Reading time: 5 min | Amelie Gärtner
June 17th, 2021
The following table provides an overview of the individual chapters of the GDPR and summarizes the main contents of their articles.
| Chapter | Main contents |
|---|---|
| I. General Provisions | The first chapter sets out the general provisions and objectives of the regulation; it applies to the protection of natural persons with regard to the processing of personal data and to the free movement of such data. It also defines the material and territorial scope and further terms. |
| II. Principles | The chapter's seven articles describe the principles for data processing, including the handling of personal data and the lawfulness of processing. Article 6 of the EU GDPR: processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract [...] to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |
| III. Rights of the Data Subject | The third chapter deals with the rights of a data subject whose data is being processed. This includes, among others, transparency and information obligations, the right of access, and the rights to rectification and erasure of data (“right to be forgotten”). |
| IV. Controller and Processor | These articles explain the responsibilities of controllers and processors, as well as the appointment of a Data Protection Officer. The Data Processing Agreement (DPA) according to Article 28 of the GDPR defines the requirements for the contractual relationship. |
| V. Transfer of personal data to third countries or international organizations | The regulation governs the processing of data in third countries outside the EU and ensures that the level of protection for natural persons is not undermined when data is transferred. |
| VI. Independent supervisory authorities | Supervisory authorities review and monitor the implementation of and compliance with the regulation. They must be independent and must not be directly or indirectly influenced. |
| VII. Cooperation and consistency | Chapter 7 regulates the cooperation between the individual supervisory authorities. In the event of disagreement, the coherence procedure is initiated and concluded by a binding decision of the European Data Protection Board. |
| VIII. Remedies, liability and sanctions | As the title suggests, these articles deal with remedies, liability and sanctions. They also set out the general conditions for imposing fines, which are decided based on the circumstances of each individual case. |
| IX. Specific data processing situations | The GDPR contains rules for specific data processing situations, such as freedom of expression and information, or the processing of and access to official documents. |
| X. Delegated and implementing acts | The European Commission is authorized to adopt delegated acts, to delegate and to set certain conditions for the delegation. In addition, a committee is established to support the Commission in its tasks. Delegated acts are acts without legislative character that supplement or amend legislative acts. |
| XI. Final provisions | The final provisions mainly cover the relationship to other directives and existing agreements. The European Commission is obliged to prepare a report on the evaluation and review of the regulation every 4 years and to submit it to the European Parliament and the Council. |
With the GDPR, the entire EU has been brought to a uniform level of data protection.
Scope: The regulation now also applies to non-European companies that are active in the European market or process personal data of EU citizens.
Fines: Above all, fines have increased significantly: depending on the violation, penalties of up to 4% of annual turnover or 20 million euros can be imposed.
Privacy by Design: "Data protection by design" means that data protection is built into data processing procedures and systems from the outset and is part of the standard.
Privacy by Default: "Data protection by privacy-friendly default settings" means that default settings must be privacy-friendly, so that in particular less technically savvy users are protected.
Reporting Obligation: Companies are subject to a reporting obligation for data breaches, which must be reported within 72 hours.
What additional rights have been granted to consumers?
Data portability: Consumers have the right to data portability, meaning they can take their personal data to another provider, and receive it in a secure and commonly used format.
Consent for data processing: Such consents must always be given voluntarily and can be revoked at any time.
Right to rectification: Consumers have the opportunity to have incorrect data corrected immediately.
Right to erasure: Data must be deleted as soon as the purpose ceases to exist or the consent is revoked.
Right to information: Consumer rights have been extended; for example, consumers now receive information not only about the purpose of data processing but also about its duration.