Third Anniversary of the GDPR: Everything You Need to Know

The main European regulation for protection of personal data in 900 words

May 28, 2021

Julia Danylenko

Three years ago, the GDPR, a regulation that defines the principles of working with the personal data of European Internet users, came into force. The GDPR, together with the CCPA, is a major milestone in the history of personal data protection, and a headache for companies that collect data. A day after the GDPR came into force, Google and Facebook received claims totaling $8.8 billion.

Adsider explains what the GDPR is and how to avoid accidentally violating it.
Definition of the GDPR
The General Data Protection Regulation (the GDPR) is legislation that protects the personal data of individuals within the EU and the European Economic Area and punishes violations of standards.

The 88 pages of the regulation spell out what is meant by the concept of "personal data", who has the right to collect and process this information, the principles by which the rights of data owners (i.e. Internet users) are defined, the obligations and restrictions for companies collecting data, and the penalties for violations.
Why there was a need for the GDPR
The protection of personal data is enshrined in the European Convention on Human Rights. Article 8 of the Convention states: “Everyone has the right to respect for their private and family life, their home and correspondence”.

Advances in technology and the emergence of the Internet have led to new ways of collecting data, for commercial and other purposes. The more advanced Internet technologies became, the more risks arose around confidentiality and the disclosure of personal information by users who did not know better, especially with the advent of social networks.

In 2011, a Google user from Massachusetts filed a lawsuit against the company, accusing the tech giant of scanning her private correspondence.

In 2016, the Cambridge Analytica scandal, in which the manipulation of private data was used to influence the outcome of the elections in the United States, showed that the situation had become critical and that users' personal data needed to be protected more than ever.
Whom does the GDPR apply to?
Your location doesn't matter. You can work from the USA, Ukraine, Guatemala, or even manage your company from a base in the Arctic — if you collect and process data from EU citizens or residents, you are also subject to the GDPR.
What happens if you violate it?
In short, it is very expensive to violate the GDPR.

There are two levels of penalties. The first, for less serious violations, is a fine of up to €10 million, or 2% of the company's global annual income for the previous financial year (if this income is more than €10 million).

The second tier of penalties is €20 million, or 4% of the company's global annual income for the previous financial year.

You can read more about the fines on the website.
When did the GDPR appear
The GDPR entered into force exactly three years ago, on May 25, 2018, but the basic principles of the regulation were laid down four years earlier, in 2014.

Work on the creation of relevant legislation began in 1995, with the adoption of the European Parliament Directive on the protection of personal data.

Adsider has collected the main events in the "life" of the GDPR.
May 12 — The European Parliament voted in favor of the first iteration of the GDPR: 621 voted in favor, 10 against, 22 abstained.
July 27 — The European Oversight Office for Personal Data Protection published its recommendations for the final version of the GDPR text, and launched a mobile application in which you can compare the proposals of the Parliament, the Commission and the Council of Europe.
December 15 — The European Parliament, Council and Commission agreed on the text of the GDPR.

February 2 — The GDPR implementation action plan is published.

April 27 — EU adopts the GDPR.

May 24 — 20 days after publication in the Official Journal of the EU, the GDPR comes into force.
January 10 — The European Commission proposes two new sets of rules: one on privacy and electronic communications, and one on data protection rules applicable to EU institutions.
May 6 — Regulation on the protection of personal data in EU institutions is proposed.

May 25 — From this day, the GDPR applies to any company in the world that collects and processes the personal data of EU citizens or residents.
The GDPR principles
Companies subject to the GDPR are required to comply with seven principles of protection and responsibility:
Legality, honesty and transparency.
Purpose limitation (use the data only for the purpose that you have informed the user about).
Data minimization (do not accumulate more user data than is vital for your work).
Accuracy (you keep accurate and current data).
Storage limitation (the collected data can only be stored for as long as necessary to achieve the purpose for which you collected it).
Responsibility (you must be able to prove that you adhere to all the GDPR principles).
It is worth noting that the company is responsible for protecting the data it has collected about its customers or users, and is therefore liable if hackers, competitors, or anyone else who should not have had access obtains this data. The same applies if the company has transferred the collected data to a third party without the informed consent of the user.
Informed consent
The user's consent to the collection and processing of personal data is also clearly regulated by the GDPR. The company cannot simply ask to "agree to whatever we do with your data."
The user's consent must be voluntary, clear and informed.
Consent requests must be clearly identifiable and written in understandable language.
The user has the right to revoke his consent to the processing of his data at any time.
Children under 13 years of age can only give consent with parental permission.
You must keep documentary evidence of the user's consent to the processing of their data.
Key terms to know
Personal data is any information that allows you to directly or indirectly identify a user: names and email addresses, as well as location, nationality, gender, biometrics, and the like.
Data processing is any action performed on this data: collection, recording, organization, storage, use.
Data subject is the person whose data is being processed, for example your client or user.
Data controller is the person who decides why and how personal data will be processed: the owner of the company or the person in charge of handling user data within the company.
Data processor is a third party that processes data on behalf of the controller.