EuroComply
Sign up

General Data Protection Regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's data protection law, in force since 25 May 2018. It governs the processing of personal data of people located in the EU, applies regardless of where the controller or processor is based, and is enforced by national Data Protection Authorities. Maximum administrative fines: €20 million or 4% of global annual turnover, whichever is higher (Article 83).

Free GDPR Fine Risk Calculator

What does GDPR require and when does it apply?

GDPR applies to All sectors processing EU personal data organisations across all EU member states. The key deadline is In force since May 25, 2018. Non-compliance carries a maximum penalty of €20M or 4% of global turnover. Core obligations include maintain records of processing activities (ropa) and conduct data protection impact assessments.

  • Maintain records of processing activities (ROPA)
  • Conduct Data Protection Impact Assessments
  • Appoint a Data Protection Officer (if required)
  • Implement data subject rights procedures
  • Report breaches within 72 hours
DeadlineIn force since May 25, 2018
Max fine€20M or 4% of global turnover
Primary sectorsAll sectors processing EU personal data
Source: Official Journal of the EU — General Data Protection RegulationReviewed:
TL;DR

GDPR: €20M or 4% of global turnover max fine

GDPR applies to All sectors processing EU personal data organisations in all EU member states. Key deadline: In force since May 25, 2018.

Source: Official Journal of the European Union — General Data Protection Regulation

Who does GDPR apply to?

GDPR applies to any organisation — public or private, EU-based or not — that processes the personal data of individuals located in the EU, either by offering them goods or services or by monitoring their behaviour.

  • Controllers and processors established in the EU, irrespective of where the processing occurs
  • Non-EU controllers and processors offering goods or services to people in the EU
  • Non-EU controllers and processors monitoring the behaviour of people in the EU
  • All sectors — there is no industry carve-out
Source: Regulation (EU) 2016/679 — EUR-Lex Official Journal — Article 3 (Territorial scope)Reviewed:

What are the penalties for GDPR non-compliance?

Two penalty tiers apply. The lower tier covers procedural breaches (records, DPO designation, data-breach notification). The upper tier covers breaches of core data-subject rights and the lawful-basis principles.

Maximum fine€20 million or 4% of global annual turnover, whichever is higher
Source: Regulation (EU) 2016/679 — EUR-Lex Official Journal — Article 83 (General conditions for imposing administrative fines)Reviewed:

When does GDPR apply?

GDPR has applied in full across all EU member states since 25 May 2018. Subsequent national implementing acts (e.g. Germany's BDSG, France's loi Informatique et Libertés revision) add country-specific rules on top of the regulation itself.

  • 2016-05-24 — Entry into force
  • 2018-05-25 — Direct applicability across all EU member states
Source: Regulation (EU) 2016/679 — EUR-Lex Official Journal — Article 99 (Entry into force and application)Reviewed:

How to build a GDPR Record of Processing Activities (ROPA)

Article 30 of the GDPR requires controllers and processors with 250+ employees (or processing high-risk or special-category data) to maintain a written record of their processing activities. These are the steps the regulation prescribes.

  1. 1

    Inventory processing activities

    List every distinct purpose for which the organisation processes personal data (HR, marketing, customer support, analytics, etc.).

  2. 2

    Document required fields per activity

    For each activity, record: controller name and contact, processing purposes, categories of data subjects and personal data, recipients, international transfers and safeguards, retention period, and a general description of security measures.

  3. 3

    Identify the lawful basis

    Tag each activity with the Article 6 lawful basis (consent, contract, legal obligation, vital interest, public task, legitimate interest) and — if special-category data — an Article 9 condition.

  4. 4

    Maintain in writing and on request

    Keep the record in writing, including electronic form, and make it available to the supervisory authority on request.

  5. 5

    Review on change

    Update the record whenever processing purposes, recipients, retention periods, or technical measures change materially.

€2.92 billion

Cumulative GDPR fines reported by national Data Protection Authorities since 25 May 2018, according to enforcement trackers compiled from official DPA decisions.

EUR-Lex + national DPA decision registers (publicly aggregated)

Deadline

In force since May 25, 2018

Max Fine

€20M or 4% of global turnover

Sectors Affected

All sectors processing EU personal data

€2.92 billion

Cumulative GDPR fines reported by national Data Protection Authorities since 25 May 2018, according to enforcement trackers compiled from official DPA decisions.

EUR-Lex + national DPA decision registers (publicly aggregated)

Key regulatory facts: General Data Protection Regulation
Official nameRegulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Reg. No.(EU) 2016/679
CELEX32016R0679
Typeregulation
In force2016-05-24
Applies from2018-05-25
Max fine€20 million or 4% of global annual turnover, whichever is higher
Authorities
National Data Protection Authorities (member-state)
European Data Protection Board (EDPB) (EU)
European Data Protection Supervisor (EU)for EU institutions
Source(EU) 2016/679 — EUR-Lex Official Journal

How do I comply with GDPR?

  • Maintain records of processing activities (ROPA)
  • Conduct Data Protection Impact Assessments
  • Appoint a Data Protection Officer (if required)
  • Implement data subject rights procedures
  • Report breaches within 72 hours

Does GDPR apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

GDPR by Country

🇩🇪

Germany

🇫🇷

France

🇳🇱

Netherlands

🇪🇸

Spain

🇮🇹

Italy

🇦🇹

Austria

🇧🇪

Belgium

🇵🇱

Poland

🇸🇪

Sweden

🇮🇪

Ireland

🇵🇹

Portugal

🇩🇰

Denmark

🇫🇮

Finland

🇨🇿

Czech Republic

🇷🇴

Romania

🇭🇺

Hungary

🇸🇰

Slovakia

🇧🇬

Bulgaria

🇭🇷

Croatia

🇬🇷

Greece

🇱🇺

Luxembourg

🇪🇪

Estonia

🇱🇻

Latvia

🇱🇹

Lithuania

🇸🇮

Slovenia

🇲🇹

Malta

Explore GDPR in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

GDPR by Industry

💻

SaaS & Software

💳

Fintech & Financial Services

🏥

Healthcare & MedTech

🏭

Manufacturing & Industry

🛒

E-commerce & Retail

🎓

EdTech & Education

🚚

Logistics & Transport

Energy & Utilities

📡

Telecoms & Media

👥

HR & Recruitment

⚖️

Legal & Professional Services

🏛️

Public Sector & NGOs

GDPR by Role

Non-EU Companies

GDPR applies to organisations established outside the EU whenever they offer goods or services to people in the EU, or monitor the behaviour of people in the EU. Article 27 requires most non-EU controllers to designate, in writing, a representative established in the Union — a frequently overlooked obligation.

Related Regulations

AI Act

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

eIDAS 2.0

eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.

Explore GDPR in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific GDPR guidance for SaaS, fintech, healthcare, and other affected industries.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which GDPR obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which GDPR obligations apply to your organisation in under 2 minutes.

Run EU Compliance Checker

Recent GDPR Articles

EDPB/EDPS: Clinical Trials—Health Data Safeguards Required

8 Jun 2026

Ex machina : financial stability in the age of artificial intelligence

8 Jun 2026

Screening credibility : artificial Intelligence, evidence and fair asylum procedures in EU law

8 Jun 2026

Frequently Asked Questions

What are the GDPR Article 32 technical measures for a SaaS company in Frankfurt?
GDPR Article 32 requires SaaS companies to implement technical measures proportionate to risk: encryption of personal data in transit (TLS 1.2+) and at rest; pseudonymisation of production datasets; regular automated backups with tested restore procedures; access control with least-privilege principles and audit logs; and a documented incident response procedure with 72-hour breach notification capacity. For a Frankfurt-hosted SaaS, using an EU-first infrastructure stack — EU LLM, EU database, EU-hosted data — directly reduces Article 32 exposure.
What GDPR compliance software works for EU startups?
EU startups need GDPR software covering data mapping (ROPA under Article 30), DPIA automation (Article 35), processor agreement tracking (Article 28), and breach notification workflows (Articles 33–34). EuroComply is free for up to one system, EU-hosted in Frankfurt, and adds AI Act and NIS2 coverage in one platform. Iubenda (Italian company) covers cookie consent and policy generation from €27.99/yr. For startups that have grown to more than 50 employees, DataGuard (Munich) provides a managed service.
What are GDPR fines for SMEs in 2025?
Under GDPR Article 83, fines fall into two tiers. Less severe infringements carry a maximum of €10M or 2% of global annual turnover, whichever is higher. More severe infringements — core principles, data subject rights, international transfers — carry a maximum of €20M or 4% of global annual turnover. The EDPB's 2023 guidelines clarify that supervisory authorities must account for the organisation's size. Germany (BfDI) and the Netherlands (AP) are the most active enforcement jurisdictions for SME fines.
What is a DPIA under GDPR?
A Data Protection Impact Assessment (DPIA) is a mandatory pre-deployment risk assessment under GDPR Article 35. It is required when processing is likely to result in a high risk to individual rights — large-scale profiling, processing biometric or health data, or systematic monitoring of public areas. A DPIA must describe the processing, assess necessity and proportionality, identify risks and mitigation measures, and record the outcome. Failing to complete a required DPIA is an Article 35 infringement carrying fines of up to €10M or 2% of global turnover.
How do I generate an EU-compliant privacy policy?
An EU-compliant privacy policy under GDPR Articles 13–14 must disclose: controller identity and contact details; DPO contact if applicable; lawful basis for each processing activity; data categories collected; recipients and cross-border transfers; retention periods; and data subject rights. It must be written in clear, plain language. Automated generators can produce a compliant base document — iubenda (Italian company, from €27.99/yr) and EuroComply both cover GDPR Articles 13–14 policy generation. Legal counsel should review anything involving sensitive data or complex transfer chains.
How do I set up a GDPR-compliant cookie consent banner?
A GDPR-compliant cookie consent banner must require active opt-in (pre-ticked boxes are unlawful); allow granular consent by category (functional, analytics, marketing); present options without dark patterns; link to the privacy policy; and record consent with a timestamp and version number. Cookiebot (EU-sovereign, from €9/month) and Usercentrics (EU-sovereign, from €60/month) are the leading EU CMPs meeting EDPB guidelines. Both are operated by Usercentrics GmbH (Munich, Germany) — not subject to the US CLOUD Act.
What is a GDPR processor agreement template?
A GDPR Data Processing Agreement (DPA) under Article 28 must bind the processor to: process personal data only on documented controller instructions; maintain confidentiality; implement Article 32 security measures; assist with data subject rights requests; delete or return data on contract termination; and make available all information necessary to demonstrate compliance. Standard Contractual Clauses (Module 2 or 3) are required for transfers to countries without an adequacy decision. EuroComply provides a standard DPA template under its editorial framework.

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last verified: · Source: EUR-Lex 32016R0679 · Editorial policy