Salient Features Of General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that sets the rules for collecting and processing the personal data of individuals in the EU. It was approved by the European Parliament on April 14, 2016 and has applied since May 25, 2018. GDPR replaced the 1995 Data Protection Directive (95/46/EC) and harmonises data protection law across the EU.

Its stated aims are to give individuals control over their personal data and, by replacing a patchwork of national laws with a single regulation, to simplify the regulatory environment for organisations operating across borders.

Who Does GDPR Apply To?

GDPR applies to any organisation that processes the personal data of individuals in the EU, regardless of where the organisation is located. This includes:

  • Businesses established inside the EU.

  • Businesses outside the EU that offer goods or services to individuals in the EU or monitor their behaviour.

  • Both data controllers (who decide why and how personal data is processed) and data processors (who process it on a controller's behalf).


General Data Protection Regulation 2018: Chapter Overview

The GDPR is composed of 11 chapters and 99 articles, which together form a comprehensive framework for data privacy and protection. Below are the key highlights of each chapter.

Chapter 1 of GDPR: General Provisions

Chapter 1 (Articles 1 to 4) lays the foundation of the regulation. It states the GDPR's objectives and its material and territorial scope: the regulation applies to processing carried out in the context of an establishment in the EU, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the organisation is located.

  • It defines the key terms on which the rest of the regulation is built, such as 'personal data', 'processing', 'controller' and 'processor'.

  • Because these definitions are binding in every member state, the chapter ensures a consistent understanding and implementation across jurisdictions.

Chapter 2 of GDPR: Principles

This chapter enshrines the core principles of GDPR. It contains seven Articles, from Article 5 to Article 11, which define the principles that determine whether processing is lawful. They include:

  • Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly and in a way that is transparent to the data subject.

  • Purpose Limitation: Data collected for specified purposes may not be further processed in a way that is incompatible with those purposes.

  • Data Minimization: Only data that is adequate, relevant and necessary for the purpose should be processed.

  • Accuracy: Personal data must be accurate and, where necessary, kept up to date.

  • Storage Limitation: Data should not be kept in a form that identifies individuals for longer than necessary.

  • Integrity and Confidentiality: Data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage by appropriate technical and organisational measures.

  • Accountability: The controller is responsible for, and must be able to demonstrate, compliance with these principles.

Chapter 3 of GDPR: Rights of the Data Subjects

Chapter 3 contains 5 Sections and 12 Articles, from Article 12 to Article 23. It establishes a comprehensive set of rights for individuals, including:

  • Right of Access: Individuals can obtain confirmation of whether their data is being processed and a copy of the data organisations hold about them.

  • Right to Rectification: Individuals can have inaccurate data corrected and incomplete data completed.

  • Right to Erasure ('Right to be Forgotten'): In certain situations, individuals can demand the deletion of their data.

  • Right to Data Portability: Individuals can receive the data they provided in a structured, commonly used, machine-readable format and transmit it to another controller.

  • Right to Object: Individuals can object to processing for certain purposes, including direct marketing.

For example, a European e-commerce company must comply with a customer's request to delete their data after account closure, unless a legal obligation (such as a tax-record retention period) requires some of it to be kept.

Chapter 4 of GDPR: Controller and Processor

This chapter covers Articles 24 to 43 and details the responsibilities of controllers and processors. Controllers must implement appropriate technical and organisational measures, including data protection by design and by default, and maintain records of processing activities. Processors may act only on the controller's documented instructions and must ensure the security of processing. The chapter requires a written contract between controller and processor, the appointment of a Data Protection Officer (DPO) in specified cases, a data protection impact assessment (DPIA) for high-risk processing, and notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them. It also sets out the security of processing obligations (Article 32), which name pseudonymisation and encryption among the measures to consider.

Chapter 5 of GDPR: Transfers of Personal Data to Third Countries or International Organizations

This chapter (Articles 44 to 50) governs transfers of personal data outside the European Union. Transfers are permitted without further authorisation where the European Commission has decided that the receiving country or international organisation provides an adequate level of protection. Where no adequacy decision exists, the transfer must rest on appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or on one of the narrow derogations in Article 49.

For example, an India-based cloud storage provider handling EU personal data must rely on one of these transfer mechanisms or face penalties.

Chapter 6 of GDPR: Independent Supervisory Authorities (Articles 51–59)

Each EU member state must establish one or more independent supervisory authorities (SAs) to monitor the application of the GDPR. These authorities handle complaints, conduct investigations and enforce the law. The chapter sets out their independence, competence, tasks and powers, and requires member states to give them the resources they need and to ensure they operate free from external influence.

Chapter 7 of GDPR: Cooperation and Consistency

This chapter (Articles 60 to 76) ensures that the GDPR is enforced consistently across the whole EU. It introduces the "one-stop-shop" mechanism, under which a lead supervisory authority handles cross-border processing cases, and sets up procedures for supervisory authorities to cooperate and assist one another. The European Data Protection Board (EDPB) resolves disputes between authorities, issues guidelines and opinions, and promotes uniform interpretation and application throughout the member states.

Chapter 8 of GDPR: Remedies, Liability, and Penalties

Chapter 8 of GDPR contains 8 Articles, from Article 77 to 84. It deals with enforcement and accountability. Its most important provisions are:

  • Remedies: Data subjects have the right to lodge a complaint with a supervisory authority and to seek an effective judicial remedy against a supervisory authority, a controller or a processor.

  • Liability: Any person who suffers damage as a result of an infringement has the right to compensation from the controller or processor responsible.

  • Penalties: Administrative fines for non-compliance can reach 20 million euros or 4% of total worldwide annual turnover, whichever is higher.

For example, in January 2019 the French supervisory authority (CNIL) fined Google 50 million euros for a lack of transparency and of valid consent in its ad personalisation, in breach of the GDPR.

Chapter 9 of GDPR: Specific Processing Situations

This chapter covers Articles 85 to 91. It gives member states room to adopt specific rules for processing in areas such as journalism, scientific and historical research, statistics, the public interest and employment. It balances data protection against other fundamental rights, such as freedom of expression, and recognises that certain uses, for example archiving in the public interest, require tailored exemptions.

Chapter 10 of GDPR: Delegated and Implementing Acts

This chapter comprises Articles 92 and 93. It empowers the European Commission to adopt delegated and implementing acts, so that technical details of the GDPR can be updated over time without amending the regulation itself. Under these powers the Commission can, for example, adopt standard contractual clauses, issue adequacy decisions for third countries, and specify standard formats and procedures for cooperation between supervisory authorities.

Chapter 11 of GDPR: Final Provisions

This chapter comprises Articles 94 to 99. It repeals the previous Data Protection Directive (95/46/EC), with references to the Directive now read as references to the GDPR, and provides for regular review and evaluation of the regulation by the Commission. It sets the date of application, May 25, 2018, and addresses the relationship between the GDPR and other Union law, including the ePrivacy Directive (2002/58/EC) and previously concluded international agreements. Member states may keep or introduce supplementary national rules only where the GDPR expressly allows it.

Nature and Scope of the Act

Organisations outside the EU are still subject to the GDPR if they process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. The regulation takes a risk-based approach, with a strong emphasis on accountability and on data protection by design and by default. It applies across all industries, from e-commerce to healthcare, so no sector is excluded from its provisions.

Data Breach 

A controller must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A processor that detects a breach must notify the controller without undue delay. If the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. The notification to the supervisory authority should include:

  • The nature of the breach.

  • The categories of data and of data subjects affected.

  • The approximate number of data subjects and records concerned.

  • The name and contact details of the DPO or another contact point.

  • The likely consequences of the breach.

  • The measures taken or proposed to address the breach and mitigate its effects.

If notification is made later than 72 hours, the reasons for the delay must accompany it, and the information may be provided in phases where it is not all available at once.

Summary

GDPR is a comprehensive data protection regulation that protects the personal data rights of individuals within the EU and reaches organisations well beyond it. It replaced a patchwork of national laws with a single set of rules designed for the challenges of the digital age. Its provisions cover the principles of data processing, the rights of data subjects and the rules for international data transfers, backed by severe penalties for non-compliance. Because of its extraterritorial scope, the GDPR has become a global benchmark for data privacy, built on transparency, accountability and security in the processing of personal data.


What is GDPR: FAQs

Q1. What is the main purpose of the GDPR? 

The purpose of the GDPR is to protect the personal data of individuals in the EU by ensuring it is processed lawfully, transparently and responsibly, and to give those individuals control over their data.

Q2. Who must comply with GDPR? 

GDPR applies to all organisations that process the personal data of individuals in the EU, regardless of where the organisation is located.

Q3. What are the penalties for not complying with GDPR? 

Non-compliance can lead to administrative fines of up to 20 million euros or 4 percent of the undertaking's total worldwide annual turnover, whichever is higher.

Q4. Does the GDPR apply to a small business? 

Yes. GDPR applies to every business that handles the personal data of individuals in the EU, regardless of its size, although some obligations (such as keeping records of processing activities) are relaxed for organisations with fewer than 250 employees.

Q5. Does GDPR apply to non EU residents? 

GDPR primarily protects individuals in the EU, but because of its reach many global organisations adopt GDPR-style protections for all of their users, so non-EU individuals often benefit indirectly.
