GDPR Introduction

1 day

Course Overview

GDPR stands for General Data Protection Regulation. It is a regulation of the European Union that came into effect on May 25, 2018, replacing the previous data protection directive from 1995. The GDPR is designed to harmonize data privacy laws across Europe, to protect the privacy and personal data of EU citizens and residents, and to strengthen the rights of individuals in relation to their personal data.
Under the GDPR, organizations that collect, use, store or process the personal data of EU citizens or residents are required to comply with a range of data protection requirements, including the appointment of a Data Protection Officer (DPO), implementing appropriate technical and organizational measures to ensure the security of personal data, providing individuals with clear and concise information about the processing of their data, obtaining their explicit consent where necessary, and providing individuals with certain rights with respect to their personal data, such as the right to access, rectify, and erase their personal data.
The GDPR applies not only to organizations based in the EU but also to those outside of the EU that offer goods or services to, or monitor the behaviour of, EU citizens or residents. Failure to comply with the GDPR can result in significant fines, as well as reputational damage and loss of customer trust. In simple words, GDPR is a new set of rules for EU citizens which gives them liberty and control over their personal data. They can access their data, erase it or update it at any time, with their consent and without fear of their personal data being stolen.

Target audiences

  • Individuals interested in the fundamental principles of privacy
  • Individuals seeking to gain knowledge about the main requirements of the General Data Protection Regulation (GDPR)

Schedule Dates

  • GDPR Introduction: 17/07/2023
  • GDPR Introduction: 23/10/2023
  • GDPR Introduction: 22/01/2024
  • GDPR Introduction: 22/04/2024

GDPR stands for “General Data Protection Regulation”. It is the core of Europe’s digital privacy legislation. It is important for several reasons. First, you must have a person’s consent to use their data, covering how and where it is used and, most crucially, for which purpose. Secondly, it makes controllers and processors liable for their use of private data, including requirements for data protection impact assessments, data breach notification and the appointment of a data protection officer. Thirdly, it sets out guidelines for transferring data abroad, ensuring that private data is transferred safely and does not leak by any means.

Every organization or company that deals with the personal or private data of people in any regard is accountable under GDPR laws. They are accountable for using private data and are bound to comply with GDPR laws. This legislation applies to two types of data handlers, known as “controllers” and “processors”. A controller is a person, organization or any other body that defines the means of handling or processing the data, while a processor is the body, organisation or company which processes the personal data on behalf of controllers. So, whether the data of European people is handled inside Europe or transferred outside it, controllers and processors are liable to comply with GDPR law.

The process for obtaining consent under GDPR is quite specific and requires several key elements to be in place.

  • Consent must be freely given: This means that individuals must be able to freely choose whether or not to give consent, without being coerced or influenced in any way.
  • Consent must be specific: Organizations must provide individuals with clear and specific information about what they are consenting to, including details about how their personal data will be used.
  • Consent must be informed: Individuals must be provided with all of the information necessary to make an informed decision about whether or not to give consent. This includes information about the data controller, the purpose of the processing, the types of data that will be processed, and how long the data will be retained.
  • Consent must be unambiguous: The language used to obtain consent must be clear and easy to understand, with no room for interpretation.
  • Consent must be documented: Organizations must keep a record of when and how consent was obtained, including the specific wording used to obtain consent.
  • Consent must be revocable: Individuals must have the right to withdraw their consent at any time, and it must be just as easy to withdraw consent as it was to give it.

It's important to note that GDPR requires a higher standard of consent than previous data protection laws, and organizations must be able to demonstrate that they have obtained valid consent from individuals. Failure to obtain valid consent can result in severe penalties, including fines of up to 4% of a company's global annual revenue or €20 million (whichever is greater).

Non-compliance with GDPR can result in severe penalties and fines, depending on the nature and severity of the violation. The maximum fines are:

  • Up to €20 million or 4% of the company's total worldwide annual revenue from the preceding financial year, whichever is higher, for violations related to the basic principles of data protection, such as lack of consent, failure to conduct a data protection impact assessment, or failure to notify authorities or data subjects of a data breach.
  • Up to €10 million or 2% of the company's total worldwide annual revenue from the preceding financial year, whichever is higher, for violations related to the obligations of data controllers and processors, such as failure to implement adequate data security measures or failure to maintain accurate records.

These fines are the maximum penalties that can be imposed, and the actual amount of the fine will depend on several factors, such as the nature and severity of the violation, the number of data subjects affected, the measures taken by the organization to mitigate the harm caused, and the level of cooperation with regulatory authorities.

In addition to fines, non-compliance with GDPR can also result in damage to an organization's reputation, loss of customer trust, and legal action from affected individuals or regulatory authorities. It is therefore important for organizations to take GDPR compliance seriously and implement robust data protection policies and procedures to ensure that they are meeting their obligations under the law.
