Complete guide to the General Data Protection Regulation — 7 principles, legal bases for processing, data subject rights, DPO requirements, 72-hour breach notification, and fines up to €20M or 4% of global annual turnover.
Extraterritorial scope — applies globally. GDPR applies to any organization that processes personal data of EU/EEA residents, regardless of where the organization is based. U.S. companies serving EU customers are subject to GDPR. Article 3(2) explicitly covers non-EU controllers targeting EU data subjects. (GDPR Art. 3)
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation of the European Union on data protection and privacy. It became enforceable on May 25, 2018, replacing Directive 95/46/EC. GDPR is one of the toughest data protection laws in the world. (EUR-Lex)
The regulation applies to the processing of personal data — any information relating to an identified or identifiable natural person (a "data subject"). GDPR distinguishes between data controllers (determine the purpose and means of processing) and data processors (process data on behalf of controllers).
All processing of personal data must comply with Article 5's seven principles. Failure to demonstrate compliance with these principles is a Tier 2 violation. (GDPR Article 5)
Every processing activity must be based on at least one of the six lawful bases. Consent is not the only option — and is often not the most appropriate one. (GDPR Article 6)
| Basis | When Applicable | Key Considerations |
|---|---|---|
| Consent (Art 6(1)(a)) | Data subject has freely given specific, informed, unambiguous consent | Must be withdrawable; no bundled consent; records required |
| Contract (Art 6(1)(b)) | Processing necessary to perform a contract with the data subject, or pre-contractual steps | Must be genuinely necessary; cannot rely on this for additional purposes |
| Legal Obligation (Art 6(1)(c)) | Processing required by EU or Member State law | Must identify the specific legal obligation in your privacy notice |
| Vital Interests (Art 6(1)(d)) | Processing necessary to protect someone's life (last resort) | Only when data subject is incapable of giving consent |
| Public Task (Art 6(1)(e)) | Processing necessary for a public task or official authority | Primarily for public authorities; some public interest bodies |
| Legitimate Interests (Art 6(1)(f)) | Processing necessary for legitimate interests of controller/third party, not overridden by data subject's interests | Must conduct and document a balancing test (LIA); cannot use for public authorities |
GDPR grants eight enforceable rights to data subjects. Organizations must facilitate these rights within one month of receiving a valid request (extendable by two months for complex requests). (GDPR Articles 12–22)
Article 37 mandates a DPO for three categories of organizations. Even where not mandatory, appointing a DPO voluntarily is a recognized best practice. (GDPR Article 37)
The DPO must be independent, have expert knowledge of data protection law, and cannot be dismissed or penalized for performing their tasks. Organizations with a DPO must publish DPO contact details and communicate them to supervisory authorities.
A personal data breach that risks the rights and freedoms of individuals must be reported to the supervisory authority within 72 hours of becoming aware. (GDPR Article 33)
| Tier | Violations | Maximum Fine |
|---|---|---|
| Tier 1 | Violations of controller/processor obligations (Arts 8, 11, 25–39, 42, 43), supervisory authority orders (Art 58(2)) | €10,000,000 or 2% of total worldwide annual turnover — whichever is higher |
| Tier 2 | Violations of the basic principles for processing (Arts 5, 6, 7, 9), data subject rights (Arts 12–22), international transfer rules (Arts 44–49), national law requirements | €20,000,000 or 4% of total worldwide annual turnover — whichever is higher |
| Company | Fine | Authority | Year | Violation |
|---|---|---|---|---|
| Meta (Facebook) | €1.2B | DPC (Ireland) | 2023 | Unlawful transfer of EU user data to U.S. without adequate safeguards |
| Amazon | €746M | CNPD (Luxembourg) | 2021 | Advertising targeting system violated GDPR consent rules |
| Instagram (Meta) | €405M | DPC (Ireland) | 2022 | Children's data published publicly; inadequate privacy defaults |
| WhatsApp (Meta) | €225M | DPC (Ireland) | 2021 | Transparency failures in data processing information |
| Google LLC | €60M | CNIL (France) | 2021 | Cookie rejection mechanism inadequate (3 clicks vs 1 for acceptance) |
Source: CMS Law GDPR Enforcement Tracker (enforcementtracker.com)
Transferring personal data to countries outside the EU/EEA requires an appropriate safeguard unless the destination country has received an adequacy decision. (GDPR Chapter V)
| Mechanism | Description | Notes |
|---|---|---|
| Adequacy decision (Art 45) | EC declares recipient country has "essentially equivalent" protection | UK, Switzerland, Japan, Canada, Israel, South Korea among others; U.S. Data Privacy Framework (July 2023) |
| Standard Contractual Clauses (Art 46(2)(c)) | EC-approved contract templates (SCCs) between data exporters and importers | 2021 SCCs replaced old versions; Transfer Impact Assessment (TIA) recommended post-Schrems II |
| Binding Corporate Rules (Art 47) | Internal policies for intra-group transfers, approved by lead supervisory authority | Suitable for multinational groups; time-intensive to obtain |
| Derogations (Art 49) | Specific situations: explicit consent, contract performance, vital interests, public interest, legal claims | Cannot be used for systematic/repetitive transfers; last resort |
GDPR enforcement updates, regulatory changes, and compliance guides — free weekly.
Market pulse, stock spotlights, and actionable frameworks — delivered every week.
No spam · Unsubscribe anytime · View all issues →