GDPR
What does GDPR stand for?
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It sets a global standard for protecting the privacy rights of individuals and has influenced privacy legislation worldwide since it took effect on May 25, 2018. The GDPR applies to any organization, regardless of where it is established, that processes the personal data of individuals in the EU or European Economic Area (EEA), or that offers goods or services to, or monitors the behavior of, people in those jurisdictions (Article 3). Failure to comply can result in administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83).
Enforcement is substantial and sustained. According to the DLA Piper GDPR Fines and Data Breach Survey (January 2026), European supervisory authorities issued approximately €1.2 billion in fines during 2025, bringing the cumulative total since 2018 to €7.1 billion. Daily breach notifications reached an average of 443 per day, a 22% increase over the prior year and the first time since 2018 that the average exceeded 400.
Legal Context
The GDPR replaced the 1995 EU Data Protection Directive (Directive 95/46/EC), which had governed data protection across EU member states for over two decades but was not directly applicable law. By enacting the GDPR as a regulation rather than a directive, the EU created a single, directly applicable legal framework across all member states, eliminating the patchwork of national implementing laws that had characterized the earlier regime.
The GDPR draws on the right to respect for private life under Article 8 of the European Convention on Human Rights (1950) and the right to the protection of personal data under Article 8 of the EU Charter of Fundamental Rights. However, the GDPR is not an extension of the ECHR. It is a standalone regulation rooted in Article 16 of the Treaty on the Functioning of the European Union, which grants every person the right to the protection of their personal data and empowers the European Parliament and Council to legislate on this subject.
The GDPR is complemented by the ePrivacy Directive (Directive 2002/58/EC), a specialized EU law governing the confidentiality of electronic communications, the use of cookies and similar tracking technologies, and direct marketing. The ePrivacy Directive requires prior consent for most uses of cookies and tracking technologies, and the GDPR's consent standards (freely given, specific, informed, and unambiguous, per Article 7) apply to that consent.
Personal Data and Special Categories
The GDPR's scope depends on its definitions of personal data and special categories of personal data.
"Personal data" means any information relating to an identified or identifiable natural person (Article 4(1)). A person is "identifiable" if they can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. This definition is intentionally broad. It covers traditional identifiers like names and addresses, but also IP addresses, cookie identifiers, device fingerprints, and pseudonymized data where re-identification is possible.
"Special categories of personal data" are defined in Article 9 and subject to heightened protection. These categories are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation. Processing special category data is prohibited by default unless one of the specific exceptions in Article 9(2) applies, such as explicit consent or substantial public interest.
Note that precise geolocation, financial data, and government identifiers are not special categories under the GDPR, though they are classified as sensitive personal information under the CCPA/CPRA and several other U.S. state privacy laws. Organizations operating across jurisdictions should be aware of these definitional differences.
GDPR Principles
The GDPR's compliance requirements are grounded in seven foundational principles set out in Article 5:
- Lawfulness, fairness, and transparency: processing must have a valid legal basis (one of the six lawful bases in Article 6), must be conducted fairly, and must be transparent to the data subject.
- Purpose limitation: personal data may only be collected for specified, explicit, and legitimate purposes, and may not be further processed in a manner incompatible with those purposes.
- Data minimization: the data collected must be adequate, relevant, and limited to what is necessary for the stated purposes.
- Accuracy: personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
- Storage limitation: personal data may only be retained in a form that permits identification of individuals for no longer than is necessary for the purposes of processing.
- Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures (Article 32).
- Accountability: the controller is responsible for, and must be able to demonstrate, compliance with all of the above principles. The GDPR requires demonstrable compliance, not merely asserted compliance.
Lawful Bases for Processing
Article 6 specifies six lawful bases for processing personal data. A controller must identify and document at least one lawful basis before any processing begins:
- Consent of the data subject.
- Necessity for the performance of a contract.
- Compliance with a legal obligation.
- Protection of vital interests.
- Performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests pursued by the controller or a third party, except where overridden by the interests, rights, or freedoms of the data subject.
The choice of lawful basis has practical consequences. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent. The legitimate interests basis requires a documented balancing test against the data subject's interests, rights, and freedoms. The lawful basis relied on also determines which data subject rights are available (for example, portability applies only to processing based on consent or contract).
Rights of the Data Subject
The GDPR grants individuals a set of enforceable rights, expanded and strengthened from the 1995 Directive:
- Right to be informed (Articles 13–14): individuals must receive clear, concise information about how their data is collected and used, at the time of collection (Article 13) or within a reasonable period if data is obtained from other sources (Article 14).
- Right of access (Article 15): individuals can obtain confirmation of whether their data is being processed, access to that data, and supplementary information including purposes, categories, recipients, retention periods, and the existence of automated decision-making.
- Right to rectification (Article 16): individuals can require correction of inaccurate personal data and completion of incomplete data.
- Right to erasure (Article 17): also known as the "right to be forgotten," individuals can request deletion of their personal data in specified circumstances, including where the data is no longer necessary for its original purpose or where consent has been withdrawn.
- Right to restriction of processing (Article 18): individuals can request that processing be restricted in certain circumstances, such as when accuracy is contested.
- Right to data portability (Article 20): individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
- Right to object (Article 21): individuals can object to processing based on legitimate interests or public interest grounds, and the controller must cease processing unless it demonstrates compelling legitimate grounds that override the individual's interests.
- Rights related to automated decision-making (Article 22): individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects, except in limited circumstances. Where such decisions are permitted, individuals have the right to obtain human intervention, express their point of view, and contest the decision.
Individuals may not be discriminated against for exercising their rights. Organizations must respond to data subject requests (DSRs) without undue delay and within one month, with a possible extension of two additional months for complex requests (Article 12).
Key Organizational Obligations
Beyond the principles and data subject rights, the GDPR imposes several structural compliance obligations:
- Data Protection Impact Assessments (Article 35): required before processing that is likely to result in a high risk to individuals' rights and freedoms, including systematic and extensive profiling, large-scale processing of special categories, and large-scale systematic monitoring of publicly accessible areas.
- Data Protection Officers (Articles 37–39): mandatory for public authorities and for organizations whose core activities involve regular and systematic monitoring of individuals at scale, or large-scale processing of special category data.
- Records of processing activities (Article 30): controllers and processors must maintain written records of their processing activities, including purposes, data categories, recipients, transfers, and retention periods.
- Data breach notification (Articles 33–34): controllers must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the controller must also notify the affected individuals without undue delay.
- International data transfers (Chapter V, Articles 44–49): personal data may only be transferred to countries outside the EU/EEA that provide an adequate level of protection (as determined by an EU adequacy decision), or where appropriate safeguards are in place (such as Standard Contractual Clauses or Binding Corporate Rules), or where a specific derogation applies.
- Data processing agreements (Article 28): controllers must have written contracts with any processors that handle personal data on their behalf, specifying the subject matter and duration of processing, the nature and purpose, the types of personal data, and the obligations of the processor.
- Data protection by design and by default (Article 25): controllers must implement appropriate technical and organizational measures both at the time of determining the means for processing and at the time of processing itself, to ensure that data protection principles are effectively implemented.
Enforcement and Supervision
Each EU/EEA member state has an independent supervisory authority responsible for monitoring and enforcing the GDPR within its jurisdiction. The European Data Protection Board (EDPB) coordinates between national authorities and issues guidelines, recommendations, and opinions on the interpretation of the GDPR.
The GDPR's two-tier penalty structure under Article 83 provides for:
- Fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for infringements of obligations relating to controllers and processors, certification bodies, and monitoring bodies.
- Fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for infringements of the basic principles of processing, data subject rights, conditions for consent, and international transfer provisions.
Resources
- Article 5 – Principles
- Article 6 – Lawful Bases
- Article 9 – Special Categories
- Articles 13–22 – Data Subject Rights
- Article 25 – Data Protection by Design
- Article 28 – Processors
- Article 30 – Records
- Article 32 – Security
- Articles 33–34 – Breach Notification
- Article 35 – DPIAs
- European Data Protection Board
- DLA Piper GDPR Fines and Data Breach Survey (January 2026)