General Data Protection Regulation (GDPR)

European Commission

Cross-sector
Privacy and data protection
EU
Regulation
Private and public sector

Policy overview

The General Data Protection Regulation (GDPR) functions as a protective framework for individuals when their data is processed by both the private sector and most of the public sector. Most notably, the GDPR defines the data subject rights (individuals' digital rights), the obligations of entities processing data, methods for compliance, and sanctions for breaches of the GDPR. The GDPR has applied since 25 May 2018.

The GDPR applies both to organisations established in the European Union that process the personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU. Therefore, non-EU companies serving EU individuals or monitoring their activities must also adhere to the GDPR. The GDPR distinguishes two actors in data processing to whom the obligations apply: the controller, who determines the purposes and means of the processing of personal data, and the processor, who processes personal data on behalf of the controller.

The GDPR ensures a level playing field for companies operating within the EU internal market by implementing a unified set of data protection rules across the EU, reducing legal ambiguity, and lessening administrative burdens. It establishes specific rights for the data subject and requires all processing of personal data to conform with harmonised data protection principles. The GDPR mandates organisations, especially those extensively handling data or processing sensitive categories such as health data, to designate data protection officers. The "one-stop shop" approach simplifies interactions between businesses and supervisory authorities. The regulation also promotes the integration of data protection into product and service development (data protection by design) and emphasises privacy-enhancing techniques such as pseudonymisation and encryption. It eliminates notification obligations to facilitate the free flow of personal data within the EU, requires data protection impact assessments for high-risk data processing, and adjusts record-keeping requirements based on the scale and nature of the data processing. Finally, it provides a comprehensive toolkit for secure international data transfers, including adequacy decisions, contractual clauses, and certification.