What Is GDPR? A Complete Guide for Businesses
GDPR (Regulation 2016/679) is the EU's data protection law. This guide covers the 6 lawful bases, data subject rights, ROPA, DPO, DPIA, and Article 83 fines — with practical guidance for SMEs.
The General Data Protection Regulation (Regulation 2016/679) is the European Union's foundational data protection law. It entered into force on 25 May 2018, replacing the 1995 Data Protection Directive, and applies to any organisation that processes personal data of individuals located in the EU — regardless of where that organisation is headquartered.
This guide covers the key obligations every business needs to understand: lawful bases, data subject rights, record-keeping, specialist roles, impact assessments, breach notification, international transfers, and enforcement fines.
What Is GDPR?
GDPR establishes rules for how organisations collect, store, use, and share personal data. Personal data means any information that can identify a living individual — names, email addresses, IP addresses, device identifiers, location data, health records, and much more.
The regulation has extraterritorial scope under Article 3. It applies to:
- Any organisation established in the EU, regardless of where processing takes place
- Any organisation outside the EU that offers goods or services to EU residents, or that monitors the behaviour of EU residents (e.g. through cookies, analytics, profiling)
A US SaaS company with European customers, a Singapore retailer shipping to Germany, and a Brazilian recruiter screening EU candidates — all are subject to GDPR.
The two roles under GDPR are:
- Controller (Art. 4(7)) — determines the purposes and means of processing. Bears primary compliance responsibility.
- Processor (Art. 4(8)) — processes data on behalf of a controller. Must act under a Data Processing Agreement (Art. 28).
The Six Lawful Bases (Article 6)
Every act of processing personal data must rest on one of six lawful bases. There is no hierarchy — the right basis depends on the context and purpose of processing.
| Basis | Description | Typical Use Case |
|-------|-------------|------------------|
| Consent (Art. 6(1)(a)) | Freely given, specific, informed, unambiguous indication of agreement | Marketing emails, optional cookies |
| Contract (Art. 6(1)(b)) | Processing necessary to perform a contract with the data subject | Processing an order, delivering a service |
| Legal obligation (Art. 6(1)(c)) | Processing required to comply with EU or Member State law | Tax records, employment law obligations |
| Vital interests (Art. 6(1)(d)) | Processing necessary to protect life | Medical emergencies |
| Public task (Art. 6(1)(e)) | Processing in the exercise of official authority | Government functions, public bodies |
| Legitimate interests (Art. 6(1)(f)) | Processing necessary for legitimate interests, not overridden by data subject rights | Fraud prevention, network security, B2B marketing |
Consent requires a positive opt-in. Pre-ticked boxes, bundled consent, and consent as a condition of service do not satisfy Article 6(1)(a). Legitimate interests (Art. 6(1)(f)) requires a three-part test: identify the legitimate interest, demonstrate necessity, and balance it against the data subject's rights and freedoms.
Data Subject Rights (Articles 15–22)
GDPR grants individuals eight enforceable rights against controllers. Each right has specific conditions, exemptions, and response timeframes (generally one calendar month, extendable by two months for complex cases under Art. 12(3)).
| Right | Article | What It Means |
|-------|---------|---------------|
| Access | Art. 15 | Right to obtain confirmation of processing and a copy of personal data held |
| Rectification | Art. 16 | Right to correct inaccurate or incomplete data |
| Erasure ("right to be forgotten") | Art. 17 | Right to deletion where processing was unlawful, consent withdrawn, or data no longer necessary |
| Restriction | Art. 18 | Right to pause processing while accuracy or lawfulness is contested |
| Portability | Art. 20 | Right to receive data in a structured, machine-readable format (applies to consent and contract bases only) |
| Objection | Art. 21 | Right to object to processing based on legitimate interests or for direct marketing (absolute right for marketing) |
| Not to be subject to automated decisions | Art. 22 | Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
| Withdraw consent | Art. 7(3) | Right to withdraw consent at any time without detriment |
Organisations must provide a mechanism for data subjects to exercise these rights and must not charge a fee for standard requests (Art. 12(5)).
Key Compliance Obligations
Records of Processing Activities — ROPA (Article 30)
Controllers must maintain a written record of all processing activities. The ROPA must include:
- Name and contact details of the controller (and DPO if applicable)
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients, including third-country transfers
- Retention periods (or criteria used to determine them)
- General description of technical and organisational security measures
The ROPA exemption for organisations with fewer than 250 employees (Art. 30(5)) is narrow — it does not apply where processing is not occasional, involves special categories of data (Art. 9), or could result in a risk to rights and freedoms. Most businesses cannot rely on it.
Data Protection Officer — DPO (Articles 37–39)
Appointing a DPO is mandatory for:
- Public authorities and bodies (Art. 37(1)(a))
- Controllers or processors whose core activities require large-scale, regular and systematic monitoring of data subjects (Art. 37(1)(b)) — e.g. adtech, tracking platforms
- Controllers or processors whose core activities involve large-scale processing of special categories of data (Art. 37(1)(c)) — health data, biometrics, criminal records
Businesses that do not meet these thresholds may appoint a DPO voluntarily. The DPO must have expert knowledge of data protection law (Art. 37(5)), cannot be dismissed or penalised for performing their role (Art. 38(3)), and must report to the highest management level (Art. 38(3)).
Data Protection Impact Assessment — DPIA (Article 35)
A DPIA is required before commencing any processing that is "likely to result in a high risk to the rights and freedoms of natural persons." The GDPR specifies three categories requiring a DPIA:
- Systematic and extensive automated profiling with significant effects
- Large-scale processing of special categories of data (Art. 9) or criminal conviction data (Art. 10)
- Systematic monitoring of publicly accessible areas on a large scale
Supervisory authorities publish lists of processing operations requiring a DPIA (Art. 35(4)). A DPIA must include a description of the processing, an assessment of necessity and proportionality, the risks identified, and the measures envisaged to address those risks (Art. 35(7)).
Where the DPIA reveals a high residual risk, the controller must consult the supervisory authority before proceeding (Art. 36).
Breach Notification (Articles 33–34)
Article 33 — Personal data breaches must be notified to the competent supervisory authority within 72 hours of the controller becoming aware, unless the breach is unlikely to result in a risk to individuals. If notification is made after 72 hours, the reasons for the delay must be explained.
Article 34 — Where a breach is likely to result in a high risk to individuals, those individuals must be notified without undue delay in clear and plain language.
Processors must notify their controller without undue delay on becoming aware of a breach (Art. 33(2)).
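The Article 33/34 decision described above, expressed as a small Python helper an incident-response team could attach to a case record. This is an added example, not part of the original guide; the risk ratings "unlikely", "risk" and "high" are assumed labels for the controller's own assessment, and timestamps are assumed to be timezone-aware UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Art. 33(1): notify the supervisory authority within 72 hours of awareness.
ART33_WINDOW = timedelta(hours=72)
RISK_LEVELS = ("unlikely", "risk", "high")  # assumed labels, not GDPR terms


@dataclass
class BreachAssessment:
    notify_authority: bool        # Art. 33(1): unless unlikely to result in a risk
    authority_deadline: datetime  # 72 h after the controller became aware
    notify_individuals: bool      # Art. 34(1): only where high risk is likely
    late: bool                    # Art. 33(1): reasons for delay must be documented
    hours_remaining: float        # negative once the 72-hour window has passed


def assess_breach(aware_at: datetime, risk: str, now: datetime) -> BreachAssessment:
    """Apply the Art. 33/34 notification rules to one breach.

    aware_at: when the controller became aware (starts the 72-hour clock).
    risk:     controller's rating of the risk to individuals.
    now:      current time, passed in so the decision is reproducible.
    """
    if risk not in RISK_LEVELS:
        raise ValueError(f"risk must be one of {RISK_LEVELS}")
    if aware_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps so the deadline is unambiguous")
    deadline = aware_at + ART33_WINDOW
    remaining = (deadline - now).total_seconds() / 3600
    authority = risk != "unlikely"
    return BreachAssessment(
        notify_authority=authority,
        authority_deadline=deadline,
        notify_individuals=risk == "high",
        late=authority and now > deadline,
        hours_remaining=round(remaining, 1),
    )


if __name__ == "__main__":
    # Constructed sample incident: aware on 3 March 2025 09:00 UTC, assessed 10 h later.
    aware = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    result = assess_breach(aware, "high", aware + timedelta(hours=10))
    print(result)
```

For a processor, the same awareness timestamp is what starts the controller's clock, so the processor's own notification to the controller should be recorded with it.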
Privacy by Design and Default (Article 25)
Controllers must implement appropriate technical and organisational measures — both at the time of designing the processing and at the time of processing itself — to give effect to data protection principles and integrate necessary safeguards. Data minimisation (collecting only what is necessary) and purpose limitation (not using data beyond the original purpose) are the core obligations here.
International Data Transfers (Chapter V)
Transferring personal data outside the European Economic Area (EEA) is restricted. A transfer may only take place where one of the following mechanisms applies:
- Adequacy decision (Art. 45) — The European Commission has assessed the destination country's data protection as equivalent. Current adequacy decisions cover: UK, Switzerland, Japan, South Korea, Israel, New Zealand, Canada (commercial organisations), and the EU-US Data Privacy Framework (DPF, adopted July 2023 following the Schrems II Court of Justice judgment that invalidated Privacy Shield).
- Standard Contractual Clauses — SCCs (Art. 46(2)(c)) — Model contract clauses adopted by the European Commission, providing appropriate safeguards. The 2021 SCCs replaced the legacy 2001/2004/2010 versions. Post-Schrems II, controllers must conduct a Transfer Impact Assessment (TIA) before relying on SCCs to verify that the destination country's law does not impair the SCCs' effectiveness.
- Binding Corporate Rules — BCRs (Art. 47) — Approved intra-group transfer mechanisms for multinationals. Require supervisory authority approval.
- Derogations (Art. 49) — Used sparingly: explicit consent, contract performance, public interest, legal claims, vital interests.
The Schrems II judgment (C-311/18, July 2020) remains the controlling case law. The EU-US DPF addresses many of its concerns, but its durability under a future legal challenge is not guaranteed. Organisations relying on US transfers should maintain SCC + TIA documentation as a fallback.
Fines (Article 83)
GDPR has a two-tier fine structure. Fines are assessed against whichever is higher — the absolute figure or the percentage of global annual turnover.
| Tier | Violations | Maximum Fine |
|------|------------|--------------|
| Article 83(4) — Lower tier | Art. 8, 11 (children's consent), Arts. 25–39 (DPO, DPIA, ROPA, Privacy by Design), Arts. 42–43 (certification), Arts. 41–44 (supervisory authority cooperation) | €10,000,000 or 2% of global annual turnover |
| Article 83(5) — Upper tier | Arts. 5–7, 9 (basic principles, lawful basis, special categories), Arts. 12–22 (data subject rights), Arts. 44–49 (international transfers), any obligation under Member State law adopted pursuant to Chapter IX | €20,000,000 or 4% of global annual turnover |
The EU supervisory authorities have demonstrated willingness to impose significant fines. Meta was fined €1.2 billion by the Irish DPC in May 2023 for unlawful EU-US data transfers. Amazon received a €746 million fine from Luxembourg's CNPD in 2021. TikTok was fined €345 million by Ireland's DPC in 2023 for failures in children's data processing.
Practical Checklist for SMEs
GDPR compliance is not a one-time project — it is an ongoing programme. For SMEs new to GDPR, the following five steps establish the foundation:
- Map your data flows. Identify every category of personal data you collect, where it comes from, what you do with it, who you share it with, and how long you retain it. This is the basis for your ROPA.
- Establish lawful bases. For each processing activity, document the lawful basis. Update your privacy notice to reflect this accurately and in plain language (Art. 13–14).
- Review consent mechanisms. Ensure marketing consent is opt-in, specific, and recorded. Audit cookie banners — pre-checked boxes and legitimate interest for advertising cookies are non-compliant in most EU jurisdictions.
- Assess third-party processors. For every vendor or SaaS tool handling personal data on your behalf, ensure a compliant DPA is in place (Art. 28). For any US-based processors, complete a TIA and ensure SCCs are signed (or verify DPF certification).
- Implement a breach response procedure. Designate who is responsible for breach identification, internal escalation, supervisory authority notification, and individual notification. Run a tabletop exercise.
For organisations that process health data, criminal records, biometric data, or conduct large-scale profiling, add DPIA obligations and consider whether a DPO is required.
Last updated: April 2026. For informational purposes only — not legal advice.
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.