Iubenda logo
Start generating


Table of Contents

Demo post – What is the GDPR?


What does GDPR stand for

GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).

It’s intended to strengthen data protection for all people whose personal information fall within its scope of application , putting personal data control back into their hands.

What exactly does “Personal Data” comprise of?

Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person.

This applies even to data that has been pseudonymized or encrypted as long as the encryption / anonymization is reversible. In terms of meeting data protection obligations under the regulation, it means that decryption keys will need to be kept separately from the pseudonymized data .

Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, personal email addresses, political opinions, and sexual orientation data.

Examples of non-personal data include company registration numbers, generic company email addresses such as info@company.com , and anonymized data.

Special definitions used below
  • The term ” user ” here means an individual whose personal data is processed by a controller or processor (also known as the data subject ).
  • The term ” data controller ” means any person or legal entity involved in determining the purpose and ways of processing the personal data.
  • The term ” data processor ” means any person or legal entity involved in processing personal data on behalf of the controller.

For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.

Where does it apply

The GDPR can apply where:

  • an entity’s base of operations is in the EU (this applies whether the processing takes place in the EU or not);
  • an entity not established in the EU offers goods or services (even if the offer is for free) to people in the EU. The entity can be government agencies, private / public companies, individuals and non-profits; or where
  • an entity is not established in the EU but it monitors the behavior of people who are in the EU, provided that such behavior takes place in the EU.

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not. As a matter of fact, this PwC survey showed that the GDPR is a top data protection priority for up to 92 percent of US companies surveyed.

A common misconception is that only EU users are covered by the protections of the GDPR, however the protections of the GDPR also extend to users outside the EU if the data controller is EU based . Therefore, if you are an EU-based data controller you must, and by default, apply GDPR standards to ALL your users.

The GDPR became fully enforceable on May 25th, 2018 .

See also