EU's General Data Protection Regulations

The EU’s primary personal data law, the Data Protection Directive 95/46/ec was replaced by the General Data Protection Regulation (GDPR) which took effect on 25 May 2018.  

What Is the GDPR

The General Data Protection Regulation (GDPR) aims to create consistent protection of consumers and the personal data of all individuals within the European Union (EU) and the European Economic Area (EEA). It standardizes data protection law across all 28 EU countries, removing the need for each state to write its own data protection laws. The GDPR also stipulates that any company that markets goods or services to EU residents, regardless of its geographical location, adhere to the regulation. 

What Are The Differences between the DPD and the GDPR?

The most important change with the new GDPR is the definition of personal data and the processing of personal data. Its focus is to give consumers control of their personal data collected by companies. This means that it applies to any organization that sells, services, or monitor the behavior of people.

What is the definition of "personal data"?

Under GDPR, personal data is any information relating to an "identifiable person". Identifiable information includes such things as a name, ID number, location, ethnicity, or political standing. Data doesn't have to be confidential or sensitive to qualify as "personal". Personal data includes but is not limited to; name, email, IP address, 3rd party hosted services, email form signups, and contact forms. To better understand the regulation, take a look at the publication of the regulations in the Official Journal of the European Union, which defines all terms related to the law. As defined broadly under European Union competition law the law does not apply to lawful interception, statistical or scientific analysis, or the processing of personal data in a purely personal activity.

What is the punishment for non-compliance?

Non-compliance can result in fines up to 4 percent of the organization's annual global turnover or 20 million euros ($24.6 million), whichever is bigger. There is however a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.

Privacy Shield 

AVOXI complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries and Switzerland to the United States, respectively. AVOXI has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability, for onward transfer, security, data integrity, and purpose limitation, access, and recourse, enforcement, and liability. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view AVOXI certification, please visit

Closing Thoughts 

While these changes may seem confusing and worrisome, the regulation is focused on some of the world's biggest technology companies, including Facebook and Google. If you have any questions or concerns you can view the FAQ section of the GDPR portal.  You can also view the AVOXI  privacy policy which is also available on our website or email us at

Give feedback about this article

Was this article helpful?

Have more questions? Submit a request

Can’t find what you’re looking for?

Contact our award-winning customer care team.