GDPR Consultancy

The General Data Protection Regulation (GDPR) is a consumer data privacy regulation enacted by the EU. The GDPR covers all businesses within the EU that store the personal data of citizens. Even if a business is located outside the borders of the European Union, it is subject to the regulation when it collects the data of these citizens.
The GDPR proposal was accepted on 25 January 2012 and approved by the European Parliament on 14 April 2016. In 2016, the regulation was published in the Official Journal of the European Union. At the end of the two-year harmonization process, it became applicable in all member states on 25 May 2018.
The GDPR guarantees the right of natural persons to the protection of their personal data. According to the European Commission, personal data is defined as any information about a person, whether or not it relates to that person's life. This information cannot be processed unless the processing is carried out as specified in the regulation or permission is obtained from the relevant personal data owner.
According to the GDPR, data must be processed in accordance with the law. To do so, businesses must determine a legal basis, defined as "processing conditions", before starting their personal data processing activities, and must document that basis. These processing conditions are regulated in GDPR Art. 6.
Processing must be based on consent. The consent of the data owner is regulated in Article 4 of the GDPR. The conditions of consent are also regulated in Article 7 of the regulation. The consent given should be explicit, freely given and specific to a particular matter. The data owner can withdraw his/her consent at any time.
Protection of the personal data of children is also regulated in the GDPR. Accordingly, children aged 16 and over can give consent for the processing of their personal data. For children under the age of 16, consent must be given by the persons who hold parental responsibility for them.
Accountability is regulated in Article 5 of the GDPR. Accordingly, businesses that are obliged to comply should put arrangements in place to ensure compliance by taking appropriate technical and procedural measures.
According to the GDPR, the obligations of the business are as follows:
•    Informing users about the business's identity, the data it collects, why it collects that data, what it stores and with whom it shares it
•    Obtaining clear consent from the user when collecting any data
•    Allowing users to access and download collected data
•    Allowing users to their data if they wish
•    Notifying users within 72 hours of any data breach
According to the GDPR, the person whose personal data is processed has certain rights. These are the right to be informed, the right to access, the right to rectification, the right to be forgotten, the right to restriction, the right to portability, the right to object, and the right not to be subject to automated decision-making. When a person applies to exercise these rights, the business must respond within 30 days.
Businesses specified in GDPR Art. 37 are obliged to appoint a data protection officer. The data protection officer is responsible for examining whether the data processing complies with the GDPR. The officer is also required to inform the persons whose data are processed.
This regulation also established the European Data Protection Board. The task of this board is to ensure the proper implementation of the GDPR. GDPR Art. 70 regulates the duties of this Board.
The administrative sanctions to be applied under the GDPR are regulated in Article 83. If data controllers or data processors violate the data processing rules intentionally or negligently, the total administrative fine to be imposed cannot exceed the amount specified for the gravest infringement. Either an administrative fine of 10 million euros or 2% of the data controller's total worldwide turnover in the previous fiscal year, or an administrative fine of 20 million euros or 4% of the total turnover in the previous fiscal year, is imposed. Violations of the GDPR therefore carry high administrative fines.
