GDPR Basics

Personal data means any information relating to a person (a Data Subject in GDPR language) that can be used to identify that person directly or indirectly. It can be anything related to the person: a name, a phone number, an e-mail address, a photo or a video, an address or location, a bank account number, a car registration plate, a social media account, etc.

GDPR penalties make non-compliance an expensive mistake for a business of any size. Article 83 of the GDPR introduces a tiered approach to penalties, meaning that the severity of the infringement determines the penalty imposed.

Tiers of GDPR penalties

Companies that do not have their records in order or fail to report breaches to the authorities can be fined a maximum of 2% of their annual global turnover. The maximum penalty a company can face is 4% of its annual global turnover or €20 million, whichever is higher.

The assessment criteria when imposing the GDPR fine

Under the GDPR, penalties are administered by the data protection authority of each EU member state. They take the following criteria into account when assessing an infringement:

  • Establish how many infringements (and therefore, penalties) there are
  • Assessment of category of infringement
  • Assessment of the seriousness of the infringement
    • According to Article 83(2)(a):
      • Nature of the infringement (i.e. the specific section of the GDPR framework);
      • The gravity of the infringement, considering the nature, scope and purpose of the processing, the number of data subjects concretely and potentially affected and the level of damage to the individual’s rights and freedoms;
      • Duration of the infringement;
    • Intention – whether the violation was intentional or negligent;
    • Categories of personal data affected – whether the nature of the personal data has the potential to cause immediate damage or distress and therefore gives the breach greater weight;
  • Potential reduction of the starting amount of the penalty, based on smaller turnover;
  • Assessment of mitigating and aggravating factors:
    • Did the organization take any action to mitigate the damage suffered by data subjects;
    • Responsibility – the degree of responsibility the organization has demonstrated so far regarding the implementation of appropriate technical and organizational measures;
    • Previous violations – any relevant previous infringements by the organization;
    • Level of cooperation – the level of cooperation with the supervisory authority that the organization demonstrated in order to remedy the violation and mitigate its possible effects;
    • Notification of the violation – whether (and to what extent) the organization notified the supervisory authority about the violation;
    • History – whether any corrective measures were previously issued against the organization regarding the same subject;
    • Codes of conduct – whether the organization adhered to approved codes of conduct or approved certification mechanisms;
  • Check the sum against the maximum penalty defined by the GDPR;
  • Analysis of effectiveness, dissuasiveness and proportionality.

Example GDPR penalty calculator

Fine calculator based on German Data Protection Authority instructions

List of GDPR penalties applied

The GDPR Enforcement Tracker is a database of fines and penalties that data protection authorities within the EU have imposed under the EU General Data Protection Regulation.

GDPR is a regulation, which means that it comes into force as written: regulations have binding legal effect in every member state. A directive, on the other hand, sets out goals, and the member states decide how to achieve them and transpose them into national law.

Yes, any company that processes personal data of EU citizens must comply with the General Data Protection Regulation.

Organisations operating outside the European Union but employing EU citizens must comply with the GDPR requirements. This means that EU citizens can exercise their rights under the GDPR even if the company does not conduct any business within the EU.

According to GDPR Article 3(2), organisations that are not located in the EU but process the personal data of persons located in the EU, for the purpose of offering goods or services (irrespective of whether payment by the data subject is required) and/or monitoring their behaviour as far as that behaviour takes place within the Union, must comply with the GDPR. This applies to both controllers and processors.

Such a non-EU controller or processor shall designate a local representative in the EU.

All companies processing personal data must comply with the GDPR, regardless of whether payment is charged or not.

Article 4(6) of the GDPR sets out the definition of a ‘filing system’. If the personal data that the company processes manually is in structured form and the processing is conducted in a database, then yes, the GDPR does apply. If the processing is one-off and the company does not use a database, then the GDPR might not apply.

Organizational Procedures

There is a checklist for small and medium-sized businesses that the vast majority of them have to apply. It includes:

  • Keep records of Data Processing Activities. Be ready to present the report of Data Processing Activities to your local Data Protection Authority.
  • Write down your Privacy Policy and communicate it to your customers as well as your partners. As an absolute minimum, publish it on your public website.
  • Manage customer requests based on the “new rights” the GDPR gives to persons. The most important ones include: a) Right to Know, b) Right to Data Portability, c) Right to be Forgotten.
  • Keep a list of your Service Providers (called Processors in GDPR language) who process Personal Data for you, and conclude or amend an agreement with each of them to cover Personal Data processing.
  • Manage Data Breaches and report them to your local Data Protection Authority.

Companies need to appoint a Data Protection Officer (DPO) if the company

  • is a public authority,
  • carries out regular and systematic personal data processing on a large scale,
  • engages in large scale processing of sensitive personal data.

If you do none of these activities, then you do not need to appoint a DPO.

The DPO generally has two main tasks: to monitor GDPR compliance within the organisation, and to interact with the supervisory authority and with the data subjects whose data is being processed. The data protection officer might also inform and advise the organisation on other privacy-related matters and raise awareness by training employees.

A data controller is the person or company that defines the purpose, means and conditions of how personal data is processed. A data processor processes personal data on behalf of the data controller and is usually an entity external to the data controller’s company.

Any company (or person) that deals with personal data on your behalf is called a Processor (in GDPR language). Examples of processors include marketing companies, accountants, payment and delivery service providers, IT/cloud providers, etc.

You have to maintain a list of your external service providers (processors) and the data they process, and conclude or review an agreement with each of them that defines the rules for handling your company’s personal data. Please note that having access to the data, or merely storing it, counts as processing from the GDPR point of view.

With every processor you should have a signed Data Processing Agreement (DPA). You can find more information about DPAs here.

In case of a data breach, you need to inform the supervisory authority within 72 hours of discovering the breach.

The notification has to include what was stolen or lost, how the data was protected (e.g. pseudonymisation) and how the breach may affect the persons whose data it was (Data Subjects in GDPR language). When the breach is severe and may affect persons to a high degree, the company needs to inform the possibly affected persons as well.

If the data processing and the collected data may result in a high risk to the rights and freedoms of natural persons, companies need to evaluate how their processing model may affect natural persons and how to protect these processes from external threats. These impact assessments are required if the company carries out (Article 35):

  1. systematic and extensive evaluation of personal data by automated means;
  2. large-scale processing of special category data or data on criminal convictions and offences;
  3. systematic monitoring of a publicly accessible area (e.g. cameras facing a public area).

Data Subjects

If you are carrying out certain activities involving personal data (e.g. online marketing), you have to ask the persons concerned for consent.

Consent has to be asked for clearly and explicitly. It has to be separate from all other text, and it needs to be clear, freely given and specific, so that the person knows what they are consenting to. Pre-ticked boxes, silence or inactivity are not considered consent under the GDPR; therefore, companies need to ask for direct and formal consent.

Persons also have the right to withdraw their consent (opt out) at any time. You have to make it as easy as possible for them to do so.

According to the GDPR, the data subject can withdraw their consent at any time. However, withdrawing consent applies only to future processing of personal data, not to data that has already been processed. If the consent obtained does not fulfil the requirements of the GDPR, the consent must be re-obtained.

The right to be forgotten is an individual’s (data subject’s) right to demand that companies erase or anonymise their personal data (this is called the “right to be forgotten” or “right to erasure” in GDPR terms).

According to the GDPR, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. “Undue delay” should be understood as at the latest within one month of receipt of the request for erasure, or of receiving identity verification or a fee, if such can be applied.

The data subject has the right to have their personal data erased (right to be forgotten) if:

  • Personal data is no longer necessary for the original purpose of collection or processing.
  • The company is relying on a data subject’s consent as the legal basis for processing the data and that individual withdraws their consent.
  • The company is relying on legitimate interest as its legal basis, the data subject objects to this processing, and there is no overriding legitimate interest for the organisation to continue with the processing.
  • The company is processing personal data for direct marketing purposes and the data subject objects to this processing.
  • The company processed a data subject’s personal data unlawfully.
  • The company must erase personal data in order to comply with a lawful obligation.

However, a right to process someone’s data might override their right to be forgotten in the following situations:

  • The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to comply with a lawful obligation.
  • The data is being used to perform a task that is being carried out in vital or public interest.
  • The data is being used for the establishment of a legal defence or in the exercise of other legal claims.

What does the Right to be Informed mean?

An individual has the right to be informed about how and why their personal data is being processed. The grounds for processing are usually explained when asking the individual for consent. The individual also has the right to be informed after giving consent, meaning that the company should be able to provide the individual with concise, intelligible, easily accessible and clearly written information about the processing, free of charge.

Right to be informed – what information has to be provided to the data subject?

  • The name and contact details of our organisation.
  • The name and contact details of our representative or data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The categories of personal data obtained (if the personal data is not obtained directly from the individual).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if consent is used as a legal basis).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained directly from the individual).
  • The details of whether individuals are under a statutory or contractual obligation to provide personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

Read more in the EDPB guidelines on the Right of access (aka Right to be informed).

The right to data portability means that a person can obtain their personal data from one service provider and reuse it at another for their own purposes in an easy and safe way. It allows data to be taken from one IT environment in a structured, commonly used and machine-readable format and moved into another without affecting its usability (where technically possible).

According to GDPR Article 16, the right to rectification means that the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data controller should take reasonable steps to ensure that the data is accurate and to rectify the data if necessary. The controller should take into account the arguments and evidence provided by the data subject.

Consent from the parents is required when processing data of children under the age of 16 for online services.

Digital marketing and direct marketing are based on data that the company has collected; therefore marketing activities must comply with the GDPR as well. Consent must be obtained from the data subjects, and existing consent forms must be reviewed. There are several guidelines that must be followed when initiating contact in B2B and B2C. Read more about marketing in B2B and about direct marketing rules and exceptions under the GDPR.

GDPR Terminology

“DPO” means Data Protection Officer. The role of the data protection officer (DPO) is to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules. Data protection officers are responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements.

The DPO assists the organisation with monitoring its internal compliance, informs and advises on data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs) and acts as a contact point for data subjects and the supervisory authority.