Key Compliances Under GDPR

1. Lawful Basis for Processing

• • Organizations must identify and document a lawful basis for processing personal data (consent, contract, legal obligation, vital interest, public task, legitimate interest).
  • Consent must be explicit, informed, and freely given.

2. Data Subject Rights

• • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (“Right to be forgotten”) (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights in relation to automated decision-making (Article 22)

3. Privacy by Design and by Default

• • Technical and organizational measures (TOMs) must be built into systems and processes.
  • Default settings should minimize personal data collection and exposure.

4. Records of Processing Activities (RoPA)

• • Data controllers and processors must maintain written records of processing activities (Article 30).

5. Appointment of Data Protection Officer (DPO)

• • Mandatory for public authorities, organizations processing large-scale sensitive data, or large-scale systematic monitoring of individuals.

6. Cross-Border Data Transfers

• • Transfers outside the EU/EEA permitted only under approved safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), adequacy decisions, or explicit consent.

7. Data Breach Notification

• • Supervisory authority must be notified within 72 hours of becoming aware of a personal data breach (Article 33).
  • Data subjects must be informed without undue delay if breach poses high risks (Article 34).

8. Impact Assessments (DPIA)

• • Mandatory for high-risk processing operations, e.g., large-scale profiling, systematic monitoring, or processing of sensitive categories of data.

9. Contracts with Processors

• • Controllers must ensure contracts with processors comply with Article 28 requirements, including security measures, sub-processor approval, and audit rights.

10. Children’s Data Protection

• • Special rules for processing data of children under 16 years (can be lowered to 13 by Member States).
  • Parental consent required where applicable.

Penalties Under GDPR

GDPR provides for two tiers of administrative fines:

• Tier 1: Up to €10 million, or 2% of annual global turnover, whichever is higher.
  • Applies to breaches of record-keeping, security, breach notification, and processor obligations.
• Tier 2: Up to €20 million, or 4% of annual global turnover, whichever is higher.
  • Applies to breaches of basic principles (consent, data subject rights, international transfers).

Supervisory authorities may also impose corrective actions such as warnings, reprimands, suspension of processing, or order to rectify/delete data.