Introduction to the GDPR: Privacy, Rights and Data Governance
An essential guide to the General Data Protection Regulation, your rights, your obligations, and the future of digital privacy.
(In Switzerland, the equivalent law is the Federal Act on Data Protection.)
The General Data Protection Regulation
Entry into Force
Applicable since 25 May 2018; in Portugal, implemented through Law No. 58/2019
Core Focus
The protection of human beings and their self-determination in a digital world
Scope of Application
Applies to any organisation worldwide that processes data of data subjects who are in the European Union (residents and even tourists or other non-residents), whether it offers them goods or services or monitors their behaviour (Art. 3)
Part I
For Individuals: Your Data, Your Rules
Let's learn a bit about your fundamental rights as a data subject in the European digital space.
What are Personal Data?
Any information relating to an identified or identifiable natural person: name, civil identification number (NIC), geolocation, IP address (Art. 4(1)).
The processing of special categories of data ("sensitive data": health, biometrics, political opinions, etc.) is, in principle, prohibited, except where an exception applies, such as explicit consent (Art. 9).
The Power of Consent
Freely Given
Without pressure or undue influence: the person decides of their own free will, and refusing must not carry a penalty
Specific
For a concrete and defined purpose, not a generic one
Informed
The data subject knows exactly what they are authorising and who is processing the data
Unambiguous
Never through pre-ticked options or silence, as it requires an affirmative action
Your Fundamental Rights - Arts. 13 to 22
Information - Arts. 13 and 14
Know who processes your data, for what purpose, and for how long
Access - Art. 15
Obtain a copy of your data being processed
Rectification and Erasure - Arts. 16 and 17
Correct inaccurate data, or have data erased when it is no longer necessary for its purpose (the "right to be forgotten")
Portability - Art. 20
Receive your data in a structured, commonly used, machine-readable format so you can transfer it to another company
Objection - Art. 21
Object to processing, especially for direct marketing and profiling
Not Being Subject to Automated Decisions - Art. 22
Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects
Part II
For Businesses: Obligations and Technical Aspects
The responsibilities of organisations in the processing of personal data and the technical requirements for GDPR compliance.
Key Actors in Data Processing
Data Controller - Art. 4(7) GDPR
The natural or legal person, public authority or body that, alone or jointly with others, determines the purposes and means of the processing — the why and the how.
  • Decides what data is collected, for what ends, and how it is used
  • Bears primary accountability for compliance (Art. 5(2))
  • May share that role with others as joint controllers (Art. 26)
Example: a company that decides to run payroll for its employees.
Data Processor - Art. 4(8) GDPR
The natural or legal person or body that processes personal data on behalf of the controller, acting solely on its documented instructions.
  • No autonomy over purposes — it executes, it does not decide
  • The relationship must be governed by a written contract, the data processing agreement (DPA, Art. 28(3))
  • If it starts determining purposes and means on its own, it becomes a controller for that processing (Art. 28(10))
Example: an accounting firm that runs payroll on the company's behalf — or a cloud / SaaS provider.
Fundamental Principles of Processing (Art. 5)
1. Data Minimisation: collect only what is strictly necessary for the intended purpose
2. Purpose Limitation: data collected for one purpose must not be used incompatibly for another
3. Storage Limitation: delete or anonymise data as soon as its purpose has ended
4. Integrity and Confidentiality: ensure data security against unlawful access or accidental destruction
The Data Protection Officer (DPO)
Mandatory (Art. 37) for public bodies, and for companies whose core activities involve large-scale processing of sensitive data or regular, systematic monitoring of individuals on a large scale.
Some jurisdictions also require a DPO in companies with 20 or more employees involved in automated processing (e.g., Germany)
Independence
Informs, advises and monitors the organisation’s compliance autonomously
Institutional Link
Acts as the contact point for data subjects and the liaison with the supervisory authority
Technical and Cybersecurity Aspects
Privacy by Design/Default
Systems must be created from the outset to protect data; by default, only the strictly necessary is processed
Pseudonymisation and Encryption (Art. 4(5), Art. 32)
Pseudonymisation replaces direct identifiers with tokens whose key is kept separately, so records cannot be attributed to a person without that extra information; encryption of disks and communications protects confidentiality if the data is intercepted or stolen
Access Control and Logs
Segregation of duties and recording of who accessed what
Backups and Redundancy
Regular backups to ensure availability and recovery
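The pseudonymisation point above deserves a concrete check, because a common mistake is to hash an identifier with plain SHA-256 and call the result a pseudonym. The following is an added example, not code from the original page: it contrasts an unkeyed hash of a low-entropy identifier (here, constructed 5-digit record numbers, so the whole space can be enumerated in a fraction of a second) with an HMAC-SHA256 token under a secret key. The function names, the sample identifiers and the 5-digit space are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample: fictitious 5-digit record numbers (assumption for the demo).
SAMPLE_IDS = ["04217", "93001", "55555"]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Anyone holding the data set can recompute this for every candidate
    identifier, so for a small identifier space it is NOT pseudonymisation:
    the 'additional information' needed to re-identify is public.
    """
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token under a secret key held separately from the data set.

    Same identifier + same key -> same token, so records stay linkable for
    the controller; without the key a guessed identifier cannot be verified.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def enumerate_space(digits: int) -> Iterable[str]:
    """Every zero-padded identifier of the given length (the attacker's dictionary)."""
    return (str(n).zfill(digits) for n in range(10 ** digits))


def dictionary_attack(token: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Return the candidate whose hash/HMAC equals `token`, or None.

    With key=None the attacker recomputes the unkeyed hash; with a key it
    models someone who has obtained (or guessed) a key.
    """
    for cand in candidates:
        guess = naive_hash(cand) if key is None else pseudonymise(cand, key)
        if hmac.compare_digest(guess, token):
            return cand
    return None


if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)   # kept separately from the data
    attacker_key = secrets.token_bytes(32)     # a wrong guess at the key

    for ident in SAMPLE_IDS:
        weak = naive_hash(ident)
        strong = pseudonymise(ident, controller_key)
        print(ident,
              "naive recovered:", dictionary_attack(weak, enumerate_space(5)),
              "| HMAC without key:", dictionary_attack(strong, enumerate_space(5), attacker_key),
              "| HMAC with key:", dictionary_attack(strong, enumerate_space(5), controller_key))
```

The design point: the security of a pseudonym rests entirely on where the key lives. If the key sits in the same database, or in the same backup, as the tokens, the data set is effectively identified again, which is why Art. 4(5) insists the additional information be kept separately and under technical and organisational measures.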
Impact Assessments and Data Breaches
DPIA (Data Protection Impact Assessment - Article 35)
Before starting processing that is likely to involve a high risk to individuals (such as large-scale surveillance or AI-based assessment of people), the organisation must carry out a rigorous assessment of the risks and of the measures to mitigate them.
Notification of Breaches (Data Breach)
Obligation to notify the supervisory authority within 72 hours of becoming aware of the breach (Art. 33); where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Art. 34).
72h
Notification Period
For reporting breaches to the authority
€20M
Maximum Fine (Art. 83(5))
Or 4% of total worldwide annual turnover, whichever is higher
Conclusion: The GDPR as a Competitive Advantage
The GDPR is not there to stop progress; it exists to discipline it.
Strategic Mistake
Seeing the GDPR as an administrative burden is a limited and harmful view for the business
Real Advantage
Integrated into Corporate Governance and Social Responsibility, it generates trust, competitive advantages and sustainability in the digital market
Advantages of Being Compliant
Being compliant is not only about avoiding fines
It is about showing the market that you not only follow the rules, but that you understand their value
It gives your business credibility and sustainability