The GDPR provides one uniform set of rules for all companies and persons in the EU. According to the GDPR, data subjects have the following rights:

| Data subject right | GDPR provision |
|---|---|
| 1. A right to know what data is processed, how it is processed and shared, and to receive a copy of their personal data | Art. 15 |
| 2. A right to erasure, where there are no laws or regulations which mandate the retention of that data | Art. 17 |
| 3. A right to rectification of inaccurate personal data | Art. 16 |
| 4. A right to withdraw their consent | Art. 7 sec. 3 |
| 5. A right to data portability | Art. 20 |
| 6. A right to restriction of processing of specific personal data items | Art. 18 |
| 7. A right to object to processing performed in the legitimate interests of European University Cyprus, with the objection evaluated in the context of the risk to the data subject | Art. 21 |
| 8. A right to object to direct marketing and have the direct marketing ceased immediately | Art. 21 |
| 9. A right not to be subject to a decision based solely on automated processing | Art. 22 |
| 10. A right to claim compensation for damages caused by a breach of the Act | Art. 82 |
Apart from the rights awarded to data subjects, the GDPR also imposes many obligations on data controllers (the person or business who determines the purposes for which, and the way in which, personal data is processed) and data processors.
In particular, Chapter IV of the GDPR is devoted to the obligations of controllers and processors. Particular attention should be given to data protection by design and by default, set out in Article 25, which obliges companies to implement appropriate technical and organizational measures, such as pseudonymization and data minimization, both when determining the means for processing and at the time of the processing itself. In addition, if companies assign or outsource some processing activities to external contractors (the processors), particular attention should be devoted to Article 28, which governs the relationship between companies and contractors in their respective capacities as controller and processor.
Articles 34 and 35 of the GDPR oblige companies to inform the Data Protection Authority and data subjects of data breaches, under certain conditions.
If the core activities of a company consist of processing operations which, by virtue of their nature, scope and/or purpose, require regular and systematic monitoring of its customers on a large scale, then according to Article 37 this company is obliged to designate a Data Protection Officer (the DPO). The position and tasks of the DPO are regulated by Articles 38 and 39, respectively. It should be noted that the role of the DPO is advisory and that the DPO acts as a liaison with data subjects and the supervisory authority. It should also be noted that all the legal responsibilities derived from the GDPR fall on the controller and the processor, not on the appointed DPO.
In addition, the Principle of Accountability obliges businesses to be able to demonstrate their compliance with the GDPR. There are several tools for demonstrating compliance with the GDPR. Articles 40 and 41 regulate the codes of conduct and their monitoring. Codes of conduct are voluntary, but they can be used for demonstrating GDPR compliance. Also, they can serve as appropriate safeguards for the transfer of personal data from the EU to controllers or processors established in third countries who commit, via contractual or other legally binding instruments, to apply those appropriate safeguards and to respect the rights of data subjects. The same mechanism applies to certifications, data protection seals and marks.
The GDPR follows a risk-based approach. In other words, businesses have obligations proportional to the risks associated with their core activities: lower risk means fewer obligations for a business, and higher risk means more statutory obligations. Such risks should always be eliminated or mitigated. Article 30 obliges companies to keep a record of all processing activities and to make this record available to the Data Protection Commissioner on request. This obligation does not apply to SMEs, i.e., companies with fewer than 250 employees, unless their core activities pose privacy and data.
Transfers to third countries can be carried out on the basis of an adequacy decision, where the Commission has decided that a country, a territory or a sector therein ensures an adequate level of protection. Such transfers do not require prior authorization. In the absence of an adequacy decision, transfers can be carried out on the basis of appropriate safeguards, such as standard contractual clauses adopted by the Commission, standard contractual clauses adopted by the DPA and approved by the Commission, binding corporate rules, approved codes of conduct, or approved certification mechanisms with enforceable commitments. Where the transfer affects citizens in several Member States, it may also rely on contractual clauses authorized by a DPA in the frame of the consistency mechanism. In specific situations, transfers may be carried out on the basis of the derogations set out in Article 49 of the GDPR, which may rely, inter alia, on consent, the performance or conclusion of a contract, and the exercise of legal claims.