General Data Protection Regulation (GDPR)
AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.
Summary
The General Data Protection Regulation (GDPR) is the EU’s core legal framework for the protection of personal data, replacing Directive 95/46/EC and harmonising data protection rules across the EU/EEA. It sets out principles and lawful bases for processing, strengthens individuals’ rights (including access, rectification, erasure, restriction, portability and objection), and imposes obligations on controllers and processors (including security, accountability, DPIAs and, in certain cases, DPO appointment). It also regulates international transfers of personal data and establishes enforcement by independent supervisory authorities, including a one-stop-shop mechanism for cross-border processing and significant administrative fines.
Who is affected?
Controllers and processors in the EU/EEA, and organisations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA. It also affects public authorities, employers, online platforms, app providers, advertisers, and any entity handling personal data in a professional context.
Scope
Processing of personal data wholly or partly by automated means, and non-automated processing forming part of a filing system, including certain extraterritorial processing linked to offering goods/services to or monitoring individuals in the EU/EEA.
Key Points
- Applies to controllers/processors and, in specified cases, to non-EU/EEA organisations offering goods/services to or monitoring individuals in the EU/EEA
- Requires a lawful basis for processing (e.g., consent, contract, legal obligation, vital interests, public task, legitimate interests) and compliance with core principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, accountability)
- Strengthens data subject rights (information, access, rectification, erasure, restriction, portability, objection, and safeguards around automated decision-making/profiling)
- Imposes accountability and governance duties (records of processing, privacy by design/by default, processor contracts, and—where required—DPO appointment and DPIAs for high-risk processing)
- Requires notification of a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them, and processors must notify the controller without undue delay
- Regulates international transfers via adequacy decisions, appropriate safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules) or, in specific situations, derogations, and provides for strong enforcement and two tiers of administrative fines (up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year for the lower tier, and up to EUR 20 million or 4% for the most serious infringements, in each case whichever is higher)
Key Deadlines
- — Application date (GDPR applies from this date)
Related Regulations
Frequently Asked Questions
Who must comply with the GDPR?
The GDPR applies to controllers and processors established in the EU/EEA (for processing carried out in the context of that establishment, wherever the processing itself takes place), as well as to organisations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA.
What types of data processing fall within the scope of the GDPR?
The GDPR covers the processing of personal data wholly or partly by automated means, and non-automated processing that forms part of a filing system. It also applies to certain extraterritorial processing linked to offering goods/services to or monitoring individuals in the EU/EEA.
What are the key obligations for organisations under the GDPR?
Organisations must ensure a lawful basis for processing, comply with core data protection principles, uphold data subject rights, maintain accountability (including records and contracts), implement appropriate security measures, and notify authorities of certain data breaches.
What penalties can be imposed for non-compliance with the GDPR?
Supervisory authorities can impose administrative fines of up to EUR 20 million or 4% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements (for example, breaches of the basic principles, data subject rights or transfer rules). A lower tier of up to EUR 10 million or 2% of turnover, whichever is higher, applies to other infringements such as failures of the controller and processor obligations on security, records and breach notification.
What rights do individuals have under the GDPR?
Individuals have rights to information, access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and safeguards regarding automated decision-making and profiling.
How does the GDPR regulate international transfers of personal data?
Personal data may be transferred outside the EU/EEA only if the European Commission has found that the destination ensures an adequate level of protection, if appropriate safeguards (such as Standard Contractual Clauses or Binding Corporate Rules) are in place together with enforceable rights and effective remedies for individuals, or, in specific situations, if one of the limited derogations applies (for example, the individual's explicit consent after being informed of the risks, or a transfer necessary for the performance of a contract with the individual).
When must a data breach be reported under the GDPR?
A controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where notification is made later than 72 hours, the reasons for the delay must be given. Affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them. A processor must notify the controller without undue delay after becoming aware of a breach, and the controller must document all breaches, including those not notified.
Are organisations required to appoint a Data Protection Officer (DPO)?
A DPO must be appointed where processing is carried out by a public authority or body (except courts acting in their judicial capacity), where the organisation's core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale, or where its core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences. Member State law may require a DPO in further cases, and organisations may appoint one voluntarily.
How does the GDPR interact with other EU data protection laws?
The GDPR harmonises data protection law across the EU/EEA, replacing Directive 95/46/EC, but leaves Member States room to introduce or maintain more specific provisions in certain areas, such as processing in the employment context, the reconciliation of data protection with freedom of expression and information, and processing by public authorities for tasks in the public interest. Activities falling outside the scope of Union law, such as national security, are not governed by the GDPR at all.
What practical steps should organisations take to comply with the GDPR?
Organisations should map data flows, review and update privacy policies, ensure contracts with processors are GDPR-compliant, implement technical and organisational measures for data security, and train staff on data protection responsibilities.
Key Terms
- Personal Data
- Any information relating to an identified or identifiable natural person (data subject), such as names, identification numbers, location data, or online identifiers.
- Controller
- The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data.
- Processor
- A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
- Data Subject
- The individual whose personal data is processed under the GDPR.
- Data Protection Officer (DPO)
- A designated individual responsible for overseeing data protection strategy and compliance within an organisation, required in certain cases under the GDPR.
- Data Protection Impact Assessment (DPIA)
- A process to assess and mitigate the risks to individuals' rights and freedoms arising from high-risk personal data processing activities.
- Lawful Basis
- A valid legal ground for processing personal data, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Supervisory Authority
- An independent public authority established by an EU/EEA Member State to monitor and enforce compliance with the GDPR.
- One-Stop-Shop Mechanism
- A system allowing organisations engaged in cross-border processing to interact primarily with a single lead supervisory authority within the EU/EEA.
- Standard Contractual Clauses (SCCs)
- Model contractual terms adopted by the European Commission (or adopted by a supervisory authority and approved by the Commission) that, when incorporated into a contract, provide appropriate safeguards for international transfers of personal data outside the EU/EEA.