
What is GDPR

Published on 25/04/2022

GDPR stands for Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

GDPR was published in the Official Journal of the European Union L119/4 May 2016, entered into force on 25 May 2016 and will be applicable from 25 May 2018 throughout the European Union. The GDPR contains a set of rules designed to give citizens more control over data that can identify them.

What are the main obligations imposed by GDPR


The Data Protection Officer (DPO) is a person with specialized knowledge of data protection legislation and practices, whose role is to assist the operator, or the person authorized by the operator, in monitoring internal compliance with the provisions of Regulation (EU) 2016/679. When appointing the DPO, the following conditions must be taken into account:

  • the professional qualities of the appointed person
  • specialized knowledge in data protection law and practices
  • the ability to perform the tasks provided for by Regulation (EU) 2016/679

New rights for individuals. Portability of personal data

Data subjects will have new rights, such as the right to data portability, i.e. individuals will have the right to receive their data in a structured format.

New rules on consent

Consent for processing will have a much more restrictive regime. Thus, the consent request must be intelligible and easily accessible, in clear and simple language; if more than one aspect is included, the request for consent must be clearly differentiated from the other aspects; it must be possible to withdraw consent as simply as it was given; conditioning of consent is not allowed (e.g. conditioning the provision of a service or the delivery of a good on the agreement to process data for direct marketing).


Currently, the processing of personal data must be brought to the attention of the data subjects, but the rules applicable from May 25, 2018, according to the GDPR, impose a series of additional elements, such as the data protection officer, the basis of the processing, whether profiling is used, how long the data is kept, etc.

Who must appoint a DPO

  • Public authorities or institutions (courts must create their own supervisory mechanisms for the processing carried out in the exercise of their jurisdictional function).
  • The organization/enterprise/legal person/entity which, in the capacity of operator or person empowered by the operator, carries out as its main activity processing operations which, by their nature, scope and/or purposes, require a periodic and systematic monitoring of data subjects on a large scale.
  • The organization/enterprise/legal person/entity which, as an operator or a person authorized by the operator, processes, in the course of its main activity, on a large scale special categories of data or personal data regarding criminal convictions and offences.

Who is obliged to implement the GDPR?

The GDPR applies to any organization operating within the EU, as well as any non-EU organization that provides goods or services to EU customers or businesses. Ultimately, it means that almost every major corporation in the world will need to be ready when GDPR comes into effect. The aim of the GDPR is to simplify the regulatory environment for business so that citizens and businesses can fully benefit from the digital economy.

The legislation applies to two different types of entities that handle data: processors and operators. Definitions of each term are provided in Article 4 of the General Data Protection Regulation.

Sanctions and obligations

Failure to comply with GDPR provisions can result in a fine from 10 million euros to 4% of the company's global annual turnover, which for some could mean billions.

The fines will depend on the severity of the violation of the regulation and on whether the company is considered to have seriously taken the necessary measures to ensure the security of the data. The maximum fine of 20 million euros or 4% of the company's global annual turnover will be imposed for violating the rights of data subjects, unauthorized international transfer of personal data, and failure to adopt procedures, or ignoring a person's request for access to personal data. Fines of 10 million euros or 2% of global annual turnover will be applied to companies that use personal data in other ways. These include not reporting cases of data security violations and not ensuring confidentiality and data protection in the first stage of the project.