Final European GDPR Gen Data Pro Reg
The GDPR is directly applicable at national level and harmonizes data protection
laws across the EU. It replaces the current 1995 Data Protection Directive
(Directive 95/46/EC). However, in certain limited cases, the GDPR leaves
some flexibility to Member States for national transposition, and in those cases Member
States have to introduce national provisions to complement the GDPR.
The GDPR applies to data controllers and data processors established in the EU. It also
becomes applicable to data controllers or processors offering goods or services to the EU or
monitoring the behavior of individuals in the EU.
The GDPR does not apply to certain processing covered by the Law Enforcement Directive
(Directive 2016/680/EC), processing for national security purposes and processing carried out
by individuals purely for personal/household activities.
1. Material Scope of the GDPR — (Article 2)
The GDPR applies to the processing of personal data. Personal data is defined as any
information relating to an identified or identifiable natural person and includes data such as an
IP address, an email address, or a telephone number. Processing activities include, among
others, the collection, use, and disclosure of the data.
The GDPR provides additional protection for the processing of special categories of
personal data. Such special categories include personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs or trade union membership; genetic and
biometric data processed for the purpose of uniquely identifying a natural person; data concerning health;
and data concerning a natural person's sex life or sexual orientation.
2. Territorial Scope of the GDPR — (Article 3)
The GDPR applies to data controllers and data processors with an establishment in the EU, or
with an establishment outside the EU that targets individuals in the EU by offering goods and
services (irrespective of whether a payment is required) or that monitors the behavior of
individuals in the EU (where that behavior takes place in the EU).
4. the processing is necessary to protect the vital interests of the data subject or of another
natural person, or
5. the processing is necessary for the performance of a task carried out in the public interest, or
6. the processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject which require protection of personal data,
in particular where the data subject is a child.
5. Consent — (Articles 4, 7 and 8)
The GDPR devotes several articles to clarifying the notion of consent.
Under the GDPR, which reflects the WP29's opinion on consent requirements, consent must be
freely given, specific, informed and an unambiguous indication of the data subject's wishes which,
by a statement or by a clear affirmative action, signifies agreement to processing.
Specific requirements apply in relation to children's consent for information society services.
If an individual below 16 years of age wishes to use information society services, consent must be
obtained from the child's parent or the holder of parental responsibility for the child in
question. However, Member States may introduce domestic laws to lower this age, to not less
than 13 years.
6. Individual Rights — (Articles 12 — 23)
The GDPR maintains, often reinforces and further develops the rights of individuals
(information, access, rectification, objection, erasure, restriction, right to be forgotten, right to
data portability).
o The right to information requires data controllers to give individuals certain information about
the processing of their personal data free of charge (exceptions apply — Article 14).
o The right to be forgotten, also referred to as the right to erasure, includes both the right to
have the data erased and the right to delisting in certain circumstances. Individuals have the
right to require data controllers to delete their data in certain
o The right to restriction of processing applies in some specific circumstances, including, for
example, for an interim period allowing the data controller to verify the accuracy of
personal data that is contested by the data subject, or when the controller no longer needs the
personal data for the purposes of the processing but the data subject requires them for, for
example, the establishment of legal claims.
o The right to data portability refers to the right of an individual to receive the personal data that
he/she has provided to the data controller in a structured, commonly used and machine-readable
format and to transmit that data to another data controller without hindrance.
7. Accountability obligations of data controllers — (Articles 5, 25, 30, 35 — 43)
According to the accountability principle (Article 5(2)), data controllers (i.e. the entities that
determine the purposes and means of the processing) have to ensure compliance with the GDPR and
be able to demonstrate such compliance. Data controllers generally must implement
appropriate technical and organizational measures, including data protection policies. In
assessing which measures to implement and how, data controllers should
consider the nature, scope, context and purposes of the processing as well as the risks to the
rights and freedoms of individuals.
8. Obligations of data processors — (Article 28)
The GDPR introduces new requirements which apply directly to data processors, giving them
a legal status separate from that of data controllers, particularly with regard to security
measures and international data transfers.
Data processors must provide the expected guarantees just as data controllers do and must also
implement appropriate technical and organizational measures to ensure that the processing will
meet the requirements of the GDPR. Data processors must also assist data controllers in matters
of security, data protection impact assessments (DPIAs) and data breach notifications, and alert the controller if its processing
instructions would lead to a possible violation of the GDPR or of a provision of Union or
Member State law.
9. Data breach notifications — (Articles 33 and 34)
Under the GDPR, data breach notifications to the Data Protection Authority (DPA) are
mandatory unless the data breach is unlikely to impact the rights and freedoms of
individuals. Data controllers must provide such notification to the DPA without
undue delay and, where feasible, not later than 72 hours after having become aware
of it.
10. International Transfers — (Articles 44 — 49)
Under the GDPR, personal data may be transferred outside the EU to third countries or
international organizations that provide an "adequate level of data protection", meaning
"essentially equivalent" to the level of protection afforded within the EU.
A transfer of personal data to a third country or international organization that is not covered by a
European Commission adequacy decision can be made where appropriate specific
safeguards are in place. Such safeguards can be put in place through a number of available tools,
such as standard data protection clauses and binding corporate rules, and through new tools such as approved
codes of conduct or certification.
11. Supervision, Cooperation, Remedies — (Articles 50 and 83)
In general, the GDPR reinforces the independence requirements and the role of DPAs. They benefit
from a wide range of consultative, investigative and corrective powers, including the power to
impose administrative fines.
The GDPR significantly toughens the approach to, and the level of, administrative fines foreseen
in the EU and harmonizes them.
DPAs will have the power to impose administrative fines reaching up to 20 million euros or
4% of the annual worldwide turnover for certain infringements of the GDPR provisions.
12. European Data Protection Board (EDPB) — (Articles 64, 65, 66 and 68)
The Article 29 Working Party (WP29), set up under Directive 95/46/EC, is composed of the EU's national
supervisory authorities, the European Data Protection Supervisor ("EDPS") and the European Commission. The
WP29 will be replaced by the "European Data Protection Board" ("EDPB").
The EDPB is given a long and detailed list of tasks, but its primary role will be to contribute to the consistent
application of the GDPR throughout the Union.
The EDPB will have the status of an EU body with legal personality and extensive powers to settle disputes
between national supervisory authorities and to issue opinions on specific matters such as lists of risky processing,
codes of conduct and accreditation criteria for certification bodies. The EDPB will also be responsible for issuing
guidelines, recommendations and best practices.
13. One Stop Shop
The GDPR provides new methods of co-operation and consistency through, for example, the
"one stop shop" mechanism for entities carrying out cross-border processing in multiple EU Member
States.
Cross-border processing exists when either controllers or processors carry out activities through
establishments in more than one Member State or where there is a single establishment but with
processing activities that substantially affect or are substantially likely to affect data subjects in
more than one Member State.