# GDPR — Regulation (EU) 2016/679 **Primary source:** EUR-Lex — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 **Official citation:** Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). **In force:** May 25, 2018. Directly applicable in all EU Member States — no national transposition required. --- ## Scope GDPR applies to any organisation that: - Processes personal data of individuals who are in the EU, OR - Offers goods or services to EU residents, OR - Monitors EU residents' behaviour It applies regardless of where the organisation is established. A US company selling to EU customers must comply. **Personal data** includes any information that can identify a natural person: names, email addresses, IP addresses, location data, cookies, biometric data. --- ## Key Obligations ### Lawful Basis (Article 6) Every processing activity needs a lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent must be freely given, specific, informed, and unambiguous. ### Privacy Notices (Articles 13–14) Individuals must be informed about what data is collected, why, how long it is kept, who it is shared with, and what their rights are. ### Data Subject Rights (Articles 15–22) - Right to access, rectification, erasure ("right to be forgotten") - Right to data portability - Right to object to processing - Rights related to automated decision-making ### Records of Processing Activities — ROPA (Article 30) Organisations with 250+ employees (or processing that carries risk) must maintain written records of all processing activities. ### Data Protection Officer — DPO (Articles 37–39) Required for: public authorities, organisations carrying out large-scale systematic monitoring, or processing of special categories of data at scale. ### Data Breach Notification (Articles 33–34) Personal data breaches must be reported to the supervisory authority within **72 hours**. Individuals must be notified if the breach is likely to result in high risk. ### Data Protection Impact Assessment — DPIA (Article 35) Required before high-risk processing: large-scale profiling, systematic monitoring of publicly accessible areas, processing of special categories at scale. ### International Transfers (Chapter V) Personal data can only be transferred to third countries with: an adequacy decision (Article 45), appropriate safeguards such as Standard Contractual Clauses (Article 46), or binding corporate rules (Article 47). **Schrems II (ECJ C-311/18):** Invalidated Privacy Shield. US-based transfers require a Transfer Impact Assessment. The EU-US Data Privacy Framework (2023) provides a new adequacy mechanism but does not neutralise CLOUD Act law enforcement access. --- ## Maximum Penalties (Article 83) - €20,000,000 or 4% of global annual turnover — most severe violations (data transfers, consent, core principles) - €10,000,000 or 2% of global annual turnover — other violations (breach notification, DPIA, DPO obligations) --- ## Supervisory Authorities Each EU Member State has a national Data Protection Authority (DPA). Examples: - CNIL (France) — https://www.cnil.fr - BfDI (Germany) — https://www.bfdi.bund.de - ICO (Ireland) — https://www.dataprotection.ie - AEPD (Spain) — https://www.aepd.es The European Data Protection Board (EDPB) issues binding decisions and guidance: https://edpb.europa.eu --- ## Canonical Pages (EuroComply) - Full guide: https://eurocomply.app/regulations/gdpr - SME compliance guide: https://eurocomply.app/gdpr-compliance-sme - GDPR checker tool: https://eurocomply.app/tools/regulation-checker --- Last updated: 2026-05-12