The aim of the GDPR is to protect personal data and to grant rights to natural persons in the European Union. The GDPR has applied since 25 May 2018. Because it is an EU regulation rather than a directive, it applies directly and uniformly throughout the European Union (EU), so the same privacy legislation holds in every member state. The regulation places obligations on the data controller and, to a lesser extent, on the data processor. The data controller determines the purposes for which and the means by which personal data is processed. If your company/organisation decides “why” and “how” personal data is processed, it is therefore the data controller.
The data processor processes personal data exclusively on behalf of, and on the documented instructions of, the data controller. The data processor is usually a third party outside the company. Within a corporate group, however, one company may act as processor for another.
The persons whose data is processed (the data subjects) have far-reaching rights under the GDPR, such as the right to have their data erased and the right to object to the processing of their data. The data controller and processors have many obligations in turn, such as keeping records of their processing activities and ensuring that every processing operation rests on a valid legal basis, for example the consent of the data subject.
GDPR and the main challenges
The GDPR is centred around a few very powerful principles, including lawful processing, transparency and purpose limitation, i.e. clarity about the purpose for which data is used. Each purpose must rest on a valid legal basis. One such basis is the explicit consent of the data subject (the person whose data is being processed), given specifically for that purpose, e.g. “I agree to you selling my data to a third party.” Note that such consent must be freely given, specific, informed and unambiguous, and that the data subject may withdraw it at any time.