GDPR explained simply: the most important facts at a glance

by Martha Wanat
16 min read
10/14/24 9:55 AM

The General Data Protection Regulation (GDPR) stipulates that your website must obtain the clear and affirmative consent of the user before processing user data.

Regulation (EU) 2016/679 (EU General Data Protection Regulation) replaces the European Data Protection Directive from 1995 (Directive 95/46/EC) with the aim of harmonizing and modernizing European data protection law. It promotes the protection of data subjects with regard to the processing of personal data and the free movement of such data (Article 1 (1) General Data Protection Regulation).

The Data Protection Directive in force until May 25, 2018 was implemented very differently by the member states. This patchwork of Member State regulations hindered the cross-border movement of data within the European Union. The General Data Protection Regulation creates a uniform and directly applicable legal framework that guarantees the free movement of personal data in the European Union. This is an important prerequisite for the completion of the digital single market and for a level playing field in the European Union

In addition, European data protection law has been modernized and the fundamental right to the protection of personal data under Article 8 of the European Charter of Fundamental Rights has been strengthened. Data subjects are given more control and transparency in data processing, especially in the digital age. 

The General Data Protection Regulation increases the requirements for the legally effective consent of data subjects and extends their rights, in particular to information and access. Consent management is a central topic of the GDPR. We explain exactly what this means in this article.

Do you need help with the European Data Protection Act? Then arrange a free initial consultation or download our free checklist here. 

 

I. Who does the GDPR apply to?

The General Data Protection Regulation applies in principle to all processing of personal data. The details are regulated in Articles 2 and 3 of the General Data Protection Regulation.

Both public organizations and private individuals and companies must comply with the requirements of the General Data Protection Regulation if they process information about an identified or identifiable natural person.

Exceptions apply

  • for the non-automated processing of personal data that is not stored or intended to be stored in a file system - for example, files and collections of files that are not organized according to specific criteria
  • for natural persons who process personal data exclusively for the performance of personal or family activities - for example, private correspondence, address books or the use of social networks and online activities for personal or family purposes;
  • for activities which fall outside the scope of Union law - in particular activities relating to national security
  • for data processing for the purposes of law enforcement and security by the competent authorities - Directive (EU) 2016/680, which was adopted at the same time as the General Data Protection Regulation, applies here.

It is important to note that companies outside the European Union are also subject to the General Data Protection Regulation if they offer goods or services in the European Union or monitor the behavior of individuals in the European Union.

The General Data Protection Regulation applies to the processing of personal data if it is carried out in the context of the activities of an establishment in the European Union or in connection with the offering of goods or services in the European Union (so-called marketplace principle). This applies regardless of whether the processing takes place in the European Union. 

The General Data Protection Regulation also applies if the behavior of data subjects in the European Union is to be monitored or if the processing takes place in a place that is subject to the law of a member state of the European Union under international law. It does not matter whether the processed data relates to a citizen of the European Union or not.

 

II. Legal basis for data processing in accordance with the GDPR

According to the GDPR, the following principles apply to data processing: purpose limitation, necessity and data minimization (Article 5).

Since 2018, the purpose limitation principle has been supplemented by Article 6 (4), which specifies criteria for checking compatible purposes. If the original purpose of collection and the purpose of further processing by the same controller are compatible, the data may be further processed on the basis of the original legal basis.

With this “accountability”, the General Data Protection Regulation emphasizes the responsibility of the data controllers for compliance with the principles and proof thereof (Article 5 (2)).

Article 6 lists the admissibility criteria for the processing of personal data. It also largely corresponds to existing European data protection law. As before, any processing of personal data requires a legitimizing legal basis - regardless of whether the processing poses a high or low risk to the rights and freedoms of the data subjects (Article 8).

The processing of personal data is only lawful

  • with the consent of the data subject
  • or if the processing is necessary
  • for the performance of a contract or in order to take steps prior to entering into a contract ,
  • to protect the vital interests of the data subject or of another natural person
  • for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
  • for compliance with a legal obligation to which the controller is subject, or
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
These admissibility criteria form an exhaustive system; however, Member States may specify and clarify the requirements for the lawfulness of processing in some areas through national data protection law (Article 6 (2) and (3)). Many legal bases, in particular for the processing of personal data by public authorities, can therefore still be found in general or specific data protection law at national level.

 

III. The EDPB as a central point of contact

The European Data Protection Board (EDPB), the association of the supervisory authorities of all member states at European Union level, is responsible for the uniform application of the law. It is the leading supervisory authority for the enforcement of the GDPR in the EU and makes binding decisions on key issues of the General Data Protection Regulation. 

Its guidelines and decisions form the basis for enforcement by the national data protection authorities in each EU country. With the EDPB at the location of the main establishment, companies with cross-border data processing activities have a central point of contact (so-called one-stop store principle).

 

IV. Consumer rights under the GDPR

The GDPR defines the following rights of data subjects:

Transparency: The data subjects must be informed about the aspects listed not only at the time of initial collection, but in principle at every intended further processing for other purposes. The controller must provide the information on their own initiative, i.e. without a request from the data subject.

Information: In addition to the obligation to provide information, the data subject has a comprehensive right of access to personal data concerning him or her in accordance with Article 15. The right of access also includes the right to receive a copy of the processed data free of charge.

Correction & deletion: Under the conditions of Articles 16 to 18, data subjects may request the correction, deletion and restriction of processing.

The right to erasure also includes the so-called “right to be forgotten”: Where the controller has made the personal data public and thus accessible to other controllers, the controller shall, in the case of an obligation to erase, take reasonable steps to inform the other controllers that a data subject requests the erasure of any links to, or copying of, those personal data.

Data portability: Article 20 grants data subjects the right to data portability. Accordingly, in certain cases, data subjects have the right to receive their data in a structured, commonly used and machine-readable format in order to have it transferred from one controller to another (private) provider without hindrance. It should be noted that the rights and freedoms of other persons must not be impaired when transferring data from one controller to another. This may be the case, for example, if not only the data subject but also third parties are depicted in a photo.

Objection: Article 21 gives data subjects the right to object to (lawful) data processing on grounds relating to their particular situation.  There is also a right to object at any time to the processing of personal data for the purpose of direct marketing. The data subjects must be expressly informed of their right to object at the latest at the time of the first communication.

The rights of data subjects do not apply if the General Data Protection Regulation provides for direct exceptions or if the member states have provided for restrictions to the rights of data subjects via Article 23 of the General Data Protection Regulation.

 

V. Definitions & terminology of the GDPR

The GDPR is a strict law and defines the following terms, among others, as follows

Personal data

Any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR definition of personal data is very broad and also includes information that can be combined to filter out or build up a comprehensive profile of a specific data subject.

According to this definition, statistics cookies (analytics cookies) and marketing cookies (tracking cookies), as used by most websites, are subject to the GDPR. This means that you need the proper consent of your users before placing all cookies that track personal data. Your users must be informed about all tracking and give their consent before data can be processed, says the GDPR.

Processing 

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymization 

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor 

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Consent

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Breach of the protection of personal data

A breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.

Genetic data 

Personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which have been obtained in particular from the analysis of a biological sample from the natural person concerned.

Biometric data

Personal data relating to the physical, physiological or behavioral characteristics of a natural person, obtained using specific technical procedures, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Health data

Personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, and from which information about their health status is derived.

Representative

A natural or legal person established in the Union who has been appointed in writing by the controller or processor in accordance with Article 27 and who represents the controller or processor in relation to their respective obligations under this Regulation.

Binding internal data protection rules

Measures to protect personal data which a controller or processor established in the territory of a Member State undertakes to comply with in respect of transfers or a set of transfers of personal data to a controller or processor within the same group of undertakings or the same group of undertakings engaged in a joint economic activity in one or more third countries.

 

VI. Under what conditions may data be transferred to non-EU countries?

While data transfers to other Member States of the European Union are not subject to any additional requirements and any obstruction of the free movement of data is not permitted for reasons of data protection (see Art. 1 (3)), a transfer of personal data to countries outside the European Union or the European Economic Area (third countries) is only permitted under the conditions set out in Chapter V.

The purpose of the regulations on international data transfers is to ensure comprehensive protection of the fundamental right to data protection (Article 8): The high standard of data protection guaranteed within the European Union and the European Economic Area should not be undermined by the fact that personal data can be transferred to third countries without adequate safeguards.

For a third country transfer, the general provisions of the GDPR must first be complied with (Article 44). In particular, there must be a legal basis for the data transfer in the GDPR or in national data protection law.

In addition, one of the following conditions must be met for a data transfer to a third country

  • Existence of an adequacy decision by the European Commission in accordance with Article 45 GDPR. Decisions of the European Commission on an adequate level of protection exist, for example, for Argentina, Switzerland, Canada, New Zealand, Uruguay, Japan and South Korea.
  • Existence of appropriate safeguards (Article 46 GDPR), in particular in the form of
    • binding internal data protection regulations (Binding Corporate Rules),
    • standard data protection clauses or
    • approved codes of conduct or an approved certification mechanism.
  • Existence of an exception pursuant to Article 49 GDPR, in particular
    • where the data subject has given their express consent,
    • to protect the vital interests of the data subject,
    • where necessary for the performance of a contract,
    • for important reasons of public interest,
    • for the pursuit of legal claims or
    • to safeguard compelling legitimate interests of the controller.


VII. What is valid consent under the GDPR? The EDSA guidelines

The GDPR definition of proper or valid consent is very clear and puts all responsibility on website owners and operators.

On May 4, 2020, the EDPB adopted guidelines on valid consent in the EU. These include:

  1. Cookie banners must not have pre-ticked opt-in boxes / checkboxes as this does not meet the requirement of clear and affirmative action. All cookies (except necessary cookies) must be deselected by default. Consent must be a freely given, affirmative action.
  2. Continued scrolling and browsing on a website does not constitute valid consent. Users must take a clear and affirmative action indicating their choice of consent.
  3. Cookie walls cannot be used to obtain valid consent, i.e. making the user's consent conditional on access to a website and its services is considered unlawful. Bundling consents is not GDPR compliant.
  4. Instead, the cookie banner on your website must be interactive. Websites may not activate cookies that collect personal data until users have selected which categories of cookies may be activated (known as prior consent).

 

Conditions for valid consent

Article 7 of the General Data Protection Regulation deals with the conditions for consent and mentions the following as elementary:

  1. Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
  2. Where the data subject's consent is given in the context of a written statement which also relates to other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language.
    Any part of such a declaration that constitutes a breach of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw consent at any time.
    Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Before consent is given, the data subject must be informed that it is as easy to withdraw as it is to give consent.
  4. When assessing whether consent is freely given, consideration is largely given to whether the performance of a contract, including the provision of a service, depends on consent to the processing of personal data.

Genuine GDPR consent is therefore made clear before any processing of user data, can be revoked and is not linked to conditions for the provision of a service.

 

Characteristics of valid consent

Valid consent must be a freely given, informed, specific and unambiguous expression of the user's wishes. In principle, consent must have the following characteristics:

Specificity

According to the EDPB guidelines, valid consent must always be specific, i.e. a specific, explicit and legitimate purpose must be clearly defined for the intended processing activity.

Unambiguousness

The EDPB Guidelines make it clear that if your website processes personal data for more than one purpose, users must be able to freely choose which purpose they accept - rather than having to consent to a bundle of processing purposes. For your website, this means that you need to be aware of all cookies and their different purposes and offer your users the option to select the activation of some cookies and reject others.

Informed consent

Valid consent must be given in an informed manner, i.e. users must know and understand what they are agreeing to. Your website must provide at least the following information in the banner for consent to be considered informed:

You and the identity of your website

  • the purpose of the individual processing operations for which consent is requested on your website
  • what type of data is collected and used on your website
  • the right to withdraw consent
  • information on the use of the data for automated decision-making
  • possible risks of data transfer based on an adequacy decision as described in GDPR Article 46.

Revocability

In fact, it is a condition for the validity of consent that users must be able to withdraw their consent retrospectively in an equally simple manner; users must be able to withdraw their consent just as easily as they gave it.  

This withdrawal of consent must be voluntary and without consequences. Withdrawal must not result in a denial of access to a website or a restriction of services.

 

VIII. What is Consent Management?

Consent management is the act or process of managing consent from your users and customers for the processing of their personal data.

In other words, consent management means giving your users the ability to opt-in to certain categories of cookies (preferences, statistics and marketing), give their consent and withdraw it if they wish. Consent management is about empowering your users to exercise their right to privacy.

A proper consent management system includes the following:

  • Asking for consent by clearly stating what the consent is for and how the data will be used.
  • Withholding all tracking until the appropriate consent has been given.
  • Securely storing all consents as documentation that consent has been obtained.
  • Users are given the opportunity to withdraw their consent at any time.
  • Consent must be renewed annually. However, some national privacy policies recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.

 

IX. What are the obligations for companies?

In addition to compliance with the principles for the processing of personal data (Chapter II) and the guarantee of consumer rights (Chapter III), Chapter IV of the General Data Protection Regulation contains central provisions for the obligations of data processors. These arise directly from the GDPR.

The main obligations for data processing are as follows

  • Ensuring appropriate technical and organizational measures to ensure data protection and data security, Articles 24, 25 and 32
  • Requirements for order processing, Article 28
  • Keeping a record of processing activities, Article 30
  • Notification of personal data breaches to the supervisory authority and notification of data subjects, Articles 33 and 34
  • Carrying out a data protection impact assessment and prior consultation with the supervisory authorities, Articles 35 and 36
  • Appointment of a data protection officer, Articles 37 to 39

Whether and to what extent the obligations of the General Data Protection Regulation must be fulfilled is primarily determined by the scope, purposes and severity of the risk posed by the data processing (so-called risk-based approach). Only institutions whose business purpose (core activity) is the processing of personal data or which carry out exceptional, high-risk data processing operations are subject to the full range of obligations under the General Data Protection Regulation.

 

Flexible restrictions of obligations according to risk adequacy

The concept of risk adequacy is decisive for the obligations to be fulfilled by the controller: the more probable or severe the risk posed by the data processing, the more extensive and higher the controller's obligations. This flexible approach takes particular account of the concerns of small and medium-sized companies that do not process high-risk data:

  • For example, the technical and organizational measures to ensure data protection and data security must take into account, among other things, the probability of occurrence and severity of the risk posed by the data processing for the data subjects in each individual case.
  • Companies with fewer than 250 employees are exempt from the obligation to keep a processing register if, among other things, the data processing does not pose a risk to the rights and freedoms of the data subjects.
  • In the case of security incidents (personal data breaches), the obligation to notify the supervisory authority does not apply if the breach is unlikely to result in a risk to the rights and freedoms of the data subjects; there is only an obligation to notify the data subjects of an incident if the breach is likely to result in a high risk for the data subjects.
  • The obligation to carry out a data protection impact assessment also only exists if the processing is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, circumstances and purposes of the processing. However, if the data protection impact assessment confirms that the processing would result in such a high risk, there is an obligation to consult the competent data protection supervisory authority in advance.

X. What are the consequences for companies that fail to comply with the GDPR?

If a supervisory authority becomes aware of a breach of the General Data Protection Regulation or a national data protection regulation through a complaint or a random inspection, it can issue a warning to the controller or issue instructions, orders or processing bans (Article 58(2) of the General Data Protection Regulation).

In addition to or instead of remedial powers, it can impose fines of up to € 20 million or 4 percent of annual global turnover in accordance with Article 83 of the General Data Protection Regulation. The requirement of effectiveness, but also proportionality, must be taken into account in each individual case. The data controller can lodge a judicial appeal against legally binding rulings by the supervisory authorities (Article 78 of the General Data Protection Regulation).

In addition to lodging a complaint with the competent supervisory authority, data subjects may also bring an action before the competent courts if they consider that their rights have been infringed as a result of the processing of their personal data (Article 79 GDPR). If a person suffers material or non-material damage due to a breach of the General Data Protection Regulation, they are also entitled to compensation in accordance with Article 82 of the General Data Protection Regulation.

Finally, Section 42 BDSG 2018 provides for criminal offences for the unauthorized processing of data that is not generally accessible if the act was committed commercially, for remuneration or with the intention of enrichment or damage.

 

XI. How do you manage GDPR compliance consent on your website?

The best way to manage GDPR consent is with a consent management platform (CMP), so you can be sure that your website is compliant and your users' privacy is protected.

At dwc, we specialize in consent management and offer all the services you need to comply with the GDPR. Arrange a free initial consultation now.
Previous story
← The new Swiss Data Protection Act (FADP)
The new Swiss Data Protection Act (FADP)
The new Swiss Data Protection Act

The new Swiss Data Protection Act (FADP)

10/14/24 9:39 AM 19 min read
Comprehensive and strict data protection: the Brazilian LGPD
Comprehensive and strict data protection: the Brazilian LGPD

Comprehensive and strict data protection: the Brazilian LGPD

9/5/24 8:43 AM 21 min read
Data protection-compliant tracking without consent with GA4
Data protection-compliant tracking without consent with GA4

Data protection-compliant tracking without consent with GA4

4/11/24 9:30 AM 5 min read