The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), in German Datenschutz-Grundverordnung (DSGVO), is the legal framework for the protection of personal data within the European Union. The regulation was adopted in 2016 and has applied since 25 May 2018. It applies to any organization that processes the personal data of people in the EU, regardless of where that organization is located (Jarmul 2023).
The GDPR protects the fundamental rights and freedoms of natural persons (that is, real individuals, not legal entities such as companies) with regard to the processing of their personal data, and in particular their right to the protection of that data.
The GDPR is based directly on primary EU law (Article 16 TFEU) and replaced the older Data Protection Directive (95/46/EC, from 1995). Unlike a directive, which member states must transpose into their national laws, the GDPR is a ‘Regulation’: it applies directly throughout the entire EU and, in this case, the whole European Economic Area (EEA), that is, all EU countries plus Iceland, Liechtenstein, and Norway. Member states may therefore not provide less data protection and privacy than the GDPR lays down (Hildebrandt 2020). They may, however, legislate on certain points that the GDPR explicitly leaves to national law (the so-called opening clauses). Germany made use of this in its Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and the German states additionally have their own data protection laws (see e.g., the Bavarian Data Protection Act).
The GDPR in Brief
The full text of the GDPR, with all its articles and recitals, is available online.
The GDPR grants people in the EU eight fundamental rights over their personal data:
| Data Right | Description |
|---|---|
| Right to be informed | People must be told what data is collected about them and how it is used and processed. |
| Right to access | People can obtain a copy of the personal data held about them and information about how it is processed. |
| Right to rectification | People can have inaccurate or incomplete information about them corrected. |
| Right to deletion/erasure | People can require that their data be deleted, e.g., when it is no longer needed for the purpose it was collected for or when they withdraw their consent. |
| Right to restrict processing | People can have the processing of their data restricted, e.g., while a dispute about its accuracy is being resolved. |
| Right to data portability | People can receive their data in a machine-readable format and take it with them—to use themselves or to try competitor services. |
| Right to object | People can object to the use of their data for particular purposes (such as direct marketing or research). |
| Right not to be subject to automated decision making | People have the right not to be subject to decisions based solely on automated processing (such as algorithmic or machine learning systems), including profiling, that have legal or similarly significant effects on them. |
Definitions in the GDPR
Below are some definitions that the GDPR operates on (Article 4).
- Personal data: any information connected to a person who can be identified, either directly (for example, by their name or an ID number) or indirectly (for example, through location data, online accounts, or details about their body, health, finances, culture, or social life). See the next chapter for a more extensive explanation.
- Processing: doing anything with personal data, whether by hand or with a computer. This includes collecting, recording, organizing, storing, changing, looking up, using, sharing, combining, restricting, deleting, or destroying the data.
- Controller: the person, company, public authority, or other body that decides why personal data is processed and how it is processed. In some cases, the law itself decides who the controller is or sets rules for how the controller is chosen.
It is important to know that the GDPR's scope (Article 3) is not tied to citizenship or residence. It applies to any processing carried out in the context of a controller or processor established in the EU/EEA, wherever the processing itself takes place, and to processing by organizations outside the EEA when they offer goods or services to, or monitor the behavior of, people who are in the EEA.
Integration with Other Legal Frameworks
To date, an overarching international framework for anonymization does not exist; it would also be quite hard to find common ground between the varying national and regional legal frameworks.
Learning Objective
- After completing this part of the tutorial, you will have an overview of the legal obligations when collecting and processing personal data according to GDPR.
Exercises
(none)