
What Does the GDPR Require by Law?

Paige Harris Jun 1, 2022 12:10:00 PM


The European Union (EU) created the General Data Protection Regulation (GDPR) with the intention of protecting data linked to the people in the EU against intrusive organizations and practices across the globe. Known as the most stringent privacy and security law in the world, it imposes serious fines on persons and businesses who violate its standards. 

Scope, Penalties, and Key Definitions

While the GDPR applies to the data of EU citizens and residents, organizations that control or process such data, whether they are based in the EU or not, are also covered by it. This is what is called its extra-territorial effect.

Penalties for breaching the GDPR have two components. The first is a fine of up to €20 million or 4% of your business’ global revenue, whichever is higher. The second is compensation for damages to the parties affected.

The legal terms most commonly used in relation to the GDPR are:

  • Personal data
  • Data processing 
  • Data subject 
  • Data controller 
  • Data processor 

People’s Privacy Rights

The GDPR recognizes the need to give data subjects more control over the data they hand over to organizations. The rights it grants to every EU citizen or resident are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making and profiling.

A great way to uphold your data subjects’ right to be informed is to use a free terms of service generator like Enzuzo that will help you clearly express your user rights policy, disclaimers, website or app agreements, and content ownership policies.

Data Protection Principles

According to Article 5(1)-(2), data controllers and processors must adhere to the seven GDPR principles of protection and accountability:

  1. Lawfulness, fairness, and transparency 
  2. Purpose limitation 
  3. Data minimization 
  4. Accuracy 
  5. Storage limitation 
  6. Integrity and confidentiality 
  7. Accountability 

Data Security

Handling personal data means becoming well-versed in appropriate technical and organizational measures.

Technical measures include restricting access to personal data storage through two-factor authentication, or contracting cloud providers that offer end-to-end encryption. Organizational measures, meanwhile, focus on setting policies and boundaries for employees, such as staff training and employee handbooks.

Failure to inform data subjects within 72 hours of a breach will result in penalties.

When You’re Allowed to Process Data

In some instances, processing personal data is permitted by law. Unless you are doing so for one of the following reasons, it is safer not to extract, manipulate, or erase any form of personal data. The applicable reasons are:

  1. Distinct and explicit consent to process the data was given by the data subject.
  2. Processing is a prerequisite to entering into a contract to which the data subject is a party.
  3. Data is needed in compliance with a legal obligation.
  4. Processing of data is needed to save a life.
  5. It is required to accomplish a task in the public interest or to carry out some official function.
  6. There is a lawful right or legitimate interest to process the personal data. This has proven to be the most widely relied-upon legal basis.


The GDPR is stricter than earlier law about consent from data subjects. Its rules on consent are as follows:

  • Consent must be freely given, specific, and explicitly stated. 
  • Requests for consent must be written in clear language. 
  • Data subjects can withdraw their consent at any time, and data processors or controllers must comply accordingly. 
  • Parental guidance is mandated for children under 13 years of age. 
  • A consent form or any document of proof should be kept.

Data Protection Officers

Not every data controller or processor is required to appoint a Data Protection Officer. Unless you are a public authority with judicial capacity, your primary activities entail the systematic and regular surveillance of people, or those activities involve extensive processing of special categories of data, there is no need to appoint one. 

Final Thoughts

Even if you think that you’re covered by the GDPR, we strongly recommend that you familiarize yourself with its details and consult an attorney or data privacy specialist to ensure that you are GDPR compliant.