, businesses were still fined for non-compliance. Recently, Uber was fined 290 million euros for personal data transfer to the US.
Enforcement of the GDPR
The GDPR sets out the obligation for member states of the European Union to set up a supervisory authorities, which are called Data Protection Authorities (DPAs).
National data protection authorities from the 27 EU member states enforce the GDPR. DPAs are independent of the government public authorities that supervise the application of the data protection law through investigative and corrective powers.
The task of these national authorities is to investigate complaints, provide advice on data protection issues, issue warnings and determine when the GDPR has been breached. DPAs can also perform audits, order data erasure, or block the transfer of data. All of this has a direct impact on the subject companies’ data controllers and processors.
The GDPR establishes the European Data Protection Board (EDPB). The European Data Protection Supervisor leads the board. All DPAs work together as a group. The EDPB aims to harmonize GDPR enforcement across the EU. The board guides member states on complicated topics or the application of the law.
National supervisory authorities cooperate to reach a single decision in cross-border cases where several national DPAs are involved. This principle is known as the “one-stop-shop” principle. If a company has subsidiaries in several member states, it will only deal with the data protection authority in the member state of its main establishment.
Penalties and Fines for Non-Compliance with the GDPR
The fines for non-compliance with the GDPR must be effective, proportionate, and dissuasive for each individual case. Intentional infringement, a failure to take measures to mitigate the damage that occurred, or a lack of collaboration with authorities can increase the penalties.
Art. 83(4) of the GDPR sets two levels of administrative fines for non-compliance:
- Up to €10 million, or 2% annual global turnover of the preceding fiscal year, whichever is higher.
- Up to €20 million, or 4% annual global turnover of the preceding fiscal year, whichever is higher.
The latter is applied for especially severe violations. However, even less severe violations could lead to fines. Read more about the biggest GDPR fines so far.
How to Comply with the GDPR?
The best way to comply with the GDPR and other privacy laws is to use Consent Management platforms (CMP).
CookieScript CMP is one of the best CMPs. Recently, it was nominated as the best CMP on G2, a peer-review website. CookieScript CMP is also a Google-certified CMP, recommended by Google for the implementation of Google Consent Mode v2 and IAB TCF v2.2.
CookieScript CMP offers the following functionalities:
- Full compliance solution. CookieScript CMP comes with the Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager. It blocks cookies, Third-Party Cookies, Local Storage and Session Storage, so you can be sure your website is compliant with the GDPR and other privacy regulations 100%!
- Google-certified CMP. CookieScript is a Google-certified CMP partner, included in the list of Google-certified CMPs, and comes with a full IAB TCF v2.2 integration.
- Supports Google Consent Mode v2. If you want to use Google services (GA4, Google Ads, gtag, and Google Tag Manager) in the EU or EEA, you need to use a Google-certified CMP.
- Fully customizable Cookie Banner. CookieScript CMP allows Cookie Banner behavior adjustments, design customization, and has a self-hosted code option. You can change the color of the Accept/ Decline buttons, the accent color and more.
- Free staging banner. CookieScript CMP allows you to perform an A/B testing of your Cookie Banner design and behavior and see what works best for you.
- Geo-targeting. The CookieScript plugin allows you to create multiple cookie banners and deliver them based on user location.
- Privacy laws’ compliance hints. Not sure if your banner is compliant with privacy laws after you have customized it? No problem, our privacy laws’ compliance hints will show you if your banner is compliant if you change some feature of your Cookie Banner.
- Multiple integrations. CookieScript CMP could be easily integrated with Google advertisement services and Google Analytics 4, with other platforms, and with content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc.
- Easy to set up. CookieScript CMP could be easily implemented even by non-professionals.
Read more about:
- The GDPR compliance checklist.
- How to choose a Google-certified CMP partner for ad compliance?
- Google Consent Mode v2.
- IAB TCF V2.2
Frequently Asked Questions
What does GDPR Stand For?
The GDPR stands for General Data Protection Regulation. It is a European Union (EU) data privacy law, which aims to give consumers control over their own personal data and sets responsibilities for companies for personal data collection and processing activities. The GDPR went into effect on May 25, 2018. Use CookieScript CMP to comply with the GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals in the European Union, that went into effect on May 25, 2018. It is the toughest privacy law in the world. Use CookieScript CMP to comply with the GDPR and avoid penalties.
Who does the GDPR Apply to?
The GDPR applies to any business or organization operating within the EU, that processes personal information as part of its activities, regardless of where the data is processed, or any business or organization outside the EU, that is offering goods or services (paid or for free) or is monitoring the behavior of individuals in the EU. Use CookieScript CMP to comply with the GDPR and avoid penalties.
Where can I find the full GDPR text?
You can find the full text on the website here.
What does data minimization in the GDPR mean?
Article 5(1)(c) of the GDPR defines data minimization by saying that the processing of personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” It means that businesses should only collect essential information they need and keep it as long as it’s actually needed. Read the GDPR compliance checklist to learn more about how to comply with the law.
What is the Data Protection Impact Assessment under the GDPR?
The Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and minimization of these risks at early stages. Read the GDPR compliance checklist to learn more about how to comply with the GDPR.
What are the privacy rights for data subjects under the GDPR?
Under the GDPR, data subjects (customers) have the following privacy rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights around automated decision-making and profiling. Use CookieScript CMP to get a Cookie Banner to execute the privacy rights or your customers.