Article 25 – Data protection by design and by default
A controller must:
- implement technical and organizational measures to protect the rights of the data subject,
- protect personal data at the time of implementation and design,
- protect personal data throughout its lifecycle,
- control access to that personal data.
Article 47 – Binding corporate rules
Any organization wishing to transfer personal data to a third party (country or international organization) must specify that the destination has also complied with the GDPR.
Article 83 – General conditions for imposing administrative fines
If the controller fails to protect the rights of the data subject, the organization will be subject to a fine of up to:
- €10 million or 2% of the worldwide turnover, whichever is higher, if the breach is under Articles 8, 11, 25-39, 42, 43
- €20 million or 4% of the worldwide turnover, whichever is higher, if the breach is under Articles 5, 6, 7, 9, 12-22, 44-49