Introduction
The General Data Protection Regulation (“GDPR” or “Regulation”) is the privacy and security law of the European Union (“EU”). Passed by the European Parliament and coming into force in 2016, GDPR requires all organizations that target or collect data related to people in the EU to be compliant as of May 25, 2018. The primary objective of the Regulation is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.
The Regulation outlines rules concerning the processing of personal data and the free movement of such data within the EU.
Scope
According to Article 2 of GDPR, the Regulation applies to the processing of personal data by automated means as well as processing by other means of personal data that forms part of, or is intended to form part of, a filing system.
The GDPR applies if the data controller (an organization that collects data from EU residents), or the data processor (an organization that processes data on behalf of a data controller), or the data subject (person) is based in the EU. It also applies to organizations outside the EU if they collect or process personal data of individuals located inside the EU. However, it does not apply to data processing by a person for purely personal or household activities.
Key Terms and Definitions
- Data Subject: The person whose data is processed.
- Data Controller: The person who decides why and how personal data will be processed.
- Data Processor: A third party that processes personal data on behalf of a data controller.
- Personal Data: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- Processing: Any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Key Principles of GDPR
Article 5 of the Regulation outlines key principles regarding personal data:
- Lawfulness, Fairness, and Transparency: Processing must be done lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Only adequate, relevant, and limited personal data necessary for the purposes for which they are processed should be collected.
- Accuracy: Personal data must be kept accurate and up to date. Reasonable steps should be taken to ensure that inaccurate data is erased or rectified without delay.
- Storage Limitation: Personal data should be kept in a form which allows identification of data subjects for no longer than necessary for the purposes for which the data is processed.
- Integrity and Confidentiality: Personal data must be processed securely, with protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
The data controller is responsible for demonstrating compliance with these principles.
Lawful Basis for Processing
Article 6 of the Regulation specifies that processing is lawful if at least one of the following applies:
- The data subject has given consent for processing personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject's request prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Rights of the Data Subject
Articles 15-22 of the Regulation outline the rights of data subjects:
- Right to Access (Article 15): The data subject has the right to obtain confirmation from the controller on whether personal data concerning them are being processed and access to such data and related information.
- Right to Rectification (Article 16): The data subject has the right to obtain the rectification of inaccurate personal data concerning them.
- Right to Erasure (Article 17): The data subject has the right to obtain the erasure of personal data in certain circumstances, such as when data is no longer necessary or has been unlawfully processed.
- Right to Restriction of Processing (Article 18): The data subject has the right to obtain restriction of processing in certain circumstances, such as when the accuracy of data is contested.
- Notification Obligation (Article 19): The controller must communicate any rectification, erasure, or restriction of processing to each recipient to whom the data have been disclosed.
- Right to Data Portability (Article 20): The data subject has the right to receive personal data provided to a controller and to transmit it to another controller without hindrance.
- Right to Object (Article 21): The data subject has the right to object at any time to processing of their personal data. The controller must cease processing unless compelling legitimate grounds override the data subject's interests.
- Automated Individual Decision-Making (Article 22): The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, that produces legal effects or significantly affects them.
Remedies, Liabilities, and Penalties
Articles 77-84 of the Regulation outline remedies, liabilities, and penalties. Data subjects have the right to lodge complaints with a supervisory authority in their state of residence, place of work, or where the infringement occurred.
Individuals who suffer material or non-material damage due to a GDPR infringement can receive compensation from the controller or processor. Fines may also be imposed: less severe infringements can result in fines of up to €10 million or 2% of the firm's worldwide annual revenue, and more severe infringements in fines of up to €20 million or 4% of the firm's worldwide annual revenue.
Given the scope of the Regulation and potential fines for non-compliance, it is crucial for entities processing personal data of EU residents to implement mechanisms to ensure GDPR compliance.