
GDPR

Also known as: General Data Protection Regulation, Regulation (EU) 2016/679

The General Data Protection Regulation is the European Union’s data protection law. Adopted in April 2016, it has applied since 25 May 2018, and through the EEA Agreement it also applies in Iceland, Liechtenstein and Norway. Article 3 sets its territorial scope, including its extraterritorial reach: it applies to processing in the context of the activities of an establishment in the EU, regardless of where the processing itself takes place, and to any controller or processor outside the EU that offers goods or services to people in the EU (whether or not payment is required) or monitors their behaviour within the EU.

Core obligations

  • Lawfulness: a legal basis for every processing activity (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
  • Purpose limitation and data minimisation. Collect only what is adequate, relevant and necessary for the purposes you specified at collection, and do not further process it in a way incompatible with those purposes (Article 5(1)(b) and (c)).
  • Records of processing. A Record of Processing Activities (ROPA) covering every processing operation (Article 30). Organisations with fewer than 250 employees are exempt only if their processing is occasional, unlikely to result in a risk to individuals, and involves no special-category or criminal-conviction data; few organisations meet all three conditions, so in practice most must keep one.
  • Data subject rights: access, rectification, erasure, restriction, portability, objection, and protection against solely automated decisions with legal or similarly significant effects (Articles 15 to 22). Requests must be answered without undue delay and in any event within one month; that period can be extended by two further months for complex or numerous requests, provided the data subject is told of the extension within the first month (Article 12(3)).
  • Breach notification. Report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; a notification made after 72 hours must state the reasons for the delay (Article 33). Where the breach is likely to result in a high risk, the affected individuals must also be informed without undue delay (Article 34). A processor that becomes aware of a breach must notify the controller without undue delay.
  • International transfers. Data leaving the EEA needs a Chapter V mechanism: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or, for specific one-off situations, an Article 49 derogation. Since the Schrems II judgment (C-311/18, 2020), SCC-based transfers also require an assessment of the destination country’s law and, where needed, supplementary measures.

Penalties

Article 83 sets two tiers of administrative fines, each expressed as a maximum. Lower tier: up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of controller and processor obligations such as record-keeping, security measures, breach notification, data protection impact assessments and DPO appointment. Upper tier: up to €20 million or 4%, whichever is higher, for breaches of the basic principles for processing (including the conditions for consent), data subject rights, the international transfer rules, or an order of a supervisory authority. The amount within a tier is set using the Article 83(2) factors (nature, gravity and duration of the infringement, intent or negligence, mitigation, previous infringements, cooperation with the authority), and fines sit alongside corrective orders such as processing bans and civil claims for compensation under Article 82. Cumulative fines since 2018 have exceeded €4 billion; a handful of decisions against large platforms and ad-tech operators, the largest above €1 billion, account for most of that total.
