What Is the GDPR? | IT Passport Exam Study Guide
A concise overview of the EU's GDPR for the IT Passport exam: scope, key principles, differences from Japan's Personal Information Protection Law, and penalties for violations.
What Is the GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation that has uniformly governed the protection of personal data within the EU since May 2018. It is notable for its extremely high penalties for violations, with fines of up to 4% of annual global turnover.
Scope of Application
The GDPR has a broad scope. Any company with an establishment in the EU is subject to the regulation, regardless of size. Even companies based outside the EU are covered if they offer services to individuals residing in the EU, which includes many Japanese companies. For example, if a Japanese e-commerce site accepts orders from the EU, it must comply with the GDPR.
The Seven Principles
The GDPR establishes seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles form the foundation for all personal data processing.
Key Rights
Data subjects are granted the right to access their own data (right of access). The right to rectification, allowing individuals to correct inaccurate data, and the right to erasure (the right to be forgotten), which allows individuals to request deletion of their data, are also important rights. Additionally, there is the right to data portability, enabling individuals to transfer their data to another service, and the right to object, for example, to profiling.
Penalties
Penalties for GDPR violations are very severe. The maximum fine is the higher of 4% of annual global turnover or €20 million. Even for less serious violations, fines can reach 2% of turnover or €10 million. There have been cases where Google and Meta were fined hundreds of millions of euros.
Differences from Japan's Personal Information Protection Law
Compared to Japan's Personal Information Protection Law, the most significant difference is the vastly higher penalty amounts under the GDPR. The GDPR also recognizes rights not found in Japanese law, such as the "right to be forgotten" and the "right to data portability." Furthermore, transferring personal data outside the EU is subject to strict restrictions, and an adequacy decision is required (Japan received this in 2019).
Key Points for the IT Passport Exam
In the IT Passport exam, frequently tested points include that the GDPR's scope covers EU residents, that the maximum fine is 4% of annual turnover, and that, among the key rights, the right to be forgotten comes up particularly often.
Typical Past Exam Question Patterns
- "Which of the following correctly describes a feature of the GDPR?"
- "In which case would a Japanese company be subject to the GDPR?"
Related Terms
- Personal Information Protection Law (Basics of Personal Information Protection Law)
- Encryption (Basics of Encryption)
Study Tips
As a study tip, first understand the concept that "Japanese companies providing services to EU residents are also subject to the regulation." Be sure to memorize the fine figures: "4% of annual turnover or €20 million." Also, make sure to grasp the two major differences from Japanese law: the right to be forgotten and the right to data portability.
Summary
You can score points on GDPR-related questions by mastering three key areas: scope of application, penalties, and key rights. For comprehensive practice on the Strategy domain, see the Strategy Summary. For full-length practice, the Practice Exam is helpful.