The GDPR is based on a set of principles. The new European data protection regulation came into force on 25 May 2018. Among other things, it aims to harmonise European data protection law in response to increasing digitisation and the resulting cross-border use of personal data.
Art. 6 GDPR defines in detail when processing is lawful. This is the case in particular when the data subject has given consent.
The principle of fairness relates, above all, to whether companies processing personal data act in good faith. Unlike consent, this cannot be defined precisely and must therefore be assessed on a case-by-case basis. Certifications of various kinds are one way of demonstrating good faith.
The principle of transparency is intended to guarantee the data subject's right to informational self-determination. The GDPR defines the duty to inform, the data subject's right of access and, on the technical side, requirements for privacy by design and privacy by default. These are specified in Art. 12 et seq. and Art. 25 GDPR.
The principle of purpose limitation requires that collected personal data be assigned to a specific purpose. That purpose must also be clearly stated at the time of collection.
The principle of data minimisation is intended to ensure that personal data is not collected or processed inappropriately.
Organisations must ensure the accuracy of the personal data they process and are obliged to correct or delete it as necessary.
Storage limitation restricts how long personal data may be retained. Once storage is no longer necessary for the processing purpose, the personal data must be deleted, in line with the statutory retention periods.
Anyone who collects personal data must also protect it accordingly. To this end, the GDPR obliges companies to implement technical and organisational measures (TOMs) to protect personal data. Art. 32 GDPR specifies these measures; they include, for example, encryption, access controls, role concepts, secure disposal and more.
The GDPR also regulates the consequences of violations. Anyone who violates the GDPR faces fines of up to €20 million or, for companies, up to 4% of worldwide annual turnover. Companies must also reckon with measures taken by the supervisory authorities.