GDPR: what it is, why it exists and who is responsible

1) What is the GDPR

The General Data Protection Regulation (GDPR) is the European Union regulation that sets out rules for the processing of personal data of individuals located in the European Economic Area (EEA). In Portuguese it is often referred to as the Regulamento Geral sobre a Proteção de Dados (RGPD). The United Kingdom has its own version, the UK GDPR, which is broadly aligned with the EU GDPR but adapted to the UK context.

The GDPR promotes transparency, control by data subjects and accountability across the ecosystem, aligning privacy with innovation in a responsible way.

2) Why the GDPR exists

• Harmonise data protection rules within the EU and EEA;
• Protect fundamental rights and freedoms;
• Give control back to individuals (access, rectification, portability, objection and more);
• Build trust and support the digital single market;
• Reduce risks of misuse, discrimination and data breaches.

3) Scope and territoriality (EU/EEA and UK GDPR)

The GDPR applies to organisations established in the EU or EEA and also to organisations outside the EU or EEA that offer goods or services to people in the EEA or monitor their behaviour within the EEA. In the United Kingdom, the UK GDPR applies, mirroring the main principles and obligations with some local adjustments.

4) GDPR principles

• Lawfulness, fairness and transparency;
• Purpose limitation;
• Data minimisation;
• Accuracy (keeping data correct and up to date);
• Storage limitation (retaining data only for as long as necessary);
• Integrity and confidentiality (security);
• Accountability.

5) Legal bases (Article 6)

• Consent (freely given, specific, informed and unambiguous);
• Performance of a contract or steps taken at the data subject request prior to entering into a contract;
• Legal obligation;
• Vital interests of the data subject or another person;
• Public task or exercise of official authority;
• Legitimate interests pursued by the controller or a third party, with appropriate balancing and safeguards.

6) Special category and criminal data (Articles 9 and 10)

The GDPR provides additional protection for special category data (for example health data, biometrics, racial or ethnic origin, political opinions, religious or philosophical beliefs) and for data relating to criminal convictions and offences. In general, processing such data requires extra conditions (for example explicit consent, legal obligations, preventive or occupational medicine, substantial public interest).

7) Who is responsible: roles and duties

• Data subject: the individual to whom the personal data relates.
• Controller: determines the purposes and means of the processing.
• Processor: processes personal data on behalf of the controller, under a contract (Article 28).
• DPO (Data Protection Officer): advises, monitors compliance and acts as a contact point for supervisory authorities and data subjects (mandatory in certain scenarios).
• Supervisory Authorities (for example CNPD in Portugal, AEPD in Spain, ICO in the UK): supervise, provide guidance and can impose sanctions.

8) Rights of data subjects

• Right of access and right to be informed;
• Right to rectification;
• Right to erasure ("right to be forgotten", subject to exceptions);
• Right to restriction of processing;
• Right to data portability;
• Right to object to processing (including direct marketing);
• Rights related to automated decision making and profiling (including the right to human intervention where appropriate).

Organisations must respond within an appropriate time frame (as a rule, within one month, extendable in complex cases) and must verify the identity of the requester.

9) Obligations for organisations

• Record of processing activities (RoPA - Article 30);
• Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk (Article 35);
• Contracts with processors (Data Processing Agreements - Article 28);
• Security appropriate to the risk (Article 32);
• Privacy by design and by default (Article 25);
• Governance and accountability (policies, training, audits, logging);
• Transparency (clear and accessible privacy notices - Articles 13 and 14);
• Consent and preference management where applicable, including attention to ePrivacy and cookies;
• Documenting legal bases and purposes, applying data minimisation and appropriate retention periods;
• Sanctions: fines of up to EUR 20 million or 4% of the worldwide annual turnover, whichever is higher, depending on the case.

10) International data transfers

Transferring personal data outside the EEA or the UK requires appropriate mechanisms such as adequacy decisions, Standard Contractual Clauses (SCCs) issued by the EU, addenda such as the IDTA in the UK, Binding Corporate Rules (BCRs) or other safeguards, alongside transfer risk assessments.

11) Incidents and notifications (72 hours)

Personal data breaches that are likely to result in a risk to the rights and freedoms of individuals must be notified to the competent supervisory authority within 72 hours of becoming aware of the breach (Article 33). Affected data subjects may also need to be informed without undue delay (Article 34).