European General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force on May 25, 2016 and became mandatory in all member states of the European Union as well as in the additional countries of the European Economic Area (Iceland, Liechtenstein and Norway) on May 25, 2018. The aim of this regulation is to standardize the protection of personal data in Europe and to give data subjects more control over their data. Companies and authorities must comply with the provisions of the GDPR in order to avoid high fines.

Standardization of data protection in Europe

The GDPR, also known as “Regulation (EU) 2016/679”, was introduced to harmonize the different data protection practices in Europe. Before the GDPR, Directive 95/46/EC led to inconsistent data protection standards in the Member States, which not only impaired the protection of natural persons, but also made the free exchange of goods and services more difficult. The GDPR now creates a uniform legal framework that contains over 60 opening clauses that allow for country-specific adaptations.

What does the GDPR protect and when does it apply?

The GDPR protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. Its scope of application is limited both in terms of subject matter and territory:

  • Material scope of application: The GDPR applies to the fully or partially automated processing of personal data and to the non-automated processing of personal data that is stored, or is to be stored, in a filing system. Excluded are unstructured analog data collections, data processing by private individuals for purely personal purposes, and data processing for the prevention and prosecution of criminal offenses and for law enforcement.
  • Territorial scope: The GDPR applies to all companies and organizations based in the EU or processing data of EU citizens, regardless of whether the processing takes place inside or outside the EU. Companies outside the EU that offer goods or services to EU citizens or monitor their behavior must also comply with the GDPR.

Data protection principles of the GDPR

The GDPR is based on several fundamental principles that apply to the processing of personal data:

  1. Lawfulness, fairness and transparency: Processing must be lawful and transparent and data subjects must be informed about the way in which it is carried out.
  2. Purpose limitation: Data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
  3. Data minimization: Only data that is necessary for the purposes of processing may be collected.
  4. Accuracy: Data must be factually correct and up to date.
  5. Storage limitation: Data may only be stored for as long as is necessary for the purposes of processing.
  6. Integrity and confidentiality: Data must be protected by appropriate security measures against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  7. Accountability: Data controllers must be able to demonstrate compliance with data protection principles.

Obligations for companies

Companies must fulfill numerous obligations in order to meet the requirements of the GDPR:

  1. Duty to provide information: Data subjects must be comprehensively informed about data processing.
  2. Rights of data subjects: Requests from data subjects, such as the right of access, rectification, erasure and objection, must be answered within one month.
  3. Reporting and notification obligations: Data breaches must be reported to the supervisory authority within 72 hours.
  4. Contracts with processors: Data processing agreements must be concluded with processors to ensure that they also comply with the GDPR.
  5. Data protection impact assessment: A data protection impact assessment must be carried out for high-risk data processing.
  6. Processing records: Companies must keep records of all processing activities.
  7. Data security: Companies must implement suitable technical and organizational measures for data security.

Rights of the data subjects

The GDPR significantly strengthens the rights of data subjects. The most important rights include:

  • Right to information: Data subjects have the right to know whether and which personal data is being processed.
  • Right to rectification: Data subjects may request the rectification of inaccurate data.
  • Right to erasure: Data subjects can request the erasure of their data under certain conditions (right to be forgotten).
  • Right to restriction of processing: In certain circumstances, data subjects may request that the processing of their data be restricted.
  • Right to data portability: Data subjects have the right to receive their data in a structured, commonly used and machine-readable format.
  • Right to object: Data subjects may object to the processing of their data on grounds relating to their particular situation.

Sanctions and fines

Violations of the GDPR can have considerable financial consequences. The regulation provides for two tiers of fines:

  1. Higher tier: Violations of key provisions, such as the principles of data processing, can be penalized with fines of up to 20 million euros or 4% of the global annual turnover of the previous financial year.
  2. Lower tier: Violations of documentation and verification obligations can be penalized with fines of up to 10 million euros or 2% of the global annual turnover of the previous financial year.


The GDPR places high demands on companies and organizations, but also provides a clear legal framework for data protection in Europe. By complying with the GDPR, companies can strengthen the trust of their customers and minimize legal risks. It is therefore crucial that all employees of a company understand the data protection principles and that the necessary measures are taken to implement the GDPR. Effective data protection management is essential in order to meet the extensive requirements of the GDPR and protect the privacy of data subjects.