GDPR (Facts)
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and is an EU regulation that protects the personal data and privacy of individuals in the EU and EEA, regardless of their citizenship.
It was adopted in April 2016 and has applied since 25 May 2018, after a two-year transition period.
The GDPR applies to organisations established in the EU that process personal data, regardless of where the processing itself takes place.
It also applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there, so its scope depends on where the data subjects are, not on their citizenship (Article 3).
Companies need a lawful basis for every processing activity (Article 6); consent is only one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests. Where consent is relied on it must be freely given, specific, informed and unambiguous, and explicit consent is required for special categories of data such as health, biometric or religious data (Article 9).
Companies must give users access to the personal data held about them, together with the purposes of processing, the recipients, the retention period and the source of the data (Article 15).
Companies must inform users about their rights under the GDPR, normally through a privacy notice provided at the point of collection (Articles 13 and 14).
Companies must let users request erasure of their data (the "right to be forgotten", Article 17); the right is not absolute and can be refused where the data is still needed, for example to comply with a legal obligation.
Companies must let users object to processing based on legitimate interests or a public task, must stop direct marketing outright when a user objects (Article 21), and must make withdrawing consent as easy as giving it (Article 7).
Companies must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Affected users must be told without undue delay when the breach is likely to result in a high risk to them (Article 34); the 72-hour deadline applies to the regulator, not to users.
Companies must appoint a Data Protection Officer (DPO) to monitor compliance with the GDPR in the cases set out in Article 37; it is not a universal requirement.
Companies must inform users of their right to lodge a complaint with a supervisory authority if they believe their data has been mishandled (Article 77); this right exists whether or not the company offers its own complaint channel.
Companies must implement appropriate technical and organisational measures, proportionate to the risk, to protect the data they process and to prevent unauthorised access (Article 32). The regulation names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore data promptly after an incident, and regular testing of the measures' effectiveness.
Companies must keep records of their processing activities (Article 30). Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or involves special categories or criminal conviction data.
Companies must let users receive the data they provided in a structured, commonly used, machine-readable format and transmit it to another controller (data portability, Article 20); this applies to automated processing carried out on the basis of consent or a contract.
Companies do not have to register processing activities with a supervisory authority, but they must consult it before starting any processing that a DPIA shows would result in a high risk that cannot be mitigated (Article 36).
Companies must conduct Data Protection Impact Assessments (DPIAs) before processing that is likely to result in a high risk to individuals, such as large-scale profiling, large-scale processing of special-category data, or systematic monitoring of publicly accessible areas (Article 35).
Where consent is the lawful basis for an online service offered directly to a child, companies must obtain parental consent for children under 16; Member States may lower this age, but not below 13 (Article 8).
Companies must have a lawful basis for direct marketing and must stop it as soon as a user objects (Article 21(2)). The consent rules for marketing emails themselves come from the ePrivacy Directive and national law, which generally require prior opt-in except for existing customers being offered similar products or services.
Companies remain responsible for the third-party processors they use: they may engage only processors that provide sufficient guarantees, and must bind them by a written contract covering documented instructions, confidentiality, security measures, sub-processors, assistance with data subject requests and breaches, and deletion or return of the data at the end of the service (Article 28).
Companies can be fined up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements, and up to €10 million or 2% for others (Article 83).
Companies must appoint a DPO if their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or criminal conviction data (Article 37).
Public authorities and bodies must appoint a DPO, except courts acting in their judicial capacity.
Companies must have a process in place to respond to data subject requests (access, rectification, erasure, portability and the other rights) within one month of receipt; this can be extended by two further months for complex or numerous requests, provided the user is told of the extension within the first month (Article 12).