Does the GDPR apply to companies outside the EU?

Yes, where they offer goods or services to, or monitor, individuals in the EU. Such organisations must comply and often appoint an EU representative.

What is the maximum GDPR fine?

Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements.

What is the difference between a controller and a processor?

A controller determines the purposes and means of processing personal data. A processor processes data on behalf of and under the instructions of the controller. A DPA is required between them.

What lawful bases are available under the GDPR?

Six bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The most commonly used in commercial contexts are consent, contract, and legitimate interests; each has different requirements and implications.

How does the GDPR affect AI and automated processing?

Article 22 GDPR gives individuals the right not to be subject to solely automated decisions with significant effects, including profiling. AI systems making such decisions must have a lawful basis and provide for human review on request.

GDPR

The EU regulation governing how personal data of individuals must be processed and protected.

Definizione

The General Data Protection Regulation (GDPR) is the EU-wide law governing the processing of personal data, granting individuals rights of access, correction, and erasure and imposing principles such as lawfulness, purpose limitation, and data minimisation. It applies to controllers and processors, requires a lawful basis for processing, and backs compliance with fines up to €20 million or 4% of global turnover. In the Netherlands it is known as the AVG and supplemented by the Uitvoeringswet AVG.

Esempio

Before launching an email campaign, a marketer confirms a valid lawful basis (consent or legitimate interest) for processing the recipients' data under the GDPR.

Perché rappresenta un rischio aziendale

GDPR compliance is not only a legal obligation but a contractual one: customer and partner contracts increasingly require warranted compliance, and a breach can trigger indemnity obligations as well as regulatory fines. Companies that treat GDPR as a checkbox exercise, rather than an ongoing programme, often discover gaps only when a breach or regulator inspection occurs.

Come gestirlo

Maintain a Record of Processing Activities (ROPA) so you know what data you process, on what basis, and who handles it.
Ensure every supplier that processes personal data on your behalf has a signed DPA before processing begins.
Test your 72-hour breach-notification process before an incident happens: know who is responsible and what data the regulator needs.
Review contracts that include GDPR warranties periodically so the warranted standard keeps pace with regulatory guidance.

Riferimenti normativi

Regulation (EU) 2016/679 General Data Protection Regulation

Salvo diversa indicazione, i riferimenti riguardano il diritto olandese (Burgerlijk Wetboek, il Codice Civile olandese); gli strumenti UE come il GDPR si applicano in tutta l'UE. Si tratta di informazioni generali, non di consulenza legale. Altre giurisdizioni trattano questi concetti in modo diverso. Verifichi il testo vigente e la propria situazione con un avvocato qualificato.

Domande frequenti

Domande comuni su questo termine.