General Data Protection Regulation (GDPR)
Stands for: General Data Protection Regulation
The EU regulation governing personal data processing, in force since 25 May 2018, with extraterritorial reach over any controller or processor handling EU residents' data.
Definition
The **General Data Protection Regulation (GDPR)** is Regulation (EU) 2016/679, applicable from 25 May 2018. It replaced the 1995 Data Protection Directive and harmonised data-protection law across the European Economic Area. Its territorial scope under Article 3 is famously broad: GDPR applies to any controller or processor established in the EU, and to any non-EU controller or processor that offers goods or services to EU data subjects or monitors their behaviour in the EU.

The regulation rests on six lawful bases for processing under Article 6 plus stricter conditions for special-category data under Article 9, and on six core principles in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. Accountability is the seventh, overarching principle: controllers must be able to demonstrate compliance, not just claim it.

Enforcement is delegated to national supervisory authorities (the ICO in the UK, the CNIL in France, the BfDI in Germany, the Garante in Italy), coordinated through the European Data Protection Board (EDPB). Maximum administrative fines reach 20 million EUR or 4 percent of total worldwide annual turnover, whichever is higher.
When you'll encounter it
You will encounter GDPR as soon as you process the personal data of anyone in the EU or EEA, regardless of where your company is incorporated. Typical touchpoints are the website privacy notice, cookie consent banner, processor agreements with vendors, Records of Processing Activities, Data Protection Impact Assessments for high-risk processing, and breach notifications to the supervisory authority within 72 hours.
Used in our guides
- Turkey Business Laws and Compliance: What Every Foreign Investor Must Know
- UK Business Laws and Compliance: Companies House Filing Guide
- UK Data Protection and GDPR: Compliance Guide for Businesses
- UAE Data Protection Law (PDPL): Compliance Guide for Businesses
- Germany Business Laws and Compliance: Essential Guide
FAQ
Does GDPR apply to non-EU companies?
Yes, when the company offers goods or services to people in the EU or monitors their behaviour in the EU. The test is the location of the data subject, not the company. A US SaaS with EU customers is in scope and typically must designate an Article 27 EU Representative.
What are the six lawful bases for processing?
Consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Each has specific conditions, and consent has the strictest requirements: freely given, specific, informed, unambiguous, and withdrawable at any time without detriment.
When must a Data Protection Officer be appointed?
Under Article 37, a DPO is mandatory when the controller is a public authority, when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities involve large-scale processing of special-category or criminal-conviction data. Outside those triggers, designation is voluntary but the same protections apply if appointed.
References
- Regulation (EU) 2016/679 (GDPR), Official Journal of the European Union https://eur-lex.europa.eu/eli/reg/2016/679/oj
- European Data Protection Board (EDPB) Guidelines https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en
- UK Information Commissioner's Office GDPR Guide https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/