Data Protection Compliance – GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) is the EU’s comprehensive data privacy law that came into effect on 25 May 2018. It governs how personal data of EU citizens is collected, stored, processed, and transferred. GDPR applies to organizations inside and outside the EU if they process EU citizens’ data.
1. Objectives of GDPR
Protect Personal Data: Ensure individuals’ data is collected and used responsibly.
Increase Transparency: Organizations must explain how they use data.
Enhance Individual Rights: People have rights like access, correction, deletion, and portability.
Ensure Accountability: Organizations must demonstrate compliance with GDPR principles.
Control Cross-Border Data Transfer: Safeguard data leaving the EU.
2. Key Principles of GDPR (Article 5)
| Principle | Explanation |
|---|---|
| Lawfulness, Fairness, Transparency | Data must be processed lawfully, fairly, and transparently. |
| Purpose Limitation | Data collected for specified, legitimate purposes only. |
| Data Minimization | Only collect data that is necessary. |
| Accuracy | Keep data accurate and up-to-date. |
| Storage Limitation | Retain data only as long as necessary. |
| Integrity and Confidentiality | Secure data against unauthorized access or breaches. |
| Accountability | Organizations must show compliance with GDPR. |
3. Individual Rights under GDPR (Articles 12–23)
Right to Access – Individuals can request their data.
Right to Rectification – Correct inaccurate or incomplete data.
Right to Erasure (‘Right to be Forgotten’) – Delete data under certain conditions.
Right to Restrict Processing – Limit how data is processed.
Right to Data Portability – Transfer data to another provider.
Right to Object – Object to processing for marketing or profiling.
Rights related to Automated Decision-Making – Consent required for profiling decisions.
4. GDPR Compliance Requirements for Organizations
Data Protection Officer (DPO): Appoint a DPO if processing large-scale sensitive data.
Data Protection Impact Assessment (DPIA): Required for high-risk data processing.
Breach Notification: Notify authorities within 72 hours of a data breach.
Consent Management: Obtain clear, explicit consent for processing personal data.
International Transfers: Use standard contractual clauses or adequacy decisions for data leaving the EU.
5. Important GDPR Case Laws
Case 1: Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014)
Court: Court of Justice of the EU (CJEU)
Issue: Right to be forgotten – removal of outdated personal data from search results.
Ruling: Individuals can request search engines to remove personal data under certain conditions.
Impact: Strengthened right to erasure and GDPR compliance.
Case 2: Schrems I (Max Schrems v. Facebook Ireland, 2015)
Court: CJEU
Issue: Transfer of EU personal data to the US under the Safe Harbor agreement.
Ruling: Safe Harbor invalidated; inadequate protection for EU citizens’ data in the US.
Impact: Led to the replacement Privacy Shield framework and, later, to reliance on standard contractual clauses for EU–US transfers.
Case 3: Schrems II (Max Schrems v. Facebook Ireland, 2020)
Court: CJEU
Issue: Data transfer to the US under Privacy Shield.
Ruling: Privacy Shield invalidated; US surveillance laws inadequate under GDPR.
Impact: Reinforced strict rules on international data transfers.
Case 4: British Airways GDPR Fine (ICO, 2019)
Issue: Data breach affecting 500,000+ customers.
Ruling: ICO fined British Airways £20 million (initially £183 million proposed) for failing to secure customer data.
Impact: Showed financial consequences of GDPR non-compliance.
Case 5: Marriott International GDPR Fine (ICO, 2020)
Issue: Breach exposing 339 million guest records.
Ruling: Marriott fined £18.4 million for failure to protect personal data.
Impact: Emphasized responsibility for third-party data breaches.
Case 6: H&M Germany Employee Monitoring Case (2020)
Court/Authority: Hamburg Data Protection Authority
Issue: Excessive monitoring and storage of employee personal data.
Ruling: GDPR violation for creating detailed employee profiles without consent.
Impact: Highlighted GDPR rules in workplace data processing.
6. Key Takeaways
GDPR is strict and extraterritorial; non-compliance can result in fines up to €20 million or 4% of annual global turnover.
Individual rights are at the core; organizations must respect them.
Data breach notification is mandatory within 72 hours.
International transfers are strictly regulated.
Case law shows courts and regulators actively enforce GDPR globally.