The GDPR has applied directly in all EU countries since 25.05.2018. The purpose of the GDPR is to harmonize data protection law within the EU.
This is intended to strengthen the protection of personal data as well as the personal rights of citizens.
Both non-public facilities (self-employed persons, companies, membership associations) and public facilities such as authorities must comply with the GDPR.
Private persons do not have to observe the GDPR as long as they process personal data only for personal or family purposes.
The responsible person is usually the owner or manager of a company. The data protection officer is never responsible for compliance; he only takes on an advisory or supporting role.
A facility needs a data protection officer if, as a rule, at least ten persons are constantly engaged in the processing of personal data. It does not matter whether these ten people are paid employees or volunteers.
Personal data is any information that relates to an identified or identifiable natural person, as well as any information about the personal or material circumstances of a particular or identifiable natural person.
In contrast to the old legal situation, the GDPR extended the duties of the responsible person.
Furthermore, the GDPR introduced the principle of accountability. This means that the responsible person has to be able to prove that the personal data he processes is handled in compliance with data protection law.
The information obligations were extended. This means that the responsible person must inform data subjects in a more transparent and comprehensive manner.
In addition, the fines for breaches of data protection rules have increased drastically, and the responsible person has to take appropriate technical and organizational measures to protect the personal data he processes.