General Data Protection Regulation – scope and main changes
The General Data Protection Regulation (GDPR) was adopted on the 14th of April 2016 and entered into force on the 25th of May 2018. The Regulation replaces the Data Protection Directive and aims to harmonize data protection laws across the European Union and to protect and empower EU citizens with regard to their data protection rights.
What is the scope of the GDPR?
The GDPR covers the processing of all personal data, meaning data that relates to an identified or identifiable person. Anonymous data and data related solely to a company are thus excluded.
Furthermore, a company must comply with the GDPR:
- if it processes personal data and
- has a presence in the EU or processes personal data of data subjects located in the EU for the purposes of offering them goods or services or monitoring their behavior.
In the second case, the company has to appoint a GDPR Representative, located in the EU.
With regard to size, the GDPR is applicable to companies with more than 250 employees, or to those whose processing impacts the rights and freedoms of data subjects, when the processing is not occasional or includes sensitive data.
What are the main differences between the Directive and the Regulation?
One of the main changes introduced by the GDPR is the extended territorial scope – companies must respect the GDPR irrespective of whether they process data inside or outside the EU or whether they are themselves located in the EU or not. Non-EU companies which process the data of EU citizens are therefore also subject to the GDPR.
Furthermore, the penalties for non-compliance with the GDPR were increased, and companies can be fined up to 4% of their annual global turnover or up to 20 million EUR (whichever is greater). The conditions for consent were also strengthened. Companies are now required to provide an intelligible and easily accessible form when requesting consent for the processing of personal data.
Obelis at Your Service
If you wish to know more about the General Data Protection Regulation, please do not hesitate to contact us. Obelis Expert Consultants, having nearly 30 years of experience with EU Regulations, will answer any questions you may have and will gladly assist you in the process of ensuring the compliance of your data processing activities and the appointment of a GDPR Representative.