GDPR

GDPR (General Data Protection Regulation) is the EU regulation on the protection of personal data. It came into effect on 25 May 2018 and sets requirements for how organisations collect, store and process personal data. All organisations that process data about individuals in the EU must comply.

    What is GDPR?

    GDPR stands for General Data Protection Regulation (EU Regulation 2016/679). It replaced the former EU Data Protection Directive from 1995 and established a single, harmonised standard for data protection across the entire EU.

    The purpose is straightforward: to give individuals control over their own personal data and ensure that organisations process it responsibly. In practice, this means your organisation must be able to document that you have proper control over your data processing activities.

    The seven principles of GDPR

    The entire regulation rests on seven fundamental principles (Article 5). They form the framework for everything you do with personal data:

    • Lawfulness, fairness and transparency: You must have a lawful basis for processing, and data subjects must know what you do with their data.
    • Purpose limitation: You may only use data for the purpose you have specified.
    • Data minimisation: Collect only what is necessary.
    • Accuracy: Data must be correct and kept up to date.
    • Storage limitation: Delete data when you no longer need it.
    • Integrity and confidentiality: Protect data with appropriate security measures.
    • Accountability: You must be able to demonstrate that you comply with the principles.

    Who must comply with GDPR?

    In short: everyone who processes personal data about individuals in the EU. This includes:

    • Organisations of all sizes established in the EU
    • Organisations outside the EU that offer goods or services to individuals in the EU
    • Organisations that monitor the behaviour of individuals in the EU (e.g. website tracking)

    Also applies to small businesses:
    There is no minimum threshold. A sole trader with a customer list must also comply with GDPR. However, the requirements can be proportionate to the scale of the data processing.

    Key requirements in practice

    GDPR contains many articles, but here are the requirements most organisations need to address:

    • Lawful basis: You must have a lawful basis for all processing of personal data.
    • Transparency and information: Inform data subjects about how you use their data.
    • Records of processing activities: Document all your processing activities (Article 30).
    • Data processing agreements: Enter into agreements with all suppliers that process data on your behalf.
    • Data subject rights: Have procedures in place for access, erasure, rectification and other rights.
    • DPIA (data protection impact assessment): Carry out a DPIA before starting processing that is likely to involve a high risk to data subjects.
    • Personal data breaches: Report to the supervisory authority within 72 hours.

    Fines and enforcement

    Infringements can result in fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. In practice, fines vary, and the Danish Data Protection Agency (Datatilsynet) has typically issued smaller fines and orders.

    But fines are only part of the picture. Lack of GDPR compliance can also mean loss of customer trust, negative publicity and lost business deals, particularly with larger organisations that require supplier compliance.

    Frequently Asked Questions about GDPR

    What does GDPR stand for?

    GDPR stands for General Data Protection Regulation. It is EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

    Who must comply with GDPR?

    All organisations that process personal data about individuals in the EU. This includes organisations outside the EU if they offer goods or services to individuals in the EU or monitor their behaviour.

    What are the penalties for breaching GDPR?

    Fines can reach up to EUR 20 million or 4% of global annual turnover, whichever is higher. In practice, fines vary considerably, and the Danish Data Protection Agency typically issues smaller fines to Danish organisations.

    What are the seven principles of GDPR?

    The seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

    Does GDPR apply to small businesses?

    Yes. There is no minimum size threshold. Any organisation that processes personal data about individuals in the EU must comply, though the requirements can be proportionate to the scale of the processing.
