Your rights under the GDPR: principles and foundations of privacy protection

From past to policy

Before GDPR became a nightmare (or a savior) for companies across Europe, it was created as a response to the digital revolution and the growing concerns about data privacy.

How did GDPR come about and why was it necessary?

It all started like this...

The General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since May 25, 2018, replacing the outdated Data Protection Directive of 1995. In the world of nearly three decades ago, the internet was in its infancy, social media didn't exist, and data processing mainly took place offline. The digital revolution then brought an explosion of online services, e-commerce, social media, and artificial intelligence, creating the need for more modern and stricter privacy protection rules.

GDPR is not just a new regulation – it is a response to the growing concerns about privacy and data security. Its main goal is to strengthen individuals' rights by giving them greater control over their personal data, while simultaneously imposing stricter obligations on companies and organizations that collect and process that data.

A key innovation introduced by GDPR is a stronger enforcement mechanism: supervisory authorities now have the power to impose hefty fines, which for the most serious infringements can reach up to 20 million euros or 4% of a company's total worldwide annual turnover, whichever is higher. Additionally, individuals have the right to lodge a complaint with a supervisory authority and to seek compensation if their rights are violated.

As a candidate country for EU membership, Serbia adopted a new Law on Personal Data Protection that has applied since 2019 and is largely aligned with GDPR. This established modern data protection standards in business, but domestic companies and institutions still face the challenges of implementing it.


Key Terms of GDPR

To better understand how GDPR works in practice, it's important to know the basic terms that are frequently used in this regulation:

🔹Personal data – Any information that can identify an individual, either directly or indirectly. This can include name, email address, IP address, as well as biometric data, political beliefs, and other sensitive information.

🔹 Data processing – Any action performed on personal data, whether automated or manual. This includes collecting, storing, using, sharing, and even deleting data.

🔹 Data subject – The person whose data is being processed. This can include clients, website users, employees – in short, anyone whose personal data is stored in an organization's systems.

🔹 Data controller – An organization or individual who decides how and why personal data is processed. This can be a company, a government institution, or even an entrepreneur who collects data from their clients.

🔹 Data processor – A third party that processes data on behalf of, and on the instructions of, the data controller. These can include cloud storage services like Google Drive, email services like ProtonMail, or external call centers that handle customer data for a company. The controller remains responsible for the processing and must bind the processor by a written data processing agreement (Article 28 GDPR).

These terms are the foundation for understanding GDPR and are essential for the proper implementation of the regulation in business.


Basic Principles of GDPR

Every company that processes personal data must adhere to seven key principles of GDPR. These are not just formal rules – their goal is to ensure privacy protection and transparency when handling data.

🔹 Lawfulness, fairness, and transparency – Data may be processed only on one of the legal bases listed in Article 6 GDPR (consent, contract, legal obligation, vital interests, public task, or legitimate interests), in a way the user would reasonably expect, and users must be informed about how their data is being used.

Example: Companies must have an easily accessible and clear privacy policy that explains the purpose of data processing.

🔹 Purpose limitation – Data can only be used for the purposes for which it was collected. It should not be processed further in a way that is incompatible with those purposes.
Example: If a user provides their email during registration in order to create an account, that email should not be used for sending advertisements without a separate lawful basis for that purpose (typically consent).

🔹 Data minimization – Only data that is truly necessary should be collected. Less data means lower risk.
Example: When creating an account for online shopping, it is sufficient to request an email and delivery address, without additional personal information.

🔹 Accuracy and currency of data – Companies must ensure the accuracy and currency of the data they store.
Example: Banks must allow users to regularly update their contact information to avoid errors in delivering important communications.

🔹 Storage limitation – Data should not be kept longer than necessary. Once the purpose has been fulfilled, the data must be deleted or anonymized.
Example: A company may retain data about former employees only as long as necessary for tax and legal obligations.

🔹 Integrity and confidentiality – Personal data must be protected from unauthorized access, loss, or misuse by technical and organizational measures appropriate to the risk (Article 32 GDPR). If a breach happens anyway, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it.
Example: Encryption of data at rest and in transit, two-factor authentication, and strict access control reduce the risk of identity theft and data leaks.

🔹 Accountability – Companies must not only comply with GDPR but be able to demonstrate that compliance.
Example: Maintaining records of processing activities, conducting audits, and appointing a Data Protection Officer (DPO); a DPO is mandatory only in certain cases, such as public authorities or organizations whose core activities involve large-scale monitoring or processing of sensitive data.

These principles are fundamental to GDPR. A company that understands and applies them reduces its legal risk and gains the trust of its users.

Individuals' Rights under GDPR

GDPR gives individuals in the European Union, regardless of citizenship, strong rights that allow them to maintain control over their personal data. Here are the rights they have:

🔹 Right to be informed – Users have the right to be informed about how their data is being used and who is processing it.
Example: Every organization must clearly inform users about the purpose of processing their data through a privacy policy or other channels.

🔹 Right of access to data – Users can request a copy of all the personal data an organization holds about them, together with information such as the purposes of processing, the recipients, and the retention period. The organization must normally respond within one month.
Example: If a user wants to know what data about them exists in a company's database, they can request it and must receive a response.

🔹 Right to rectification – If the data is inaccurate or incomplete, users can request correction.
Example: If a user notices an error in their address data, they can request a correction of that data.

🔹 Right to erasure ("right to be forgotten") – Users can request that their data be deleted, especially if it is no longer necessary for the original purpose or if they withdraw consent. The right is not absolute: data that must be kept to meet a legal obligation (for example, invoices retained under tax law) can be retained for that purpose.
Example: If a user no longer wishes to use an online service, they can request the deletion of their account and data.

🔹 Right to restriction of processing – Users can request that the processing of their data be temporarily paused in certain situations.
Example: If a user disputes the accuracy of the data, they can request that processing be paused until its accuracy is confirmed.

🔹 Right to data portability – Users can receive the data they provided in a structured, commonly used, machine-readable format and transfer it to another service provider. This applies to data processed by automated means on the basis of consent or a contract.
Example: If a user wants to switch to another service, they can transfer their data (such as contacts or emails) from one service to another.

🔹 Right to object – Users may object to the processing of their data, especially when it is used for direct marketing. For direct marketing the objection is absolute: once the user objects, the data may no longer be processed for that purpose.
Example: If a user does not want to receive marketing messages, they can object to the further processing of their data for that purpose.

🔹 Right not to be subject to solely automated decision-making – If a decision with legal or similarly significant effects is made purely by an automated process (such as creditworthiness screening for loan applications), the user can request human intervention, express their point of view, and contest the decision.
Example: If an automated algorithm rejects a loan application, the user can request that someone from the company reviews the decision.

These rights allow individuals in the EU to actively manage their personal data and ensure that their privacy is respected.
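As an added example that is not part of the original article, the following Python module shows how the storage limitation and accountability principles above, and the rights of access, portability and erasure from this section, translate into code. Everything in it is constructed for this page: the data store, the record layout, the field names, the secret and the sample records are assumptions, and the anonymisation rule (keep only the fields listed in NON_IDENTIFYING) is a simplification, not a procedure GDPR defines.

```python
"""Constructed demonstration (not from the article or any real product) of
three GDPR duties as code: a retention sweep (storage limitation), a
machine-readable export for access/portability requests, and an erasure
routine that anonymises records a legal obligation forces the controller to keep."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fields allowed to survive anonymisation: assumed to identify nobody on their own.
NON_IDENTIFYING = {"amount", "currency"}


@dataclass
class Record:
    subject_id: str           # the data subject, here an e-mail address
    purpose: str              # why the data is held (purpose limitation)
    retention_days: int       # how long that purpose justifies keeping it
    collected_at: datetime
    legal_hold: bool = False  # e.g. invoices that tax law says must be kept
    data: dict = field(default_factory=dict)


def pseudonym(subject_id: str, secret: bytes) -> str:
    """Keyed hash replacing a direct identifier. The secret is assumed to live
    outside the data store, so a leaked copy of the store cannot be linked back."""
    return hashlib.sha256(secret + subject_id.encode("utf-8")).hexdigest()[:16]


class PersonalDataStore:
    def __init__(self, secret: bytes):
        self._secret = secret
        self.records: list[Record] = []
        self.audit: list[str] = []  # record of processing activities (accountability)

    def add(self, rec: Record) -> None:
        self.records.append(rec)
        self.audit.append(f"collected '{rec.purpose}' data for {rec.subject_id}")

    def export_subject(self, subject_id: str) -> str:
        """Right of access / portability: everything held about one subject,
        as JSON that another provider could import."""
        rows = [
            {"purpose": r.purpose, "collected_at": r.collected_at.isoformat(),
             "retention_days": r.retention_days, "data": r.data}
            for r in self.records if r.subject_id == subject_id
        ]
        self.audit.append(f"access request served for {subject_id}")
        return json.dumps({"subject_id": subject_id, "records": rows}, indent=2)

    def erase_subject(self, subject_id: str) -> dict:
        """Right to erasure. Records under a legal hold are anonymised rather than
        deleted, so the legal obligation is met without keeping identifiable data."""
        deleted = anonymised = 0
        kept = []
        for r in self.records:
            if r.subject_id != subject_id:
                kept.append(r)
            elif r.legal_hold:
                r.subject_id = pseudonym(subject_id, self._secret)
                r.data = {k: v for k, v in r.data.items() if k in NON_IDENTIFYING}
                kept.append(r)
                anonymised += 1
            else:
                deleted += 1
        self.records = kept
        self.audit.append(f"erasure request: {deleted} deleted, {anonymised} anonymised")
        return {"deleted": deleted, "anonymised": anonymised}

    def enforce_retention(self, now: datetime) -> int:
        """Storage limitation: drop records whose purpose has expired (run nightly)."""
        before = len(self.records)
        self.records = [r for r in self.records
                        if r.collected_at + timedelta(days=r.retention_days) > now]
        removed = before - len(self.records)
        self.audit.append(f"retention sweep at {now.date()}: {removed} removed")
        return removed


SAMPLE_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def build_sample_store() -> PersonalDataStore:
    """Constructed sample data for a hypothetical web shop."""
    store = PersonalDataStore(secret=b"demo-secret-held-in-a-kms-not-here")
    store.add(Record("ana@example.org", "newsletter", 365, SAMPLE_T0,
                     data={"email": "ana@example.org"}))
    store.add(Record("ana@example.org", "invoice", 3650, SAMPLE_T0, legal_hold=True,
                     data={"name": "Ana", "address": "Main St 1", "amount": 120, "currency": "EUR"}))
    store.add(Record("ana@example.org", "support-chat", 90, SAMPLE_T0,
                     data={"transcript": "order 42 arrived late"}))
    store.add(Record("bob@example.org", "newsletter", 365, SAMPLE_T0,
                     data={"email": "bob@example.org"}))
    return store


if __name__ == "__main__":
    shop = build_sample_store()
    print(shop.export_subject("ana@example.org"))
    print(shop.enforce_retention(SAMPLE_T0.replace(month=4)), "record(s) past retention")
    print(shop.erase_subject("ana@example.org"))
    print("\n".join(shop.audit))
```

Two design points matter more than the data model. First, erasure and retention are separate routines with separate triggers: the sweep runs on a schedule and needs no request, while erasure runs on demand and must honour legal holds by anonymising instead of refusing. Second, every routine appends to the audit list, because the accountability principle is about being able to show what was done, not only doing it.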


Conclusion

GDPR has significantly changed the way companies process personal data, setting high standards for privacy protection. Its impact is felt across all sectors of the economy, especially in the IT industry, where user data is processed on a large scale. Proper implementation of these standards is crucial: compliance with this regulation is not just a legal obligation, but also a way to build user trust and ensure the long-term success of a company.
