

The General Data Protection Regulation (GDPR) is an EU regulation designed to regulate and harmonize the storage and processing of personal data. The Regulation affects companies, public authorities and web operators in the European Union. The GDPR entered into force in the EU on May 25, 2018.


The first efforts to protect personal data and consumer privacy in the EU began in the 1970s. In 1995, Directive 95/46/EC established a common framework for the first time. However, its application remained the responsibility of each Member State.

In 2018, a regulation binding on all EU member states followed in the form of the GDPR.

Area of application

The GDPR applies throughout the EU to companies established in the European Union. Companies from other countries must also comply with the GDPR if they process the data of citizens of member states and maintain a branch in an EU country.

What is personal data according to GDPR?

According to the GDPR, the following data is classified as personal data. A person can also be identified indirectly, for example by linking several items of data to an identification number or a location.

  • Name
  • Address
  • Email address
  • Phone number
  • Date of Birth
  • Bank data
  • License plates
  • User location data
  • IP addresses and cookies

Responsible for the violation of data protection

Under the GDPR, the "one-stop shop" principle applies when a website or online store operator is responsible for a data protection violation. This means that EU citizens can directly contact the data protection authority of their own country, regardless of where the breach occurred. For companies, the one-stop shop principle has the advantage that they only have to deal with one data protection authority, generally the authority of the country in which they are based.

Responsible for data protection according to GDPR

Following the introduction of the GDPR, some companies are now required to appoint a Data Protection Officer (DPO). The data protection officer can be appointed internally or externally.

A data protection officer is mandatory in the following cases:

  • More than nine workers are involved in the automated processing of personal data, regardless of whether they are self-employed or permanent employees. This may be the case, for example, if more than nine workers have access to data from Google Analytics or other web analytics tools.
  • The processed data is particularly sensitive because it allows conclusions to be drawn about ethnic origin, political opinions or health status. This category is defined in Article 9 of the GDPR. This may be the case, for example, if a company offers a fitness app that collects health data together with personal data.
  • The company's core activity includes extensive, regular and systematic monitoring of the affected people. This clause mainly affects companies whose main activity is the processing of personal data, such as credit agencies or big data analytics firms.

Companies can also voluntarily appoint a data protection officer even when they are not obliged to do so. The task of the data protection officer is to ensure compliance with data protection requirements and to maintain the so-called "processing directory" (the record of processing activities). At the same time, the DPO serves as a contact for customers who have questions about the storage of their personal data. The data protection officer does not need any special training, but in case of doubt must be able to demonstrate the necessary expertise.

Directory of procedures according to GDPR

Under the GDPR, companies are in most cases required to maintain a so-called "processing directory" (the record of processing activities). It is a paper or electronic record in which the processing of personal data is documented: for example, the purpose of the processing, the categories of data subjects, and any transfer of data to providers in third countries outside the EU. The directory also records the erasure periods for the stored data, sorted by data category.

The list is not public, but must be available at the request of the data protection authorities.

The positive news: in theory, companies are only required to maintain such a directory if, for example, they employ more than 250 people. Nevertheless, companies whose processing of personal data is "not only occasional" are also obliged to create one. All companies that carry out daily web analytics must therefore maintain a directory. In practice, this means that all online stores and small businesses are affected by this obligation.

Possible sanctions for breach of the GDPR

GDPR violations can result in high fines. Fines of up to € 20 million or up to four percent of the previous year's worldwide turnover can be imposed. The high level of sanctions is one of the innovations the GDPR introduced into data protection law. As before, warnings can additionally be issued in case of infringement.


The implementation of the GDPR has drawn strong criticism in many places. Because many web operators cannot assess the consequences of the regulation and fear costly warnings, they have shut down their websites. US media companies have also reacted to the GDPR and, in some cases, discontinued their services in Europe immediately after the regulation came into force.

Another important point of criticism: although the GDPR was intended to simplify data protection within the EU, the law has generated confusion in some areas due to many unresolved questions. Webmasters, businesses and online stores cannot rely on clear procedures and, in the worst case, risk high penalties. Some critics even see it as the end of the free internet.

Importance for online marketing

The GDPR affects everyone who works with personal data, and this has direct consequences for online marketing. In newsletter marketing, for example, advertisers must increasingly ensure that they have consent to send mailings. Furthermore, it is essential to be able to document precisely how personal data is processed in web analytics.

In principle, everyone affected should expect greater time expenditure and higher costs for their marketing campaigns.