GDPR – General Data Protection Regulation
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR)
Overview
The General Data Protection Regulation (GDPR) has been the central legal framework for data protection in the European Union since 25 May 2018. It applies directly in all EU member states.
Core Principles
- Lawfulness, transparency: Data processing only with a legal basis
- Purpose limitation: Collect data only for specified purposes
- Data minimisation: Collect only necessary data
- Storage limitation: Do not retain data longer than necessary
- Integrity and confidentiality: Appropriate security measures
Data Subject Rights
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to data portability
- Right to object
Obligations for Companies
- Records of processing activities
- Data protection impact assessment for high-risk processing
- Breach notification within 72 hours
- Data Protection Officer appointment (where required)
- Data processing agreements with processors
Legal Sources
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR) – EU, published on EUR-Lex
- BDSG – Federal Data Protection Act (DE) – in force since 25.05.2018
- DSG – Data Protection Act (AT) – in force
- revDPA – Revised Federal Act on Data Protection (CH) – in force since 01.09.2023
Frequently Asked Questions
Does the GDPR apply to small businesses?
Yes, the GDPR generally applies to all companies that process personal data of EU citizens, regardless of size.
What is a Data Protection Officer?
A DPO is a person who oversees GDPR compliance within the organisation. Appointment is mandatory in many cases, for example when more than 20 employees regularly process personal data.