GDPR Explained: Overview of Basic Principles, Roles, and Sanctions
The General Data Protection Regulation (GDPR) has been the binding data protection law of the European Union since May 2018. It applies directly in all member states, without the need for national implementing laws. Its core principle is the protection of natural persons during the processing of personal data. For companies that process data of EU citizens, GDPR compliance is not an option, but a mandatory requirement.
What is the GDPR?
The GDPR is a regulation issued by the EU Commission, grounded in fundamental rights. Its central focus is the right to the protection of personal data. Concurrently, the regulation aims to facilitate the free flow of data within the EU and EEA. While it doesn't entirely supersede national laws, it establishes a unified framework that is directly applicable.
Scope of Application: Who and What is Affected?
Material Scope: The GDPR covers any wholly or partly automated processing of personal data. Non-automated processing is also included, provided the data is stored or intended to be stored in a filing system. This encompasses electronic operations via computers, scanners, digital cameras, or smartphones, as well as analog but organized data collections.
Excluded are unsorted, purely analog collections (the so-called "household exception" for personal or family activities) and certain processing activities in the context of law enforcement. In Germany, specific rules on employee data protection apply to employee data in addition.
Territorial Scope: The GDPR applies based on two connecting factors: establishment or presence within the EU, and the market principle. The latter means that companies based outside the EU are also subject to the GDPR if they offer goods or services to individuals in the Union or monitor their behavior.
Basic Principles of Processing
The GDPR establishes binding principles against which all data processing must be measured:
- Lawfulness, Fairness, and Transparency
- Purpose Limitation: Data may only be collected for specified, explicit purposes.
- Data Minimization: Only data necessary for the purpose may be processed.
- Accuracy and Storage Limitation
- Confidentiality and Integrity
The transparency obligation requires controllers to inform data subjects about processing and purposes whenever data is collected. Data subjects also have a right to information about whether and to what extent their data is processed.
Closely linked to this is Accountability: The controller must be able to actively demonstrate compliance with the principles – for example, through records of processing activities and documented technical and organizational measures.
Legal Bases under Article 6
Every processing of personal data requires a legal basis. Article 6 GDPR lists several legal bases, including:
- Processing for the provision of a service requested by the data subject
- Fulfillment of a legal obligation
- Protection of the vital interests of the data subject
- Processing in the public interest or in the exercise of official authority
- Processing based on the legitimate interests of the controller – provided these do not override the rights and freedoms of the data subject
Roles in the GDPR context
The GDPR clearly defines three central roles:
- Data Subject: the individual whose data is collected or processed
- Controller: the company that determines the purposes and means of processing
- Processor: a company that processes data on behalf of the controller
The GDPR requires a data processing agreement for data processing by a processor.
Rights of Data Subjects
Data subjects have a clearly defined set of rights. These include the right to erasure ("right to be forgotten") under Article 17 – applicable when there are no compelling reasons for further retention – as well as rectification, restriction of processing, objection, and data portability. Additionally, data subjects can lodge complaints with data protection supervisory authorities and claim compensation for damages.
Sanctions and Enforcement
Violations of the GDPR can lead to severe consequences. Data protection supervisory authorities can impose fines of up to 20 million Euros or up to 4% of the global annual turnover – whichever amount is higher. The GDPR is thus considered the cornerstone of a strict European data protection and enforcement framework.
Conclusion
The GDPR legally governs how personal data may be processed. Crucial aspects include the fundamental principles of processing, the correct classification of roles, understanding the material and territorial scope, and implementing the legal bases for processing and accountability requirements. For anyone processing data of EU citizens, structured GDPR compliance is essential.