Explore Exams
Login Signup
Sign in Open App
CLAT Exam  >  CLAT Notes  >  Legal Reasoning for CLAT  >  General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT PDF Download

Introduction

The General Data Protection Regulation (GDPR) (EU 2016/679) is a landmark regulation governing data protection and privacy, effective from May 25, 2018. It aims to protect the personal data of European Union (EU) and European Economic Area (EEA) residents by regulating how organizations collect, process, store, and share data. For CLAT UG 2026, GDPR is critical in the Legal Reasoning section (application of data protection principles) and Current Affairs section (global impact, comparison with India’s DPDPA). These notes provide a detailed overview, key provisions, enforcement mechanisms, and relevance to CLAT, tailored to the exam’s passage-based question format.

General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT

Overview of GDPR

Purpose

The GDPR seeks to:

  • Protect the privacy and personal data of EU/EEA residents.
  • Empower individuals with control over their data through defined rights.
  • Standardize data protection laws across EU member states.
  • Ensure organizations adopt robust data protection practices.

 Scope

The GDPR has an extraterritorial scope, applying to:

  • Organizations in the EU/EEA processing personal data.
  • Non-EU organizations processing data of EU/EEA residents for offering goods/services or monitoring behavior.
  • Data controllers and processors, regardless of location.

Enforcement

  • Effective Date: May 25, 2018, replacing the 1995 Data Protection Directive.
  • Enforcement Bodies: Data Protection Authorities (DPAs) in each EU member state, coordinated by the European Data Protection Board (EDPB).
  • Mechanisms: Investigations, audits, fines, and corrective orders.

Key Definitions

  • Personal Data: Any information relating to an identifiable person (e.g., name, email, IP address, health records).
  • Data Subject: The individual whose data is processed (e.g., customers).
  • Data Controller: Entity deciding the purpose and means of processing (e.g., an e-commerce platform).
  • Data Processor: Entity processing data on behalf of the controller (e.g., cloud provider).
  • Processing: Any operation on personal data (e.g., collection, storage, sharing).

Core Principles of Data Processing

GDPR outlines seven principles (Article 5):

  • Lawfulness, Fairness, Transparency: Processing must have a legal basis and be transparent to data subjects.
  • Purpose Limitation: Data collected for specific, legitimate purposes cannot be repurposed.
  • Data Minimization: Collect only data necessary for the purpose.
  • Accuracy: Ensure data is accurate and updated.
  • Storage Limitation: Retain data only as long as necessary.
  • Integrity and Confidentiality: Protect data with security measures (e.g., encryption).
  • Accountability: Controllers must demonstrate compliance through policies and records.

Data Subject Rights

GDPR grants data subjects (Articles 15–22):

  • Right to Access: View data held by controllers.
  • Right to Rectification: Correct inaccurate data.
  • Right to Erasure: Request data deletion (“Right to be Forgotten”).
  • Right to Restrict Processing: Limit data use in specific cases.
  • Right to Data Portability: Transfer data to another controller.
  • Right to Object: Oppose processing (e.g., for marketing).
  • Rights re Automated Decision-Making: Protection from solely automated decisions (e.g., AI profiling).

Legal Basis for Processing

Processing is lawful if based on (Article 6):

  • Consent: Freely given, specific, informed, and unambiguous.
  • Contract: Necessary to fulfill a contract with the data subject.
  • Legal Obligation: Required to comply with law.
  • Vital Interests: Protect someone’s life.
  • Public Task: Perform tasks in public interest.
  • Legitimate Interests: Controller’s interests, balanced against data subject rights.

Question for General Data Protection Regulation (GDPR)
Try yourself:
What is the effective date of the GDPR?
View Solution

Data Protection Officer (DPO)

General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT

  • Role: Advise on GDPR compliance, monitor processing, liaise with DPAs.
  • Appointment: Mandatory for public authorities or organizations with large-scale data processing.
  • Qualifications: Expertise in data protection law and IT security.

Data Breach Notification

  • Requirement: Notify DPA within 72 hours of a breach likely to risk data subjects’ rights (Article 33).
  • Data Subject Notification: Inform data subjects if high risk (Article 34).
  • Records: Maintain breach records for accountability.

Data Transfers Outside EU/EEA

  • Restrictions: Transfers require safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules).
  • Adequacy Decisions: EU recognizes certain countries’ laws as adequate (e.g., Canada, Japan).
  • Key Case: Schrems II (2020) invalidated EU-US Privacy Shield, impacting data transfers.

Penalties and Enforcement

  • Fines: Up to €20 million or 4% of annual global turnover for serious violations (Article 83).
  • Other Measures: Orders to stop processing, compensate damages.
  • Examples: Amazon (€746M, 2021), Google (€50M, 2019).

Key GDPR Concepts

Personal Data

Definition: Any information relating to an identified or identifiable individual (Article 4(1)). An identifiable individual is someone who can be directly or indirectly identified.

  • Examples: Name, email address, phone number, location data, IP address, health records, biometric data, online identifiers.
  • Scope: Broad, covering both direct (e.g., passport number) and indirect (e.g., browsing history linked to a user) data.
  • GDPR Role: Personal data is the core of GDPR’s protections, requiring lawful processing, security, and data subject rights.
  • Application: A company collecting customer names and addresses for deliveries must comply with GDPR if the customers are EU residents.

Data Subject

General Data Protection Regulation (GDPR) | Legal Reasoning for CLATDefinition: The individual whose personal data is processed, specifically EU/EEA residents under GDPR.

  • Examples: Customers shopping online, employees providing HR data, website users sharing contact details.
  • GDPR Role: Data subjects are granted rights (e.g., access, erasure) to control their data, central to GDPR’s privacy focus.
  • Application: An EU resident using an Indian e-commerce platform is a data subject, entitled to GDPR protections if their data is processed.

Data Controller

Definition: The entity (individual or organization) determining the purposes and means of processing personal data (Article 4(7)).

  • Examples: A company designing a marketing campaign using customer data, a hospital managing patient records.
  • GDPR Role: Controllers are primarily responsible for GDPR compliance, including obtaining consent, ensuring security, and respecting data subject rights.
  • Application: An Indian tech firm collecting EU users’ data for app analytics is a data controller, accountable for GDPR obligations.

Data Processor

Definition: The entity processing personal data on behalf of the data controller (Article 4(8)).

  • Examples: Cloud service providers (e.g., AWS) storing data, third-party payroll firms processing employee data.
  • GDPR Role: Processors act under the controller’s instructions, ensuring compliance with GDPR’s security and processing requirements.
  • Application: A cloud provider hosting an EU company’s customer data is a processor, bound by GDPR but not deciding data use.

Consent

Definition: Freely given, specific, informed, and unambiguous permission from the data subject for processing their personal data (Article 4(11)).

  • Requirements:
    • Freely Given: No coercion or imbalance of power.
    • Specific: Clear purpose of processing.
    • Informed: Data subject understands what they consent to.
    • Unambiguous: Clear affirmative action (e.g., ticking a box).
  • GDPR Role: Consent is one of six legal bases for processing (Article 6), often required for marketing or sensitive data.
  • Application: A website asking EU users to opt-in for targeted ads must obtain explicit consent, detailing the data use.

Data Breach

Definition: A security incident leading to unauthorized access, disclosure, alteration, or destruction of personal data (Article 4(12)).

  • Examples: Hacking of customer databases, accidental email leaks, ransomware attacks.
  • GDPR Role: Controllers must:
    • Notify the Data Protection Authority (DPA) within 72 hours if the breach is likely to risk data subjects’ rights (Article 33).
    • Inform data subjects if the breach poses a high risk (Article 34).
    • Maintain breach records for accountability.
  • Application: An Indian firm processing EU data must notify the DPA within 72 hours if hackers access customer emails.

Question for General Data Protection Regulation (GDPR)
Try yourself:
What is the role of a Data Protection Officer (DPO)?
View Solution

Core GDPR Provisions

Article 5: Principles of Data Processing

Overview: Article 5 outlines seven principles governing personal data processing, ensuring compliance and accountability.

  • Lawfulness, Fairness, Transparency: Processing must have a legal basis (e.g., consent), be fair, and transparent to data subjects.
  • Purpose Limitation: Data collected for specific, legitimate purposes cannot be used otherwise.
  • Data Minimization: Collect only data necessary for the purpose.
  • Accuracy: Ensure data is accurate and updated.
  • Storage Limitation: Retain data only as long as necessary.
  • Integrity and Confidentiality: Protect data with security measures (e.g., encryption).
  • Accountability: Controllers must demonstrate compliance through policies and records.

Application: An e-commerce platform collecting EU customers’ emails for orders must not use them for unrelated marketing without consent (purpose limitation).

Article 6: Lawful Basis for Processing

Overview: Processing personal data is lawful only if based on one of six bases (Article 6(1)):

  • Consent: Freely given, specific, informed, and unambiguous, revocable at any time.
  • Contract: Necessary to fulfill a contract with the data subject (e.g., processing payment details).
  • Legal Obligation: Required to comply with law (e.g., tax reporting).
  • Vital Interests: Protect someone’s life (e.g., medical emergencies).
  • Public Task: Perform tasks in public interest (e.g., government services).
  • Legitimate Interests: Controller’s interests, balanced against data subject rights (e.g., fraud prevention).

Articles 12–23: Rights of Data Subjects

Overview: These articles grant data subjects control over their personal data, ensuring privacy and transparency.

  • Right to Access (Article 15): Request access to data held, including purposes and recipients.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data.
  • Right to Erasure (Article 17): Request data deletion (“Right to be Forgotten”) if data is no longer needed or consent is withdrawn.
  • Right to Restrict Processing (Article 18): Limit processing in cases like disputed accuracy.
  • Right to Data Portability (Article 20): Transfer data to another controller in a structured format.
  • Right to Object (Article 21): Oppose processing for marketing or legitimate interests.
  • Rights re Automated Decision-Making (Article 22): Protection from solely automated decisions (e.g., AI profiling).

Article 25: Data Protection by Design and Default

Overview: Organizations must integrate privacy protections into systems and processes from the outset.

  • By Design: Incorporate technical and organizational measures (e.g., pseudonymization) during system development.
  • By Default: Ensure only necessary data is processed, with strict privacy settings as default.

Application: A social media platform must enable privacy settings (e.g., private profiles) by default for EU users.

Article 28: Data Processors

Overview: Data processors must comply with GDPR and process data only under the controller’s documented instructions.

  • Obligations: Ensure security, assist with data subject rights, and notify controllers of breaches.
  • Contracts: Controllers and processors must have binding agreements outlining GDPR compliance.

Application: A cloud provider (processor) storing EU customer data for an Indian firm (controller) must follow GDPR-compliant instructions.

Article 32: Security of Processing

Overview: Controllers and processors must implement technical and organizational measures to ensure data security.

  • Measures: Encryption, access controls, regular security testing.
  • Risk-Based Approach: Security measures depend on data sensitivity and processing risks.

Application: An Indian firm processing EU health data must encrypt it to prevent unauthorized access.

Articles 33–34: Data Breach Notification

Overview: Controllers must report data breaches promptly to ensure accountability and mitigate harm.

  • Article 33: Notify the Data Protection Authority (DPA) within 72 hours of a breach likely to risk data subjects’ rights.
  • Article 34: Inform data subjects if the breach poses a high risk to their rights and freedoms.
  • Records: Maintain breach records for accountability.

Application: An Indian company detecting a hack of EU customer data must notify the DPA within 72 hours.

Articles 44–50: Cross-Border Data Transfers

Overview: Data transfers outside the EU/EEA require safeguards to ensure GDPR-level protection.

  • Safeguards: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs).
  • Adequacy Decisions: EU recognizes countries with equivalent laws (e.g., Canada, Japan).
  • Key Case: Schrems II (2020) invalidated EU-US Privacy Shield, requiring stricter transfer assessments.

GDPR Penalties and Enforcement

Fines

Overview: GDPR imposes significant fines to deter non-compliance and ensure accountability (Article 83).

  • Two Tiers of Fines:
    • Lower Tier: Up to €10 million or 2% of annual global turnover (whichever is higher) for less severe violations, such as failing to maintain records or appoint a Data Protection Officer (DPO).
    • Higher Tier: Up to €20 million or 4% of annual global turnover (whichever is higher) for serious violations, such as breaching core principles (Article 5), unlawful processing (Article 6), or ignoring data subject rights (Articles 12–22).
  • Factors for Fines: Severity, duration, intent, number of affected data subjects, mitigation efforts, and prior violations.
  • Application: An Indian company processing EU data without consent risks a €20 million fine or 4% of turnover for violating Article 6.

High-Profile Fine Examples

Overview: GDPR’s enforcement has led to significant fines, showcasing its global impact.

  • Google (€50 million, 2019): Fined by France’s CNIL for consent violations (Article 6), as Google’s consent mechanism for personalized ads lacked transparency and clarity.
  • Amazon (€746 million, 2021): Fined by Luxembourg’s DPA for non-compliance with data processing principles (Article 5), particularly for behavioral advertising without adequate legal basis.
  • Meta (€405 million, 2022): Fined by Ireland’s DPC for mishandling children’s data on Instagram, violating data protection by design (Article 25).
  • TikTok (€345 million, 2023): Fined for improper handling of children’s data, breaching data subject rights and processing principles.

Application: These cases highlight GDPR’s focus on consent, transparency, and vulnerable groups, relevant for Indian firms processing EU data.

Data Protection Authorities (DPAs)

General Data Protection Regulation (GDPR) | Legal Reasoning for CLATOverview: Each EU member state has an independent DPA to enforce GDPR and protect data subjects (Articles 51–59).

  • Roles:
    • Investigate complaints and violations.
    • Issue fines and corrective orders (e.g., halt processing).
    • Advise organizations on GDPR compliance.
    • Handle data subject complaints (e.g., right to erasure requests).
  • Coordination: DPAs collaborate via the European Data Protection Board (EDPB) for cross-border cases.
  • Examples:
    • France’s CNIL (Google fine).
    • Ireland’s DPC (Meta, major tech firms due to Ireland’s tech hub status).
    • Luxembourg’s CNPD (Amazon fine).
  • Application: An Indian firm facing a GDPR complaint for EU data misuse would deal with the DPA in the relevant EU state (e.g., Ireland for tech firms).

Other Enforcement Measures

Overview: Beyond fines, DPAs can impose corrective measures to ensure compliance (Article 58).

  • Measures:
    • Orders to comply with data subject rights (e.g., erase data).
    • Bans on processing or data transfers.
    • Mandates to rectify systems or appoint a DPO.
    • Compensation to data subjects for damages (Article 82).
  • Application: A company breaching GDPR may be ordered to stop processing EU data until compliance is ensured, alongside fines.

Comparison with India’s DPDPA

Overview: GDPR’s enforcement contrasts with DPDPA, offering a key comparison for CLAT.

Fines:

  • GDPR: Up to €20 million or 4% of global turnover, significantly higher.
  • DPDPA: Up to ₹250 crore (approx. €28 million), fixed and lower relative to global firms’ turnover.

Enforcement Bodies:

  • GDPR: Independent DPAs in each EU state, coordinated by EDPB.
  • DPDPA: Data Protection Board of India (DPBI), a single body, potentially less decentralized

Scope:

  • GDPR: Extraterritorial, applies globally to EU data processing.
  • DPDPA: Primarily India-focused, with limited extraterritorial reach.
  • Context: India’s privacy framework, reinforced by the Puttaswamy case (2017), draws from GDPR but adapts to local needs.

Question for General Data Protection Regulation (GDPR)
Try yourself:
What is required for data processing to be considered lawful under GDPR?
View Solution

GDPR’s Global and Indian Relevance

Extraterritorial Application

Overview: GDPR applies to organizations worldwide processing personal data of EU/EEA residents, regardless of their location (Article 3).

  • Scope:
    • Organizations in the EU/EEA processing personal data.
    • Non-EU organizations offering goods/services to EU residents or monitoring their behavior (e.g., tracking online activity).
  • Impact on Global Businesses:
    • Indian tech firms (e.g., Infosys, Zomato) serving EU clients must comply with GDPR, including consent (Article 6) and data subject rights (Articles 12–23).
    • Non-compliance risks fines up to €20 million or 4% of global turnover (Article 83).
  • Application: An Indian e-commerce platform targeting EU customers with personalized ads must obtain explicit consent and ensure data security under GDPR.

Influence on DPDPA, 2023

Overview: GDPR inspired key aspects of India’s DPDPA, 2023, but differences in enforcement and scope exist, reflecting India’s unique context.

Similarities:

  • Consent: Both require informed, specific consent for data processing (GDPR Article 6; DPDPA Section 6).
  • Data Subject Rights: Rights to access, rectification, erasure, and portability align (GDPR Articles 12–23; DPDPA Sections 11–13).
  • Data Minimization: Collect only necessary data (GDPR Article 5; DPDPA Section 5).

Differences:

  • Scope: GDPR applies to all personal data (digital and non-digital); DPDPA is limited to digital personal data.
  • Enforcement: GDPR’s fines reach €20 million or 4% of global turnover; DPDPA’s cap at ₹250 crore (approx. €28 million) is lower.
  • Government Exemptions: DPDPA allows exemptions for government entities (Section 17); GDPR applies uniformly, with limited exceptions.
  • Extraterritoriality: GDPR’s global reach contrasts with DPDPA’s focus on data processed in India or by Indian entities.

Comparison with IT Rules, 2011

Overview: The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, were India’s pre-DPDPA data protection framework, with a narrower scope and weaker enforcement compared to GDPR.

Scope:

  • IT Rules, 2011: Apply only to body corporates and intermediaries handling sensitive personal data or information (SPDI) (e.g., financial data, biometrics).
  • GDPR: Comprehensive, covering all personal data (digital and non-digital) for EU residents, with extraterritorial reach.

Consent:

  • IT Rules, 2011: Require informed consent for SPDI collection (Rule 5), but enforcement was weak.
  • GDPR: Mandates explicit, revocable consent (Article 6), with strict compliance via Data Protection Authorities (DPAs).

Penalties:

  • IT Rules, 2011: Compensation for negligence under Section 43A of the IT Act, 2000, with no fixed fines, leading to inconsistent enforcement.
  • GDPR: Fines up to €20 million or 4% of global turnover, ensuring strong deterrence.

Security Practices:

  • IT Rules, 2011: Mandate reasonable security practices (Rule 8), but lack detailed standards.
  • GDPR: Requires robust measures like encryption and regular audits (Article 32).
  • Gaps Highlighted by GDPR: IT Rules’ limited scope (excluding government entities), lack of a dedicated enforcement body, and weaker penalties underscored the need for DPDPA’s comprehensive framework.

GDPR Landmark Cases and Incidents

Schrems I and Schrems II Cases

The Schrems I and Schrems II cases are pivotal in the realm of data protection law, particularly concerning cross-border data transfers between the European Union (EU) and the United States (US). These cases, initiated by Austrian privacy activist Max Schrems, challenged the adequacy of US data protection frameworks, impacting global data transfer mechanisms.

Schrems I (2015)

  • Background: Max Schrems filed a complaint against Facebook Ireland, alleging that the transfer of his personal data from the EU to the US under the Safe Harbour framework violated his privacy rights, especially in light of US surveillance programs revealed by Edward Snowden.
  • Issue: The Safe Harbour agreement allowed companies to transfer data between the EU and US, but Schrems argued it failed to provide adequate protection against US government surveillance.
  • Outcome: The European Court of Justice (ECJ) invalidated the Safe Harbour framework in 2015, ruling that it did not ensure an adequate level of protection for EU citizens' data as required by EU law.
  • Impact: Companies had to rely on alternative mechanisms like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for data transfers, prompting a reevaluation of transatlantic data flows.

Schrems II (2020)

  • Background: Following Schrems I, the EU and US introduced the Privacy Shield framework to replace Safe Harbour. Schrems challenged this new framework, again targeting Facebook’s data transfers.
  • Issue: Schrems argued that Privacy Shield, like Safe Harbour, failed to protect EU data from US surveillance, particularly under laws like Section 702 of the FISA Amendments Act.
  • Outcome: The ECJ invalidated Privacy Shield in July 2020, citing inadequate protections. The court also upheld SCCs but required case-by-case assessments to ensure compliance with EU data protection standards.
  • Impact: Businesses faced increased scrutiny over data transfers, necessitating robust compliance measures. The ruling emphasized the EU’s stringent approach to data protection and the need for equivalence in third-country laws.

Notable GDPR Fines

The General Data Protection Regulation (GDPR), implemented in 2018, empowers EU regulators to impose significant fines for non-compliance. The following cases illustrate GDPR’s enforcement rigor and serve as critical examples for CLAT preparation.

Amazon (€746 million, 2021)

  • Violation: Luxembourg’s data protection authority (CNPD) fined Amazon for non-compliant data processing practices, specifically related to its use of personal data for targeted advertising without proper user consent.
  • Details: The fine was one of the largest under GDPR, reflecting Amazon’s extensive data processing operations and the scale of the violation.
  • Significance: This case underscores the importance of obtaining explicit, informed consent for data processing, particularly in industries reliant on user data for monetization.

Meta (€405 million, 2022)

  • Violation: Ireland’s Data Protection Commission (DPC) fined Meta for mishandling children’s data on Instagram, including the public disclosure of minors’ email addresses and phone numbers.
  • Details: The investigation revealed that Instagram’s default settings and data processing practices violated GDPR’s strict requirements for protecting vulnerable users, such as minors.
  • Significance: This case highlights GDPR’s focus on safeguarding children’s data and the accountability of social media platforms in managing sensitive information.
Key for CLAT: Study these fines to grasp GDPR’s enforcement mechanisms. Focus on the principles of consent, transparency, and special protections for vulnerable groups (e.g., children). These cases demonstrate the financial and reputational risks of non-compliance.

Indian Context

While GDPR is an EU regulation, its extraterritorial scope affects Indian companies and data breaches involving EU residents. Understanding its relevance in India is crucial for CLAT aspirants, especially in the context of global business and data protection laws.

GDPR Compliance for Indian Companies

  • Applicability: Indian IT firms like Tata Consultancy Services (TCS), Infosys, and Wipro, which serve EU clients, must comply with GDPR when processing personal data of EU residents.
  • Requirements: These companies must implement GDPR-compliant measures, such as data minimization, lawful processing, and robust security protocols, to avoid penalties.
  • Challenges: Compliance involves significant costs for updating systems, training staff, and appointing Data Protection Officers (DPOs). Non-compliance risks fines and loss of EU contracts.

Indian Data Breach Cases and GDPR Relevance

  • Air India Data Breach (2021): A cyberattack exposed personal data of approximately 4.5 million passengers, including names, passport details, and credit card information.
  • GDPR Implications: If EU residents were affected, Air India could face GDPR scrutiny for failing to implement adequate security measures, as required under Article 32 (security of processing).
  • Lessons: Indian companies handling global data must adopt GDPR-like standards to mitigate risks, especially in light of India’s own evolving data protection laws (e.g., the Digital Personal Data Protection Act, 2023).
Example: An Indian BPO handling customer data for a German bank must ensure GDPR compliance by encrypting data, obtaining consent for processing, and reporting breaches within 72 hours. Failure to do so could result in fines up to €20 million or 4% of annual global turnover.
The document General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT is a part of the CLAT Course Legal Reasoning for CLAT.
All you need of CLAT at this link: CLAT
63 videos|174 docs|38 tests
Join Course for Free

FAQs on General Data Protection Regulation (GDPR) - Legal Reasoning for CLAT

1. What is the General Data Protection Regulation (GDPR) and why is it important?
Ans. The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It aims to enhance individuals' control over their personal data and to simplify the regulatory environment for international business by unifying data protection regulations across Europe. GDPR is important because it establishes clear guidelines for data collection, processing, and storage, ensuring that individuals' privacy rights are respected and protected.
2. What are the core principles of data processing under GDPR?
Ans. The core principles of data processing under GDPR include: 1. Lawfulness, fairness, and transparency – data must be processed legally, fairly, and transparently. 2. Purpose limitation – data should be collected for specific, legitimate purposes and not further processed in a way incompatible with those purposes. 3. Data minimization – only the necessary data for the intended purpose should be collected. 4. Accuracy – data must be accurate and kept up to date. 5. Storage limitation – data should not be kept longer than necessary for its intended purpose. 6. Integrity and confidentiality – data must be processed securely to protect against unauthorized access or processing.
3. What rights do data subjects have under GDPR?
Ans. Under GDPR, data subjects have several rights, including: 1. The right to access – individuals can request access to their personal data and receive information about how it is processed. 2. The right to rectification – individuals can request correction of inaccurate or incomplete data. 3. The right to erasure – individuals can request deletion of their data under certain conditions (also known as the right to be forgotten). 4. The right to restrict processing – individuals can request a limitation on the processing of their data. 5. The right to data portability – individuals can request to receive their data in a structured, commonly used format and transfer it to another controller. 6. The right to object – individuals can object to the processing of their data in certain circumstances.
4. What is the role of a Data Protection Officer (DPO) under GDPR?
Ans. A Data Protection Officer (DPO) is responsible for overseeing an organization's data protection strategy and ensuring compliance with GDPR. The DPO's key responsibilities include informing and advising the organization and its employees about their obligations under GDPR, monitoring compliance, providing training to staff involved in data processing, conducting audits, and serving as a point of contact for data subjects and data protection authorities. Organizations are required to appoint a DPO if they process large amounts of sensitive personal data or if their core activities involve regular monitoring of individuals.
5. What are the penalties for non-compliance with GDPR?
Ans. Non-compliance with GDPR can result in significant penalties. Organizations can be fined up to €20 million or 4% of their global annual turnover, whichever is higher, for serious infringements. Lesser violations can lead to fines of up to €10 million or 2% of global turnover. In addition to financial penalties, non-compliance can damage an organization's reputation and lead to loss of customer trust, legal actions, and other sanctions imposed by data protection authorities.
About this Document
4.70/5 Rating
Sep 05, 2025 Last updated
Related Exams
Document Description: General Data Protection Regulation (GDPR) for CLAT 2025 is part of Legal Reasoning for CLAT preparation. The notes and questions for General Data Protection Regulation (GDPR) have been prepared according to the CLAT exam syllabus. Information about General Data Protection Regulation (GDPR) covers topics like Introduction, Overview of GDPR, Key Definitions, Core Principles of Data Processing, Key GDPR Concepts, Core GDPR Provisions, GDPR Penalties and Enforcement, Comparison with India’s DPDPA, GDPR’s Global and Indian Relevance, GDPR Landmark Cases and Incidents, Indian Context and General Data Protection Regulation (GDPR) Example, for CLAT 2025 Exam. Find important definitions, questions, notes, meanings, examples, exercises and tests below for General Data Protection Regulation (GDPR).
Introduction of General Data Protection Regulation (GDPR) in English is available as part of our Legal Reasoning for CLAT for CLAT & General Data Protection Regulation (GDPR) in Hindi for Legal Reasoning for CLAT course. Download more important topics related with notes, lectures and mock test series for CLAT Exam by signing up for free. CLAT: General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT
Description
Full syllabus notes, lecture & questions for General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT - CLAT | Plus excerises question with solution to help you revise complete syllabus for Legal Reasoning for CLAT | Best notes, free PDF download
Information about General Data Protection Regulation (GDPR)
In this doc you can find the meaning of General Data Protection Regulation (GDPR) defined & explained in the simplest way possible. Besides explaining types of General Data Protection Regulation (GDPR) theory, EduRev gives you an ample number of questions to practice General Data Protection Regulation (GDPR) tests, examples and also practice CLAT tests
63 videos|174 docs|38 tests
Join Course for Free
Download as PDF
Explore Courses for CLAT exam
Related Searches

General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT

,

Viva Questions

,

MCQs

,

study material

,

Summary

,

Sample Paper

,

Exam

,

Previous Year Questions with Solutions

,

pdf

,

ppt

,

Free

,

Extra Questions

,

General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT

,

past year papers

,

practice quizzes

,

General Data Protection Regulation (GDPR) | Legal Reasoning for CLAT

,

Important questions

,

mock tests for examination

,

Objective type Questions

,

video lectures

,

Semester Notes

,

shortcuts and tricks

;
Additional Information about General Data Protection Regulation (GDPR) for CLAT Preparation

General Data Protection Regulation (GDPR) Free PDF Download

The General Data Protection Regulation (GDPR) is an invaluable resource that delves deep into the core of the CLAT exam. These study notes are curated by experts and cover all the essential topics and concepts, making your preparation more efficient and effective. With the help of these notes, you can grasp complex subjects quickly, revise important points easily, and reinforce your understanding of key concepts. The study notes are presented in a concise and easy-to-understand manner, allowing you to optimize your learning process. Whether you're looking for best-recommended books, sample papers, study material, or toppers' notes, this PDF has got you covered. Download the General Data Protection Regulation (GDPR) now and kickstart your journey towards success in the CLAT exam.

Importance of General Data Protection Regulation (GDPR)

The importance of General Data Protection Regulation (GDPR) cannot be overstated, especially for CLAT aspirants. This document holds the key to success in the CLAT exam. It offers a detailed understanding of the concept, providing invaluable insights into the topic. By knowing the concepts well in advance, students can plan their preparation effectively. Utilize this indispensable guide for a well-rounded preparation and achieve your desired results.

General Data Protection Regulation (GDPR) Notes

General Data Protection Regulation (GDPR) Notes offer in-depth insights into the specific topic to help you master it with ease. This comprehensive document covers all aspects related to General Data Protection Regulation (GDPR). It includes detailed information about the exam syllabus, recommended books, and study materials for a well-rounded preparation. Practice papers and question papers enable you to assess your progress effectively. Additionally, the paper analysis provides valuable tips for tackling the exam strategically. Access to Toppers' notes gives you an edge in understanding complex concepts. Whether you're a beginner or aiming for advanced proficiency, General Data Protection Regulation (GDPR) Notes on EduRev are your ultimate resource for success.

General Data Protection Regulation (GDPR) CLAT Questions

The "General Data Protection Regulation (GDPR) CLAT Questions" guide is a valuable resource for all aspiring students preparing for the CLAT exam. It focuses on providing a wide range of practice questions to help students gauge their understanding of the exam topics. These questions cover the entire syllabus, ensuring comprehensive preparation. The guide includes previous years' question papers for students to familiarize themselves with the exam's format and difficulty level. Additionally, it offers subject-specific question banks, allowing students to focus on weak areas and improve their performance.

Study General Data Protection Regulation (GDPR) on the App

Students of CLAT can study General Data Protection Regulation (GDPR) alongwith tests & analysis from the EduRev app, which will help them while preparing for their exam. Apart from the General Data Protection Regulation (GDPR), students can also utilize the EduRev App for other study materials such as previous year question papers, syllabus, important questions, etc. The EduRev App will make your learning easier as you can access it from anywhere you want. The content of General Data Protection Regulation (GDPR) is prepared as per the latest CLAT syllabus.
© EduRev
Education Revolution
Signup on EduRev and stay on top of your study goals
10M+ students crushing their study goals daily