Request demo
Site language:
A biometric software product for increasing the level of security at the facility during video surveillance
A biometric software product for biometric identity verification in access control and management systems
A biometric software product for displaying personalized media content
A biometric software product with facial recognition for reliable identity check
A biometric software product with facial recognition that expands the electronic queue systems with personalized services for visitors
A software product that provides simple and reliable working time and attendance by identifying faces using tablets, IP cameras, or terminals
A biometric software product with robust user authentication for unlocking a device or gaining access to operating systems or apps
A biometric software product with facial recognition that provides enhanced communication with clients
A biometric software product that provides a reliable and quick check of the gym clients access right without employee’s participation
A new level of work with visitors and employees of Business centers opened with the help of biometric products
Biometrics for convenient service to citizens, including remote monitoring of the quality of personnel work
Biometric monitoring of working hours and additional security tools for industrial facilities
Modern methods of biometric analytics for safe operation of sports facilities
Convenient and secure transport solutions based on the digital identity of the passenger
Biometric solutions for a new level of security and interaction with visitors
Biometric video Analytics for targeted marketing and personnel control in distributed networks
Biometric products for proctoring and video surveillance systems in educational institutions
Keyless biometric access to rooms, targeted approach to each client and information about the time of work for employees
Necessary tool for the security and competitiveness of a modern Bank
Improving the level of security, speed of investigations and timely prevention of illegal acts in the urban public space
Customer-oriented solutions, acceleration of the work process of the registry area, control of the staff of the entire institution
RecFaces makes facial biometrics simple and applicable. We provide a wide range of ready-made biometric solutions for businesses to upgrade their security and technological efficiency.
We are ready for cooperation and sales through the partner network. To get advice on your project, please contact us by e-mail
It is our principal and invaluable resource. Talented and energetic people of our team unite the like-minded ones which helps to expand expertise and company’s growth.
Join us!
We are always happy to answer all your questions. Contact us in any way convenient for you.
We share our long-term expertise
in the development of biometric software.
Discover our latest news and updates
on facial recognition technology
Find out more about
RecFaces company here

What Is GDPR? Understanding General Data Protection Regulation

What Is GDPR? General Data Protection Regulation: Laws, Compliance & Rules | RecFaces

The GDPR is nothing more than Europe’s data privacy and security law that comprises numerous pages of new requirements for companies and businesses around the globe. It is also the toughest set of rules imposing obligations onto institutions anywhere if they collect or target information related to people in the EU.

This regulation is effective as of May 25, 2018, and it levies harsh fines against those who break the protection standards. The penalties can be millions of euros; consequently, it is crucial to understand this law and figure out which parts are applicable to you.

Table of Contents

What Is the Definition and Meaning of GDPR?
The GDPR Key Principles
Who Is to Be Compliant With GDPR?
What Do We Need GDPR For?
Steps to the Validation of General Data Protection Regulation
The GDPR Requirements 2018
Who Is the General Data Protection Regulation Applicable To?
What Kinds of Privacy Data Are Under the GDPR Protection?
Which Organizations Are Affected by the GDPR?
Does This Regulation Have an Impact on Large Tech Organizations?
What Does Protection Regulation Mean for Citizens?
What Does a Breach Notification Mean?
What Are the Largest Fines Associated With the GDPR?
1. Google
2. British Airways
3. Marriott
Have There Been Any Changes in the GDPR?
Customers Remain Skeptical
Brands Are More Pressurized to Utilize Information Responsibly
The Regulation Has Already Cost Some Companies Dearly
Will the United States Apply GDPR?
Steps to Provide the Protection Law Compliance
What Should the Result Be?
What About GDPR in the UK?

What Is the Definition and Meaning of GDPR?

The GDPR stands for the General Data Protection Regulation issued by the European Parliament and Council in 2006. The law replaced the Data Protection Directive 95/46/EC as the major set of rules that regulates how organizations protect the personal data of EU citizens. Hence, the institutions that are already compliant with the Directive must make sure that they are in compliance with the GDPR’s new requirements as well. Any company that fails to do so will be subject to strict penalties and fines.

The GDPR requirements are applicable to every state of the European Union, and the goal is to provide a safe environment for consumers and personal information across EU nations. The GDPR key issues include:

  1. Consent
  2. First of all, consent must be carried freely, and it also must be informed, clear and specific. Freely given consent implies that it is the data subject’s real choice. Consequently, the consent is regarded as invalid if inappropriate pressure or influence took place to affect the final result. It was made clear by the European data protection authorities that if a controller decided to count on consent at any stage of the processing, they must show respect for that choice and stop the procedure if the consent is withdrawn.

  3. Data Protection Officer
  4. The concept of a Data Protection Officer was established by the GDPR in Europe. In defiance of common belief, the key processing activities that are crucial to reach the company’s goals are decisive for the legal obligation to get a Data Protection Officer appointed. The size of the company is not a significant factor in this case. If the core activities imply processing sensitive personal details, such a business must obtain a DPO.

  5. Email Marketing
  6. Email marketing and newsletter mailings are a significant part of online marketing. Generally, the principle that processing is not allowed but can be authorized is also pertinent to the personal information that is utilized to send emails. The General Data Protection Regulation allows processing if there is consent from the data subject or another legal basis exists.

  7. Encryption
  8. It is possible for companies to minimize the probability of a data breach and thus lessen the risk of penalties in the future if they apply personal data encryption. Simply put, encryption is the procedure that turns clear text into a hashed code using a key, where the outgoing data can only be read again with the help of the correct key. Hence, encryption is mentioned as an organizational and technical measure to protect data in the list of Article 32/1.

  9. Fines/Penalties
  10. The fines must be not only effective but also proportionate for each case. The authorities obtain a statutory catalog of criteria that is to be considered for the decision of whether and what level of penalty should be. The penalties can be increased due to a failure to act to minimize the damage that occurred, intentional infringement, or absence of collaboration with authorities.

  11. Personal Data
  12. The data subjects happen to be identifiable if it is possible to identify them directly or indirectly. It may be a name, location data, an identification number, etc. Moreover, these also involve personal details that can be assigned to an individual in any way — for instance, credit card number, telephone number, appearance, account data, or address.

  13. Privacy by Design
  14. Privacy by Design implies data protection through technology design. The main idea is that data is protected best in data processing procedures if it is integrated with the technology when generated. According to the law, a few protective measures must be applied to meet statutory requirements. Thus, recognized certification can be an indicator to authorities that the company has complied with the Privacy by Design requirements.

  15. Privacy Impact Assessment
  16. The instrument for a privacy impact assessment refers to the controller's obligation to carry out an impact assessment and record it before the intended data processing began. It is allowed to bundle a few processing procedures into one assessment.

  17. Processing
  18. The GDPR offers a uniform for “commissioned data processing”, which is nothing more than the collection, processing, or utilization of personal information by a processor as per the instructions of the controller contingent on a contract.

  19. Records of Processing Activities
  20. According to the GDPR, procedures by which personal information is processed must be documented. Records of such activities must comprise essential information about the process, including data categories, the aim of processing, the data subjects’ group, and the data recipients. All the information must be provided to authorities upon request.

  21. Right of Access
  22. The first thing to be done by the controller is to check whether any personal details of the individual seeking information are being processed at all. One must claim a positive or negative outcome in either of the cases. This process is complicated and can take up to one month.

  23. Right to Be Forgotten
  24. The right to be forgotten mainly regulates the erasure procedure. Personal information must be deleted immediately when the data is no longer necessary for the primary processing procedure — or the subject has withdrawn consent, which means that further processing is illegal. In addition to that, data must be deleted if the processing itself was not legitimate in the first place.

  25. Right to Be Informed
  26. Transparent processing is necessary to let EU citizens exercise their right to personal data protection. Hence, the GDPR provides people with a right to be aware of the gathering and use of their personal details, which results in various information liabilities by the controller.

  27. Third Countries
  28. These days, it is crucial to have the ability to transfer data to third countries to make international cooperation and trade possible. In this case, secure and insecure third countries are to be differentiated. Secure third countries are the ones for which the European Commission has confirmed an appropriate level of data protection. It means that their national laws align themselves with the EU law when it comes to personal data protection.

The GDPR Key Principles

The GDPR puts forward seven principles to ensure lawful private data processing. This process involves gathering, organizing, storing, structuring, changing, utilizing, consulting, combining, communicating, erasing, restricting, or destroying personal information. To sum it up, several principles are as follows:

  • Purpose limitation;
  • Lawfulness, fairness, and transparency;
  • Data minimization;
  • Storage limitation;
  • Accuracy;
  • Accountability;
  • Integrity and security.

The above points are the core of the GDPR, so data controllers must ensure that the process complies with the principles. The full version of these key principles offers an in-depth explanation regarding their application.

Who Is to Be Compliant With GDPR?

The General Data Protection Regulation aims to impose data safety and security rules on all EU citizens so that every state does not have to come up with its own laws to protect data. Hence, the GDPR is consistent across the entire European Union. Any organization that supplies residents with services or goods is subject to the GDPR, regardless of its location. As a result, the regulation will influence data protection requirements around the world.

What Do We Need GDPR For?

The quick answer to the above question is a public interest in privacy. In general, Europe had more strict guidelines on how organizations utilize citizens’ personal data. The General Data Protection Regulation replaces the Data Protection Directive, which appeared in 1995. It became outdated, though, because it does not deal with many cases where details are collected, stored, and transferred these days.

The public concern over privacy keeps growing due to new data breaches that attract a lot of attention. As stated in the RSA Data Privacy and Security Report, they surveyed around 8,000 clients in Germany, France, the UK, Italy, and the United States, and 80% of them claimed that lost financial data happens to be a big issue.

There is an alarming statistic for organizations that deal with customer data, which is that 62% of those clients would blame the organization for the lost data in the case of a breach. Some consumers have taken their own measures because they do not trust companies when it comes to personal information protection. Hence, around 41% of the respondents stated that they falsify data when signing up online. Approximately half of the respondents are sure that they would be more likely to buy something from a company that is able to prove they take data protection seriously.

Steps to the Validation of General Data Protection Regulation

The GDPR did not appear in one day; it took several years before the law was released. Here are the most significant dates connected with the GDPR validation:

  • January 25, 2012 — They issued the proposal for the GDPR.
  • October 21, 2013 — The LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs had its orientation vote.
  • December 15, 2015 — A joint proposal appeared as the result of a parley between the European Parliament, Commission, and Committee.
  • December 17, 2015 — The LIBE Committee of the European Parliament decided that the negotiation between three members should take place.
  • April 8, 2016 — The Council of the European Union adopted the GDPR. Austria was the only state that voted against the rules, as it stated that the 1995 directive surpasses the new law in some respects.
  • April 14, 2016 — The European Parliament embraced the GDPR.
  • May 24, 2016 — In 20 days, the regulation became effective after being published in the Official Journal of EU.
  • May 25, 2018 — The new data regulation started operating in all member states.
  • July 20, 2018 — The EEA Joint Committee and 3 countries (Liechtenstein, Iceland, and Norway) reached the agreement regarding the regulation, so the set of laws entered into force in the EEA countries.

The GDPR Requirements 2018

The General Data Protection Regulation consists of 11 chapters and 91 articles. Below, you can see the most significant ones:

  • Articles 17 and 18 — Due to these Articles, data subjects have more control over private information that goes through automated processing. As a result, they can easily transfer their information between service providers, and they are also allowed to contact a controller to get their personal information deleted in the case of specific circumstances.
  • Articles 23 and 30 — According to them, organizations are required to take measures to protect the personal data and privacy of their consumers against exposure or loss.
  • Articles 31 and 32 — Data breach notifications are important on the regulation’s text. Article 31 highlights the single data breaches’ requirements, so controllers are to inform Supervising Authorities within 72 hours if it happens. In addition to that, they are to provide certain details, like the nature of the violation and how many data subjects were affected. According to Article 32, the controllers are obliged to inform data subjects of breaches as soon as possible because their freedoms and rights are threatened.
  • Articles 33 and 33a — These oblige organizations to conduct Data Protection Impact Assessments to understand how high risks to personal data are. Furthermore, they must conduct Data Protection Compliance Reviews to make sure that those risks are dealt with.
  • Article 35 — It states that data protection officers are to be appointed at particular companies. Hence, any organization that comprises information revealing a consumer’s racial or ethnic origin, genetic data, religious beliefs, etc., must have a DPO. Their task is to provide organizations with advice regarding compliance with the laws.
  • Articles 36 and 37 — They describe the position and responsibilities of the Data protection officer that must be performed to ensure compliance with the GDPR requirements.
  • Article 45 — This article contains data protection laws for international organizations that gather or process the personal information of EU citizens. According to it, such companies are also subject to the same fines and requirements as EU-based organizations.
  • Article 79 — The penalties for non-compliance are outlined in this article, and they might make up around 4% of the annual revenue of the organization that contravened the law. The penalty depends on the violation’s nature.

Who Is the General Data Protection Regulation Applicable To?

The data protection regulation is applicable to any business that operates within the European Union, as well as any companies from other countries that provide services of goods to businesses or consumers in the EU. Hence, most organizations worldwide require a compliance strategy.

Two kinds of data-handlers exist, and the legislation is applicable to both. They are “controllers” and “processors”, while one can find their definition in the GDPR, Article 4.

A controller is an individual, agency, public authority, or any body that specifies the means and purposes of processing personal information and does it alone or in tandem with others. At the same time, the process is a public authority, individual, or agency that must get personal data processed in support of the controller.

According to the GDPR, legal obligations are imposed on a processor to document personal data and how they process it, which ensures more legal liability in the event of a breach.

The task of controllers is to make sure that all contracts with processors are compliant with the laws.

What Kinds of Privacy Data Is Under the GDPR Protection?

Everybody knows that the aim of the GDPR is to protect personal data, and it has a set of laws that are to regulate this process. However, many may wonder which privacy data is under its protection. Here is a list of information that should be kept secure:

  • Basic identity details, such as address, full name, and ID number;
  • Health and genetic information;
  • Web data like IP address, location, RFID tags, and cookie data;
  • Racial and ethnic information;
  • Biometric data;
  • Sexual orientation;
  • Political opinions.

Which Organizations Are Affected by the GDPR?

As mentioned before, any organization that processes and stores the Eu citizens’ personal details must comply with the protection law, even if they are not located within the European Union. Certain requirements for an organization that must comply are as follows:

  • It has a presence in an EU member state;
  • It is not in the EU, but the company processes the personal information of residents;
  • It employs more than 250 people;
  • It employs fewer than 250 individuals, but information processing has an influence on the freedoms and rights of data subjects.

Propeller Insights carried out a survey, the sponsor of which was Netsparker LTD. They asked executives which organizations would be affected by the protection regulation. 53% of respondents believe that the technology sector will be most impacted by the laws. The sector is followed by online retailers, financial services, and consumer packaged goods.

Does This Regulation Have Impact on Large Tech Organizations?

The tech titans have already updated their websites so that they comply with the regulation. Facebook, for example, launched a wide variety of tools to allow consumers to control their own privacy, and one of them is an “access your information” instrument. Thanks to it, people can search, download, or erase some information on the website. The company also made its clients agree to new terms of service, and it encouraged them to opt for facial recognition technology.

What Does Protection Regulation Mean for Citizens?

One of the most significant changes brought by the regulation is providing people with the right to be aware of a data breach. Companies must notify certain national bodies shortly to allow citizens to take measures to avoid data abuse.

Another beneficial change is that consumers can figure out when their personal data was hacked. Besides, they can access information on how their personal information is processed because companies must report how they utilize customer data. To sum it up, the GDPR enforces organizations to always remember consumer rights, so it is advantageous to citizens.

What Does a Breach Notification Mean?

A breach notification implies that companies must report specific types of breaches to the supervisory authority in the event of illegal access or personal information loss. Sometimes, people affected by the breach are also informed.

Organizations must report any breach that can be a great risk to the freedoms and rights of people and result in damage to reputation, discrimination, loss of confidentiality, etc. They are obliged to do that with the help of a breach notification, which is to be received by the victims.

What Are the Largest Fines Associated With the GDPR?

The issued fines can be large, which means that can be millions of euros. Victims are allowed to claim for damages, and the amount depends on how extensive the damage is. Below, there is a list of the largest GDPR fines so far.

1. Google

In May 2019, France issued a fine of 57 million euros to Google, which was accused of lacking consent and transparency in its personalized advertisements. As a result, the company admitted their fault and released a statement that they will change.

2. British Airways

For not respecting the protection regulation, British Airways had to go through the highest fine in history. In 2018, 500,000 customers were affected by a data breach because the airline company failed to implement strong security. Hence, they had to pay 183 million pounds, which made up approximately 1.5% of their revenue.

3. Marriott

Cyber hackers managed to access over 300 million consumer records from the hotel in 2019. The results of this breach were disastrous, so Marriot paid a 123 million dollars fine. The amount is large because it is over 3% of the company’s gross revenue.

Have There Been Any Changes in the GDPR?

The GDPR was developed to protect the privacy of personal data, and the main reason is that modern consumers do not trust organizations with their information. Nobody wants their confidential details to be sold for profit. By May 2019, four in ten organizations have become more transparent about personal information due to GDPR.

Customers Remain Skeptical

In general, people still do not trust companies when it comes to user privacy online. As Ipsos Mori survey has shown, 36% of females and 43% of males suppose that brands do not care if they break the protection laws. Around 47% of consumers trust organizations that they share their personal details with.

Brands Are More Pressurized to Utilize Information Responsibly

Currently, brands are not allowed to gather data just because they want to; there must be a legitimate reason for doing so. Organizations also have to erase the information after its target purpose, which means they cannot keep it forever as they did before.

The Regulation Has Already Cost Some Companies Dearly

The rules influenced how some US organizations run their businesses significantly. Mobile marketing agency Verve, for instance, closed its operations in the EU in two years. The reason is that they have come to the conclusion that the regulations are not favorable to their business model. Verve is not the only company that had to stop working in Europe because of the GDPR.

Will the United States Apply GDPR?

American data privacy was thrown into the spotlight due to political and public scrutiny. Currently, federal data privacy legislation does not exist. Meanwhile, there is an increase in discussions on this issue, so approximately two-thirds of organizations in the United States might rethink their strategies because of the GDPR. Some American companies, though, expect an increase in protection regulations, as it is high time to take more strict measures.

Steps to Provide the Protection Law Compliance

All companies, both small and large, must learn these requirements and be ready to comply with them. This process is not easy, so some efforts are required. It is also essential to be aware of changes to the enforcement methods even when they are compliant.

Here are a few steps to ensure certification compliance:

  • Read the regulation physically. Every individual that can be affected by GDPR must try to read and understand it, even though it contains sections that are hard to understand;
  • Look at other companies. All organizations all over the globe depend on GDPR, even if they are not in the EU. If you fail to understand what is to be done to reach compliance, you should connect with those who happen to be compliant;
  • Look at your site attentively. Opt-ins and cookies can be set up on an online platform easily, but you should always bear in mind that they must be compliant;
  • Pay attention to data. All information in your company must comply with the regulation if you operate in the EU. If you know every step of data processing, it is easier to avoid breaches.

What Should the Result Be?

Even if consumers do not pressurize, information commissioners have more power across the European Union; consequently, data processors should be more responsible when utilizing data.

On the other hand, it can help the dominant players entrench. A new company may fail to persuade potential customers to data collection. At the same time, if a business like Facebook makes a take-it-or-leave offer, millions of people will agree.

What About GDPR in the UK?

The United Kingdom is a part of the EU, so there is even a guide to GDPR, which was developed for data protection officers and others who are responsible for personal information protection.

There, one will find the general regime that is applicable to the majority of UK companies. The UK GDPR is covered there, and it also links to more informative resources where relevant.


All the key points of the GDPR have been covered in this article, and it should be extremely helpful if you want to learn more about this set of laws. If you happen to be affected by the regulation, we recommend that you read it, and you should also talk to an attorney to make sure that you are compliant.


What Does the GDPR Imply?

GDPR is nothing but the General Data Protection Regulation. It is a set of laws that aims to protect personal data while it is being processed. Thanks to it, consumers can be sure that no third parties can access their personal details and use them for their benefit.

Why Is the GDPR Being Implemented?

The regulation appeared because most consumers stopped trusting companies when they require personal data. The risk of the breach also increased, so it was necessary to take some measures. GDPR also appeared because the directive could no longer deal with modern issues.

How Is Personal Data Defined by GDPR?

Personal data is any information that can cause issues, such as abuse. Hence, personal data includes health and genetic data, name, political opinions, etc. This information is regarded as sensitive and is to be protected.

What Is a GDPR Breach?

A GDPR breach occurs if personal data is stolen, lost, or released to someone illegally. It is not an idle threat because people can face big problems as a result. Hence, companies must ensure it does not happen.

What Data Does GDPR Protect?

GDPR protects any sensitive personal data, such as photos, addresses, IP addresses, and more. This information is usually provided to companies if consumers want to access their goods or services. At the same time, the organizations must make sure that they comply with GDPR.

Who Is Subject to GDPR?

Any company that operates in an EU member state is subject to this law. However, if an organization provides its services to EU citizens, it must also make sure that it is compliant with the regulation. Otherwise, it will be fined.

Can They Enforce GDPR in the USA?

Currently, the USA is not subject to GDPR, but the country has its own set of laws. Meanwhile, more and more people are concerned about the safety of their personal details. It implies that they may enforce this regulation in the USA.

How Does the Regulation Affect the US Businesses?

The regulation does affect US businesses if they want to offer their services in Europe. If they do not want to deal with GDPR, they have to stop operating in the EU. Thus, most of them do their best to comply with it.

When Is GDPR Not applicable?

The regulation is not applicable if a company does not need to process customer data. It is true even for organizations located in the EU. The reason is that the laws are only about personal data processing.

Here you can rate our article

Subscribe to our newsletter