GDPR

The General Data Protection Regulation (GDPR) is a central set of rules for the protection of personal data within the European Union (EU). Since it came into force on 25 May 2018, it has set essential standards for the processing of such data by companies, organizations and public bodies.

The GDPR aims to give individuals more control over their personal data while creating a consistent level of data protection across the EU. This includes data that can directly or indirectly identify an individual, such as names, photos, email addresses, bank details, posts on social networks, medical information or IP addresses.

• Data protection through technology design and data protection-friendly default settings (privacy by design and by default): Technologies must be designed in such a way that they take data protection into account from the outset. By default, only the data that is absolutely necessary for the respective purpose should be collected.

• Right of access: Data subjects have the right to be informed by the data processor whether and what personal data is stored about them.

• Right to be forgotten: In certain circumstances, individuals can request the erasure of their data.

• Data portability: This allows individuals to transfer their data from one service provider to another in a commonly used format.

The GDPR applies to all companies and organizations that process the personal data of individuals in the EU, regardless of whether the processing takes place in the EU or not. This means that the GDPR is also relevant for many companies outside the EU.

Implementing the GDPR is a challenge for many companies, particularly with regard to documenting data processing activities, ensuring data security and obtaining valid consent for data processing.