General Data Protection Regulation - GDPR

Paz Itzhaki-Weinberger, 13-August-2017




On April 27th, 2016 the European Commission adopted a new regulation, No.2016/679, known as the General Data Protection Regulation (GDPR).


GDPR brings with it significant changes in the area of personal data protection in the European Union.


However GDPR affects not only European organizations, but exceeds EU borders and also applies to almost all organizations operating globally dealing with data originating for the EU or related to EU citizens or residents.


MEANING OF GDPR Adoption & Deadline for compliance

         GDPR replaces Data Protection Directive 95/46/EC as well as the personal data protection laws of EU Member States!

         GDPR is directly applicable in all countries of the EU (no transposition to national laws required)

         All organizations that store, process and transfer any personal data related to EU residents (including employers processing employees personal data, outsourcers or companies only sending data or storing it outside the EU) are subject to GDPR and must amend or adopt entirely new form of work and procedures in the way they collect and use personal information and be able to prove such internal policies to the supervising authority

        GDPR comes into force on 25th May, 2018

        Companies now have less than one year to become familiar with the new guidelines, and adapt to and comply with the new regulation before the deadline, this is not a trivial task for many organizations.


See this link for more details and the Countdown Clock:




Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover 
or 20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

Conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.​


Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.



There are many other aspects of GDPR compliance, including (but not limited to): Data Portability, Privacy by Design, Right to Access, Appointment of Data Protections Officers in Organizations and supervision over their work, Breach Notification etc.


EXTRA-TERRITORIAL- GDPR a Global issue, not just EU

The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the companys location (Extra-Territorial Applicability!). Previously, territorial applicability of the directive was ambiguous and referred to data process 'in context of an establishment'. This topic has arisen in a number of high profile court cases. GPDR makes the issue of applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU



To summarize: the implications of GDPR seem massive, everyone is invited to seek professional advice, also as mentioned above The clock is ticking and the deadline closer than ever.


More details are planned to become available via the following link: