GDPR Overview

General Data Protection Regulation

What is GDPR?

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's comprehensive data protection law. It became applicable on 25 May 2018, replacing the 1995 Data Protection Directive, and applies throughout the EU and the wider European Economic Area. It strengthens and harmonizes the protection of individuals' personal data and restricts the transfer of personal data to countries outside the EU/EEA.

GDPR applies to any organization that processes personal data of individuals in the EU, regardless of where the organization itself is located. It gives individuals (data subjects) control over their personal data and imposes binding obligations both on the organizations that decide why and how data is processed (controllers) and on those that process it on their behalf (processors).

GDPR Scope and Applicability

Territorial Scope

  • Controllers and processors established in the EU, whether or not the processing itself takes place in the EU (Article 3(1))
  • Organizations outside the EU that offer goods or services to individuals in the EU, whether or not payment is required (Article 3(2)(a))
  • Organizations outside the EU that monitor the behaviour of individuals in the EU, for example through tracking or profiling (Article 3(2)(b))

Material Scope

  • Processing of personal data, meaning any information relating to an identified or identifiable natural person (Article 4(1))
  • Processing carried out wholly or partly by automated means
  • Manual processing of data that forms part of, or is intended to form part of, a filing system

GDPR Key Principles

1. Lawfulness, Fairness, and Transparency

Processing must be lawful, fair, and transparent to the data subject.

2. Purpose Limitation

Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

3. Data Minimization

Data must be adequate, relevant, and limited to what is necessary.

4. Accuracy

Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.

5. Storage Limitation

Data must be kept in a form that permits identification for no longer than necessary.

6. Integrity and Confidentiality

Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.

7. Accountability (Article 5(2))

The controller is responsible for compliance with the principles above and must be able to demonstrate that compliance, for example through records, policies, and assessments.

Data Subject Rights

Right of Access (Article 15)

Data subjects have the right to obtain confirmation of whether their personal data is being processed, access to that data, and supplementary information such as the purposes of processing, the recipients, and the retention period.

Right to Rectification (Article 16)

Data subjects have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17)

"Right to be forgotten": data subjects can request deletion of their personal data under certain circumstances, for example when the data is no longer necessary for its original purpose or consent has been withdrawn. Exceptions apply, such as where processing is required by a legal obligation.

Right to Restrict Processing (Article 18)

Data subjects can request restriction of processing under certain conditions.

Right to Data Portability (Article 20)

Where processing is based on consent or a contract and is carried out by automated means, data subjects can receive their personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller.

Right to Object (Article 21)

Data subjects can object to processing based on the public-task or legitimate-interests bases (Article 6(1)(e) or (f)), including profiling; the controller must then stop unless it demonstrates compelling legitimate grounds that override the data subject's interests. Objection to direct marketing is unconditional and must always be honoured.

Rights Related to Automated Decision-Making (Article 22)

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, subject to exceptions (contractual necessity, legal authorization, or explicit consent) that require safeguards such as human intervention.

Right to Withdraw Consent (Article 7(3))

Data subjects can withdraw consent at any time, and it must be as easy to withdraw as to give consent.

Legal Basis for Processing

1. Consent (Article 6(1)(a))

The data subject has given freely given, specific, informed, and unambiguous consent to the processing, by a statement or a clear affirmative action (Article 4(11)).

2. Contract (Article 6(1)(b))

Processing is necessary for the performance of a contract with the data subject.

3. Legal Obligation (Article 6(1)(c))

Processing is necessary for compliance with a legal obligation.

4. Vital Interests (Article 6(1)(d))

Processing is necessary to protect the vital interests of the data subject or another person.

5. Public Task (Article 6(1)(e))

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Legitimate Interests (Article 6(1)(f))

Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. This basis is not available to public authorities acting in the performance of their tasks.

Key GDPR Requirements

Organizational Requirements

  • Data Protection Officer (DPO) appointment where required (Article 37): public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories of data
  • Data protection by design and by default (Article 25)
  • Data Protection Impact Assessments (DPIA) for processing likely to result in a high risk to individuals (Article 35)
  • Records of processing activities (Article 30)
  • Breach notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); affected individuals must also be informed without undue delay when the breach is likely to result in a high risk (Article 34)

Technical and Organizational Measures

  • Pseudonymization and encryption of personal data (Article 32(1)(a))
  • Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems, and the ability to restore availability after an incident
  • Regular testing and evaluation of the effectiveness of security measures
  • Staff training and awareness
  • Access controls and authentication
  • Data minimization and retention policies
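Pseudonymization is the one measure in the list above that is also a named concept in the regulation (Article 4(5)): identifiers are replaced so that a record can no longer be attributed to a person without "additional information" that is kept separately under technical and organizational controls. Pseudonymized data is still personal data (Recital 26); it only lowers the risk. The example below is added here and is not code from the original page: it implements keyed pseudonymization with HMAC-SHA256, where the key is the separately held additional information, and drops a field that the stated purpose does not need. Field names, the key-handling story, and the sample records are illustrative assumptions.

```python
"""
Keyed pseudonymization of direct identifiers (added example, not from the
original page). A plain SHA-256 of an e-mail address is NOT adequate
pseudonymization: the input space is small enough to enumerate, so anyone
holding the hashed dump can reverse it by brute force. Keying the hash with
a secret that the data consumers cannot read is what makes the "additional
information" separable from the data set.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Assumed field layout (illustrative): which fields directly identify a person,
# and which are not needed for the analytics purpose at all.
DIRECT_IDENTIFIERS = ("email", "name", "phone")
DROP_FIELDS = ("ip",)  # data minimization: not required, so not retained


class Pseudonymizer:
    """Deterministic, keyed pseudonymization using HMAC-SHA256."""

    def __init__(self, key: bytes, context: str = "customer-v1") -> None:
        if len(key) < 32:
            raise ValueError("pseudonymization key must be at least 256 bits")
        self._key = key
        # Domain separation: the same identifier in a different processing
        # context (or after key rotation) yields an unlinkable pseudonym.
        self._context = context.encode()

    def pseudonym(self, value: str) -> str:
        # Normalise so "Alice@Example.COM" and " alice@example.com " link.
        canonical = value.strip().lower().encode("utf-8")
        mac = hmac.new(self._key, self._context + b"\x00" + canonical, hashlib.sha256)
        return "pid_" + mac.hexdigest()[:32]

    def pseudonymize_record(self, record: Dict[str, str]) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for field, value in record.items():
            if field in DROP_FIELDS:
                continue  # not needed for the purpose, so it is not kept
            if field in DIRECT_IDENTIFIERS:
                out[field + "_pid"] = self.pseudonym(value)
            else:
                out[field] = value
        return out

    def pseudonymize(self, records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
        return [self.pseudonymize_record(r) for r in records]


def contains_direct_identifiers(records: Iterable[Dict[str, str]]) -> bool:
    """Release check: True if any original identifier or dropped field survived."""
    return any(f in r for r in records for f in DIRECT_IDENTIFIERS + DROP_FIELDS)


# Constructed sample data; these are not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Example", "ip": "203.0.113.7",
     "plan": "pro", "signup_month": "2024-03"},
    {"email": "alice@example.com", "name": "Alice Example", "ip": "203.0.113.8",
     "plan": "pro", "signup_month": "2024-03"},
    {"email": "bob@example.org", "name": "Bob Example", "ip": "198.51.100.2",
     "plan": "free", "signup_month": "2024-04"},
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: fetched from a KMS/HSM, never stored beside the data
    p = Pseudonymizer(key)
    released = p.pseudonymize(SAMPLE_RECORDS)
    assert not contains_direct_identifiers(released)
    for row in released:
        print(row)
```

Two design choices carry the GDPR point. The same key always produces the same pseudonym, so the analytics team can still count distinct customers or join tables, yet without the key the `email_pid` value cannot be reversed to an address. The `context` string lets you issue unlinkable pseudonyms to different recipients or purposes, which limits how much a leak from one data set reveals about another.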

GDPR Penalties

Tier 1 (Article 83(4)): Up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher
  • Failure to maintain records of processing
  • Failure to notify the supervisory authority or data subjects of a breach
  • Failure to conduct a DPIA when required
  • Failure to appoint a DPO when required
  • Failure to implement appropriate security measures (Article 32)
Tier 2 (Article 83(5)): Up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
  • Violation of data subject rights
  • Unlawful processing, including breach of the basic principles and the conditions for valid consent
  • Unlawful transfers of personal data to third countries (Articles 44 to 49)
  • Non-compliance with an order of a supervisory authority
