Europe’s General Data Protection Regulation (EU GDPR) is currently a gold standard for Privacy and personal data protection.

Data Protection Principles (Article 5)

1. Lawfulness, Fairness, and Transparent
2. Purpose Limitation
3. Data Minimization
4. Accuracy (links to Data Governance)
5. Storage Limitation
6. Integrity and Confidentiality (links to Security)

Legal Basis for Processing (Article 6)

1. Consent
2. Contractual Obligation
3. Legal Obligation
4. Legitimate Interest
5. Vital Interest
6. Public Interest
7. Exceptional Areas (e.g., Journalistic, Research, Historical, etc). See if your industry falls for this exception

Special Categories of Data (Article 9)

1. Health
2. Religion
3. Politics
4. Union Membership
5. Genetic, and Biometric
6. Sexual Orientation, and Life

Rights of the Data Subjects

1. Right of Access (Article 15)
2. Right to Rectify (Article 16)
3. Right to Erasure/forgotten (Article 17)
4. Right to Restrict Processing (Article 18)
5.  Right to Data Portability (Article 20)
6. Right to Object (Article 21)

Rights must be fulfilled within 30 days from the request. You may extend to a maximum of 90 days with notification.

Data Breach Notification

• Notify Supervisorily authority with 72 hours of a comfirmed breach
• May require to notify Data Subject if the breach can cause a high risk
• May require to notify law enforcement authority

Online Privacy

• A separate ePrivacy Regulation is under development. But existing Directive is adopted into law by most EU countries.

Others

• Special care for Children (under 16 years, but each jurisdiction can set the minimum to be 13 years)
• Appointment of a Data Protection Officer may be required
• Data Transfer outside of EEA needs a specific derogation (Adequacy, Consent, Binding Contractual, Standard Contractual Clause, etc)
• Requires to conduct Data Protection Impact Assessment (DPIA) for high-risk processing
• Requires to maintain a registry of processing activities