The General Data Protection Regulation (GDPR) came into force on 24 May 2016 and applies from 25 May 2018. GDPR is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. The Directive ensures that personal data processing across the EU complies with the principles of legality, proportionality, and necessity, with appropriate safeguards for individuals. It also ensures completely independent supervision by national data protection authorities, and effective judicial remedies.
Personal data is any information that relates to an identified or identifiable living individual (deceased persons or legal entities are not considered as entities with personal data). Moreover, different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. The Law, including the Directive, protects personal data regardless of the technology used for processing that data: it does not matter how the data is stored, whether in an IT system, through video surveillance, or on paper.
Several examples of personal data: a name and surname, a home address, an email address such as email@example.com, an identification card number, location data, an Internet Protocol (IP) address, a cookie ID.
Several examples of non-personal data: a company registration number, an email address such as firstname.lastname@example.org.
GDPR regulates the processing, by an individual, a company or an organisation, of personal data relating to individuals in the EU. Data processing by an individual for purely personal reasons is out of scope of GDPR.
Under GDPR, processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Several examples of processing: staff management and payroll administration; access to/consultation of a contacts database containing personal data; sending promotional emails; shredding documents containing personal data; posting/putting a photo of a person on a website; storing IP addresses or MAC addresses; video recording (CCTV).