Skip to content

The expert's guide to GDPR

This GDPR Guide provides a comprehensive overview of the European Union's General Data Protection Regulation (GDPR). It covers the full scope of the GDPR, including its purpose, scope, definitions, principles, rights, obligations, enforcement, and more. It also provides practical advice on how to comply with the GDPR, including best practices for data protection, data security, and data management. This guide is an essential resource for any organization that collects, stores, or processes personal data.

Group 193 (1)-1

The expert's guide to GDPR

Group 193 (1)-1

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a comprehensive set of data protection laws that was adopted by the Council of the European Union and the European Parliament in April 2016. It was designed to protect the rights and freedoms of individuals with respect to the processing of personal data and to promote the free movement of personal data within the European Union.

The GDPR applies to any organization that processes personal data, regardless of where they are based. This includes organizations based in the EU, as well as those outside of the EU that process the personal data of EU citizens. The GDPR applies to both controllers and processors of personal data, and sets out a number of obligations for both.

The GDPR consists of 11 chapters and 99 articles. It outlines a set of aims, key definitions, fundamental principles, data subject rights, controller and processor obligations, and penalties, among other things.

The GDPR aims to protect the fundamental rights and freedoms of individuals with respect to the processing of personal data. It does this by establishing rules for organizations to adhere to when processing personal data. The GDPR also promotes the free movement of personal data within the EU.

The GDPR sets out a number of key definitions, including personal data, controller, processor, and data subject. Personal data is defined as any information relating to an identified or identifiable natural person. A controller is the natural or legal person who determines the purposes and means of the processing of personal data. A processor is a natural or legal person who processes personal data on behalf of the controller. The data subject is the natural person to whom the personal data relates.

The GDPR also outlines a number of fundamental principles, including transparency, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. These principles must be taken into account when processing personal data.

The GDPR also sets out a number of data subject rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making.

The GDPR also sets out a number of obligations for controllers and processors of personal data. Controllers must ensure that personal data is processed lawfully, fairly, and in a transparent manner. They must also ensure that personal data is accurate and up-to-date, and that it is kept secure. Processors must also take appropriate measures to ensure the security of personal data.

Finally, the GDPR sets out a number of penalties for non-compliance. These can include fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater.

In conclusion, the General Data Protection Regulation (GDPR) is a comprehensive set of data protection laws that was adopted by the Council of the European Union and the European Parliament in April 2016. It was designed to protect the rights and freedoms of individuals with respect to the processing of personal data and to promote the free movement of personal data within the European Union. The GDPR applies to any organization that processes personal data, regardless of where they are based. It outlines a set of aims, key definitions, fundamental principles, data subject rights, controller and processor obligations, and penalties, among other things.


Who does the GDPR apply to?

The General Data Protection Regulation (GDPR) is a comprehensive set of regulations that have been put in place to protect the personal data of individuals. This regulation applies to any company or organization that processes the personal data of individuals within the European Union (EU).

This includes companies that collect, store, use, or delete personal information of EU citizens. The GDPR applies to both data controllers and data processors.

Data controllers are organizations that determine the purpose and means of processing personal data. This includes companies that collect personal data from customers, such as names, addresses, and birthdates.

Data processors are organizations that process the personal data on behalf of the data controllers. This includes companies that store, analyze, and use the personal data for marketing or other purposes.

The GDPR applies to all companies and organizations that process the personal data of EU citizens, regardless of their location. This means that even if a company is located outside of the EU, it is still required to comply with the GDPR if it processes the personal data of EU citizens.

For example, if a company based in the United States collects and stores the personal data of EU citizens, it must comply with the GDPR.

The GDPR also applies to any company or organization that processes the personal data of individuals who are in the EU, regardless of their citizenship. This means that even if a company is based outside of the EU, it is still required to comply with the GDPR if it processes the personal data of individuals who are located in the EU.

For example, if a company based in the United States collects and stores the personal data of individuals who are in the EU, it must comply with the GDPR.

The GDPR applies to any company or organization that processes the personal data of EU citizens, regardless of their age. This means that the GDPR applies to companies that process the personal data of children, as well as adults.

For example, if a company based in the United States collects and stores the personal data of children who are located in the EU, it must comply with the GDPR.

The GDPR applies to any company or organization that processes the personal data of EU citizens, regardless of their nationality. This means that even if a company is based outside of the EU, it is still required to comply with the GDPR if it processes the personal data of EU citizens.

For example, if a company based in the United States collects and stores the personal data of EU citizens, it must comply with the GDPR.

In summary, the GDPR applies to any company or organization that processes the personal data of EU citizens, regardless of their location, age, or nationality. Companies that collect, store, use, or delete the personal data of EU citizens must comply with the GDPR in order to protect the privacy and security of the individuals whose data is being processed.


What are the 7 principles of the GDPR?

The General Data Protection Regulation (GDPR) is a set of rules and regulations that have been put in place to protect the personal data of individuals. The GDPR sets out seven fundamental principles that data controllers must adhere to when processing personal data. These seven principles are:

  1. Lawfulness, fairness, and transparency: Data controllers must collect and process personal data in a lawful, fair, and transparent manner. They must also ensure that the processing of personal data is done for a specific and legitimate purpose, and that the data collected is adequate, relevant, and limited to what is necessary for the purpose of the processing.

  2. Purpose limitation: Data controllers must ensure that personal data is processed only for the purposes for which it was collected.

  3. Data minimization: Data controllers must ensure that they collect only the minimum amount of personal data necessary for the processing.

  4. Accuracy: The accuracy principle requires data controllers to take reasonable steps to ensure that the personal data they store is accurate and kept up to date. Inaccurate data must be rectified or destroyed without undue delay.

  5. Storage limitation: Data controllers must store personal data for no longer than is necessary for the initial purpose for which it was collected.

  6. Integrity and confidentiality: The integrity and confidentiality principle requires data controllers to use appropriate technical and organizational measures to ensure adequate security is given to personal data in the course of processing. This includes protecting personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage.

  7. Accountability: The accountability principle holds the data controller responsible for being able to demonstrate compliance with the above principles. Data controllers must be able to provide evidence that they have taken appropriate measures to ensure that their processing activities are compliant with the GDPR.

Overall, the seven principles of the GDPR are essential for ensuring the protection of personal data. Data controllers must adhere to these principles in order to ensure that they are compliant with the GDPR and that they are providing adequate protection to the personal data of individuals. Failure to comply with the GDPR can result in serious penalties, so it is important that data controllers take these principles seriously and ensure that they are compliant.


The General Data Protection Regulation (GDPR) is a set of laws that provide individuals with greater control over their personal data. It also sets out the conditions under which personal data can be legally processed.

Article 6 of the GDPR outlines the six legal bases for processing personal data:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

Consent is one of the most common legal bases for processing personal data under the GDPR. For consent to be valid, it must be freely given, specific, informed, and unambiguous. The individual must also be able to withdraw their consent at any time.

Processing is necessary for the performance of a contract when it is necessary for the performance of a contract between the data controller and the data subject. This legal basis is often used when processing personal data to fulfill contractual obligations.

Compliance with a legal obligation is another legal basis for processing personal data under the GDPR. This basis applies when the data controller is legally required to process the personal data in order to comply with a specific law or regulation.

Processing is necessary to protect the vital interests of the data subject when it is necessary to protect the life or health of the data subject. This legal basis is often used in medical contexts.

Processing is necessary for the performance of a task carried out in the public interest when it is necessary for the data controller to process the personal data in order to fulfill their public task. This legal basis is often used by public authorities.

The last legal basis for processing personal data is legitimate interests. This basis applies when the data controller has a legitimate interest in processing the personal data and the processing is necessary for the purposes of that legitimate interest. However, public authorities are not able to rely on legitimate interests as a legal basis for processing personal information.

The GDPR also requires data controllers to ensure that the data they process is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Data controllers must also ensure that the data they process is accurate and kept up to date.

In conclusion, the GDPR provides six legal bases for processing personal data. Public authorities are not able to rely on legitimate interests as a legal basis for processing personal information. Data controllers must also ensure that the data they process is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.


Consent under the GDPR is an individual’s freely given, specific, informed, and unambiguous indication of their wishes for their personal data to be processed. Consent must be obtained prior to any processing of personal data and must be given by a statement or clear affirmative action.

The GDPR outlines specific conditions that must be met in order for consent to be valid. These conditions are as follows:

  1. Freely given: Consent must be voluntary and not given under duress or as a result of any form of coercion.
  2. Specific: Data subjects must be able to provide consent for each specific purpose of data processing.
  3. Informed: Data controllers must provide data subjects with all relevant information related to the data processing, including the controller’s identity, the purpose of the processing, and the type of data being processed. This information must be provided in a concise and easily understandable way.
  4. Unambiguous: The data subject must have a clear understanding of what they are consenting to. Data controllers must ensure that their consent forms are clear and easy to understand, and that any questions posed to the data subject are unambiguous.

The fourth and final condition is that consent must be revocable. This means that data subjects must have the right to withdraw their consent at any time, as easily as it is given. Data controllers must provide data subjects with clear instructions on how to withdraw consent and must not make it difficult to do so.

In summary, consent under the GDPR is an individual’s freely given, specific, informed, and unambiguous indication of their wishes for their personal data to be processed. The GDPR outlines specific conditions that must be met in order for consent to be valid, including that it must be freely given, informed, unambiguous, and revocable. Data controllers must ensure that they meet these conditions to ensure that their data processing activities are compliant with the GDPR.


What are GDPR data subject rights?

The General Data Protection Regulation (GDPR) is an EU law that was enacted in 2018 to protect the privacy of individuals and their personal data. It grants individuals certain rights in relation to their personal data, which are known as data subject rights. These rights are designed to give individuals more control over how their data is collected, used, and shared.

The GDPR grants data subjects the following rights:

  1. The right to access their personal data
  2. The right to rectification of inaccurate or incomplete personal data
  3. The right to erasure of their personal data
  4. The right to restrict or object to the processing of their personal data
  5. The right to data portability

The right to access personal data allows individuals to request and receive a copy of the personal data that a data controller holds about them. Data controllers must provide this information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The right to rectification allows individuals to request that any inaccurate or incomplete personal data held by a data controller be corrected. The right to erasure, also known as the right to be forgotten, allows individuals to request that their personal data be erased from the data controller’s systems. The right to restrict or object to the processing of personal data allows individuals to request that a data controller stop processing their personal data. The right to data portability allows individuals to request that their personal data be transferred from one data controller to another in a structured, commonly used, and machine-readable format.

Data subjects also have the right to be informed about the collection and use of their personal data. Data controllers must provide individuals with clear and easily understandable information about how their personal data is being used and why. Finally, data subjects have the right to lodge a complaint with a supervisory authority if they feel that their rights have been violated.

In order to ensure that data subjects are aware of their rights, data controllers must provide clear and transparent information about these rights. They must also provide clear and simple methods for submitting requests related to these rights. Data controllers must respond to data subject rights requests without undue delay and within one month from receipt of the request. Responses to data subject rights requests must be provided free of charge, except where the request is found to be unfounded, excessive, or repetitive in nature.

In summary, the GDPR grants data subjects several rights in relation to their personal data. These rights are designed to give individuals more control over how their data is collected, used, and shared. Data controllers must provide clear and transparent information about these rights and must respond to data subject rights requests without undue delay and within one month from receipt of the request.


What are the GDPR requirements for international data transfers?

The General Data Protection Regulation (GDPR) is a comprehensive set of rules governing the transfer of personal data outside of the European Union (EU).

The GDPR outlines the conditions for transferring personal data outside of the EU in Chapter 5. Article 44 of the GDPR outlines the general principles for the international transfer of personal data, which states that such data transfers can only take place if the conditions of Chapter 5 are met. The GDPR requirements for international data transfers are designed to protect the personal data of EU citizens and ensure that it is treated with the same level of protection as it would be within the EU.

The GDPR requires that all data controllers and data processors must ensure that the transfer of personal data outside of the EU is done in a secure manner. The GDPR requires that the transfer of personal data outside of the EU can only take place if the conditions of Chapter 5 are met. These conditions include:

  1. The transfer is made on the basis of a European Commission adequacy decision. The European Commission can make an adequacy decision if a third country or international organisation offers an adequate level of data protection.

  2. The transfer is subject to appropriate safeguards under Article 46, including Standard Contractual Clauses (SCCs), Codes of Conduct and Approved Certification Mechanisms. SCCs are contractual clauses that must be included in any agreement between a data controller and a data processor that involves the transfer of personal data outside of the EU.

  3. The transfer is subject to Binding Corporate Rules (BCRs). BCRs are a set of rules that must be implemented by a company or group of companies when transferring personal data outside of the EU.

  4. The transfer relies on a derogation. Derogations are exceptions to the GDPR that allow for the transfer of personal data outside of the EU in certain circumstances.

The GDPR also requires that data controllers and data processors must ensure that any third party they are transferring personal data to is compliant with the GDPR. This includes ensuring that the third party has adequate security measures in place to protect the personal data that is being transferred. In addition, data controllers and data processors must also ensure that any third party they are transferring personal data to is compliant with the GDPR’s principles of data protection by design and by default. This means that the third party must implement technical and organisational measures to ensure that the personal data is protected from unauthorised access or processing.

The GDPR also requires that data controllers and data processors must provide individuals with certain information about the transfer of their personal data outside of the EU. This includes informing individuals of the risks associated with the transfer, the measures that have been put in place to protect the data, and the rights that the individual has in relation to the transfer.

In summary, the GDPR requirements for international data transfers are designed to ensure that the personal data of EU citizens is treated with the same level of protection as it would be within the EU. Data controllers and data processors must ensure that the transfer of personal data outside of the EU is done in a secure manner and in accordance with the GDPR’s principles of data protection by design and by default. They must also provide individuals with certain information about the transfer of their personal data outside of the EU.


What is supervisory authority in GDPR?

A supervisory authority is an independent public authority established by the European Union (EU) to ensure the consistent application of the General Data Protection Regulation (GDPR).

The GDPR is an EU regulation that provides a legal framework for the protection of personal data of individuals within the EU. It sets out the rules and principles that organizations must follow when collecting, storing, and processing personal data.

The GDPR requires the establishment of a supervisory authority in each EU Member State. These supervisory authorities are responsible for monitoring and enforcing the application of the GDPR. They also have the power to investigate and take corrective action against organizations that are not in compliance with the GDPR.

The supervisory authority has the following responsibilities:

  1. Ensuring that organizations comply with the GDPR: This includes ensuring that organizations have appropriate data protection policies and procedures in place, that they are aware of their responsibilities under the GDPR, and that they are taking appropriate measures to protect the personal data of individuals.

  2. Handling complaints lodged by data subjects: If a data subject believes that their personal data has been mishandled, they can lodge a complaint with their local supervisory authority. The supervisory authority will then investigate the complaint and take appropriate action, such as issuing a warning or imposing a fine.

  3. Promoting public awareness of the GDPR: This includes providing guidance and training to organizations on their obligations under the GDPR, and providing advice and support to individuals who have questions about their rights under the GDPR.

In summary, the supervisory authority is an important part of the GDPR, as it is responsible for ensuring that organizations comply with the GDPR and that individuals’ rights are respected. The supervisory authority has the power to investigate and take corrective action against organizations that are not in compliance with the GDPR, as well as the power to handle complaints lodged by data subjects. Furthermore, the supervisory authority is responsible for promoting public awareness of the GDPR and providing guidance and training to organizations on their obligations under the GDPR.


What are the penalties associated with GDPR violations?

The European Union's General Data Protection Regulation (GDPR) has significantly altered the way companies manage and protect personal data. It's important to comply with the GDPR regulations to avoid the penalties associated with violations. In this article, we will explore the penalties associated with GDPR violations.

Penalties for GDPR violations

The GDPR empowers supervisory authorities with the power to impose administrative fines for GDPR violations. These fines must be "effective, proportionate, and dissuasive." Depending on the nature and severity of the violation, the fines can range from €10 million or 2% of global turnover to €20 million or 4% of global turnover, whichever is greater.

Nature, Gravity, and Duration of the Infringement

When determining the penalty for a GDPR violation, supervisory authorities will take into consideration the nature, gravity, and duration of the infringement. This means that more serious breaches will result in more severe penalties. The GDPR doesn't provide specific definitions for "nature" and "gravity" of the infringement, so supervisory authorities will use their own discretion when assessing these factors.

Intentional or Negligent Infringement

Another factor that supervisory authorities will consider when determining the penalty for a GDPR violation is whether the infringement was intentional or negligent. Intentional violations are more severe than negligent ones and are more likely to result in higher fines.

Actions Taken to Mitigate Damage

Supervisory authorities will also consider the actions taken by the data controller or data processor to mitigate the damage caused by the infringement. If the company took swift and effective action to address the violation and prevent further harm, they may receive a lesser penalty.

Categories of Personal Data Affected

Finally, the categories of personal data affected by the violation will also play a role in determining the penalty. Certain types of personal data, such as health information, are considered more sensitive than others, and violations involving these types of data may result in higher fines.

In conclusion, the GDPR imposes significant penalties for violations, and it's essential for companies to comply with the regulations. The penalties for GDPR violations can range from €10 million or 2% of global turnover to €20 million or 4% of global turnover, whichever is greater. When determining the penalty, supervisory authorities will consider a variety of factors, including the nature, gravity, and duration of the infringement, whether the infringement was intentional or negligent, the actions taken to mitigate damage, and the categories of personal data affected. By understanding the penalties associated with GDPR violations, companies can take steps to avoid noncompliance and protect the personal data of their customers.


What is Data Protection Impact Assessment (DPIA)?

The General Data Protection Regulation (GDPR) mandates that organizations comply with a set of principles that ensure the protection of personal data. One of these principles is the requirement to carry out a Data Protection Impact Assessment (DPIA) where necessary. This article provides an overview of the DPIA process, its purpose, and why organizations should undertake it.

What is a DPIA?

A DPIA is a process that organizations use to identify, assess, and mitigate data protection risks. It is a structured method of identifying the privacy risks of data processing activities that an organization intends to carry out. The GDPR requires a DPIA to be conducted when a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons.

Purpose of DPIA

The main purpose of a DPIA is to ensure that organizations comply with the GDPR's principles of accountability, privacy by design, and privacy by default. The DPIA process helps organizations to identify and assess the risks associated with processing personal data and to identify measures to reduce or eliminate those risks. The DPIA is an essential tool in helping organizations meet the GDPR's requirements for Privacy by design and Privacy by default.

When is a DPIA mandatory?

A DPIA is mandatory when an organization is introducing a new processing technology, which is likely to result in a high risk to the rights and freedoms of individuals. Additionally, a DPIA is mandatory when processing personal data on a large scale, or when processing special categories of data or criminal conviction data on a large scale.

Steps to conducting a DPIA

The GDPR outlines the following steps that organizations should take when conducting a DPIA:

  1. Identify the need for a DPIA - Determine if the processing activity is likely to result in a high risk to the rights and freedoms of individuals.

  2. Describe the processing activity - Identify the processing activities, the types of data, and the categories of individuals.

  3. Assess the necessity and proportionality - Determine if the processing activity is necessary and proportionate.

  4. Identify and assess the risks - Identify and assess the risks to the rights and freedoms of individuals.

  5. Identify measures to mitigate the risks - Identify and assess measures to mitigate the risks.

  6. Consult with stakeholders - Consult with relevant stakeholders to obtain their views on the processing activity.

  7. Obtain the Data Protection Officer’s opinion - Obtain the Data Protection Officer's opinion on the processing activity.

  8. Update the DPIA - Update the DPIA to reflect any changes in the processing activity.

Benefits of conducting a DPIA

Conducting a DPIA has several benefits, including:

  1. Risk management - The DPIA process helps organizations to identify and assess the risks associated with processing personal data, and to identify measures to reduce or eliminate those risks.

  2. Compliance - Conducting a DPIA is a requirement under the GDPR, and helps organizations to comply with the GDPR's principles of accountability, privacy by design, and privacy by default.

  3. Cost-effective - Conducting a DPIA at an early stage of a project can help to reduce the risk of fines, sanctions, and reputation damage that might otherwise occur to the organization.

  4. Stakeholder engagement - The DPIA process involves consultation with relevant stakeholders, including data subjects, and helps to build trust between the organization and its stakeholders.

In conclusion, the DPIA is an essential tool for organizations that want to comply with the GDPR's principles of accountability, privacy by design, and privacy by default. Conducting a DPIA helps organizations to identify and assess the risks associated with processing personal data, and to identify measures to reduce or eliminate those risks. A DPIA is mandatory when an organization is introducing a new processing technology, which is likely to result in a high risk to the rights and freedoms of individuals.


What are the steps for GDPR compliance?

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that applies to businesses operating in the European Union (EU). It imposes a range of obligations on organizations that process the personal data of EU citizens. In this article, we will explore the essential steps for GDPR compliance.

  1. Develop a Plan of Action using the Seven Principles of GDPR: The GDPR is built around seven fundamental principles that guide the processing of personal data. These principles are lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, and storage limitation. Developing a plan of action that addresses each of these principles is the first step towards GDPR compliance.

  1. Create a Record of Processing Activities per Article 30: Article 30 of the GDPR requires businesses to keep a record of all processing activities involving personal data. This record should include details such as the type of data being processed, the purpose of processing, and the legal basis for processing. It is essential to maintain an accurate record to demonstrate compliance with the GDPR.

  1. Implement Privacy by Design and Processes for Conducting DPIAs: Privacy by Design is a key principle of the GDPR that requires organizations to consider data protection at every stage of the processing cycle. It involves the implementation of technical and organizational measures to ensure that privacy is built into products and services from the outset. Additionally, organizations must conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate privacy risks.

  1. Develop a Framework for Consent Management: Under the GDPR, organizations must obtain valid consent from individuals before processing their personal data. Businesses must develop a framework for consent management, which should include clear and concise language, easy-to-use mechanisms for withdrawal, and a system for documenting consent.

  1. Understand Requirements for Cookie Consent in the Countries that You Operate: The use of cookies is widespread across the internet, but their use is regulated under the GDPR. Organizations must obtain consent from users before setting cookies on their devices. It is essential to understand the requirements for cookie consent in the countries where you operate to ensure compliance with the GDPR.

  1. Create a Portal for Data Subject Rights Requests Intake: Under the GDPR, individuals have the right to access, correct, and delete their personal data. Businesses must create a portal for data subject rights requests intake, which should include clear instructions for making a request and a system for responding to requests in a timely and efficient manner.

  1. Review Risks from Data Processors: Data processors are organizations that process personal data on behalf of businesses. Under the GDPR, businesses are responsible for ensuring that their data processors comply with the regulation. It is essential to review the risks associated with data processors and to implement contractual arrangements that ensure compliance with the GDPR.

  1. Prepare an Incident Management Plan: The GDPR requires organizations to report data breaches to the supervisory authority within 72 hours of becoming aware of the breach. Businesses must prepare an incident management plan that outlines the steps to be taken in the event of a data breach.

  1. Review Mechanisms for International Data Transfers: The GDPR places strict requirements on the transfer of personal data outside of the EU. Businesses must review their mechanisms for international data transfers to ensure compliance with the regulation. This includes implementing standard contractual clauses and obtaining adequacy decisions from the European Commission.

  1. Roll Out GDPR Training Programs: Employees play a crucial role in ensuring GDPR compliance. It is essential to provide training to all employees to ensure that they understand the requirements of the GDPR and their roles in achieving compliance.

  1. Appoint a DPO, Where Applicable: Under the GDPR, some organizations are required to appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring GDPR compliance within the organization. Businesses should appoint a DPO where applicable and provide them with the necessary resources to carry out their duties effectively.