Regulation 2016/679: Complete Guide to the GDPR
Learn what Regulation 2016/679 is, what it requires, and how to comply. Covers the official GDPR text, key articles, rights, penalties, and practical steps.
Regulation 2016/679 is the official legislative number of the General Data Protection Regulation, commonly known as the GDPR. If you have encountered the reference "2016/679" or "679 2016" in a legal document, a privacy policy, or a data processing agreement, it points to the single most important data protection law affecting websites and online businesses worldwide.
This guide explains what Regulation 2016/679 contains, who it applies to, what it requires, and how to comply. The information here is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your organization.
What Is Regulation 2016/679?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the GDPR, is a comprehensive data protection law that applies directly across all EU and EEA member states. The regulation was published in the Official Journal of the European Union on May 4, 2016, and became enforceable on May 25, 2018, after a two-year transition period.
The number "2016/679" follows the standard EU legislative numbering system. The "2016" refers to the year of adoption, and "679" is the sequential number assigned to this particular regulation that year. You may see it cited as "Regulation (EU) 2016/679," "EU Reg. 679/2016," or simply "679 2016" in shorthand references.
Regulation 2016/679 replaced the earlier Data Protection Directive 95/46/EC. Unlike its predecessor, which was a directive requiring each member state to pass its own implementing legislation, Regulation 2016/679 is directly applicable. This means the same rules apply uniformly in all 27 EU member states plus Iceland, Liechtenstein, and Norway through the EEA Agreement, though some articles permit limited national derogations.
Structure of the regulation
The full text of Regulation 2016/679 comprises 173 recitals and 99 articles organized into 11 chapters:
- Chapter I (Articles 1 to 4): General provisions, including scope, definitions, and territorial application
- Chapter II (Articles 5 to 11): Principles of data processing and conditions for lawful processing
- Chapter III (Articles 12 to 23): Rights of data subjects
- Chapter IV (Articles 24 to 43): Obligations of controllers and processors
- Chapter V (Articles 44 to 50): Rules on international data transfers
- Chapter VI (Articles 51 to 59): Independent supervisory authorities
- Chapter VII (Articles 60 to 76): Cooperation and consistency mechanisms
- Chapter VIII (Articles 77 to 84): Remedies, liability, and penalties
- Chapter IX (Articles 85 to 91): Provisions for specific processing situations
- Chapter X (Articles 92 to 93): Delegated and implementing acts
- Chapter XI (Articles 94 to 99): Final provisions, including repeal and entry into force
The recitals are not legally binding on their own but provide essential interpretive context. Supervisory authorities and courts frequently reference recitals when clarifying the meaning and intent of specific articles.
Who Must Comply with Regulation 2016/679
Article 3 of Regulation 2016/679 defines the territorial scope. The regulation applies far beyond Europe's borders, and this extraterritorial reach is one of its defining characteristics.
Organizations established in the EU
If your organization has any establishment in the EU, such as an office, subsidiary, branch, or even a single employee, you must comply with Regulation 2016/679 when processing personal data in the context of that establishment's activities. The actual data processing does not need to occur within the EU.
Organizations targeting EU residents
Even without an EU establishment, Regulation 2016/679 applies if your organization:
- Offers goods or services to individuals in the EU, whether paid or free. Indicators include operating a website in an EU language (other than English alone), accepting payments in EUR, or referencing EU customers in marketing materials.
- Monitors behavior of individuals within the EU. This includes website analytics, cookie-based tracking, behavioral advertising, location tracking, and profiling activities.
No size exemption for applicability
Regulation 2016/679 does not exempt organizations based on size or revenue. A sole proprietor running a blog with Google Analytics from outside Europe is technically subject to the same regulation as a multinational corporation. Certain obligations, such as appointing a Data Protection Officer under Article 37, apply only when specific conditions are met, but the regulation itself applies to any organization handling EU personal data.
Core Principles of Regulation 2016/679
Article 5 establishes seven principles that serve as the foundation for every obligation in the regulation. Understanding these principles is essential because supervisory authorities evaluate compliance against them when investigating complaints or conducting audits.
- Lawfulness, fairness, and transparency (Article 5(1)(a)): Processing must have a valid legal basis, must not be deceptive, and must be transparent to data subjects.
- Purpose limitation (Article 5(1)(b)): Personal data must be collected for specified, explicit, and legitimate purposes. You cannot repurpose data for unrelated activities without a compatible legal basis.
- Data minimization (Article 5(1)(c)): Collect only data that is adequate, relevant, and limited to what is necessary for the stated purpose.
- Accuracy (Article 5(1)(d)): Keep personal data accurate and up to date. Take reasonable steps to correct or delete inaccurate records without delay.
- Storage limitation (Article 5(1)(e)): Retain personal data only as long as necessary for the processing purpose. Define and document retention periods.
- Integrity and confidentiality (Article 5(1)(f)): Implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction.
- Accountability (Article 5(2)): The data controller must be able to demonstrate compliance with all of the above principles. This shifts the burden of proof onto the organization processing the data.
The accountability principle is particularly significant. It is not enough to be compliant; you must be able to prove it through documentation, policies, impact assessments, and records of processing activities.
Lawful Bases for Processing Under Regulation 2016/679
Article 6 of Regulation 2016/679 lists six lawful bases for processing personal data. Every processing activity must rely on at least one of these bases, and the chosen basis must be identified and documented before processing begins.
The six lawful bases
- Consent (Article 6(1)(a)): The data subject has given clear, affirmative consent to the processing for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or silence do not qualify.
- Contractual necessity (Article 6(1)(b)): Processing is necessary for performing a contract with the data subject or for taking pre-contractual steps at their request.
- Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation to which the controller is subject, such as tax reporting or employment law requirements.
- Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life. This basis is narrow and rarely applicable to website operations.
- Public interest (Article 6(1)(e)): Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the data subject's rights and freedoms. This requires a documented balancing test.
Choosing the right basis
For most websites, the relevant bases are consent (for cookies and marketing), contractual necessity (for processing orders or providing services), legal obligation (for invoicing and tax records), and legitimate interests (for fraud prevention and basic analytics). Using the wrong basis, or failing to document one, is itself a violation of Regulation 2016/679.
A privacy policy generator can help you create the required disclosures about your lawful bases, but you must first determine which basis applies to each processing activity.
Rights of Data Subjects Under Regulation 2016/679
Chapter III of Regulation 2016/679 (Articles 12 through 23) establishes a comprehensive set of rights for individuals whose data is processed. These rights are enforceable, and organizations must respond to requests within one month under Article 12(3).
Right of access (Article 15)
Data subjects can request confirmation of whether their personal data is being processed and, if so, obtain a copy of that data along with information about the purposes, categories, recipients, retention periods, and the existence of automated decision-making.
Right to rectification (Article 16)
Individuals can request correction of inaccurate personal data without undue delay.
Right to erasure (Article 17)
Often called the "right to be forgotten," this allows individuals to request deletion of their personal data under specific circumstances, including when the data is no longer necessary for its original purpose, when consent is withdrawn, or when the data was unlawfully processed. This right is not absolute; organizations may retain data required by legal obligations.
Right to restriction of processing (Article 18)
Data subjects can request that processing be limited rather than fully stopped, for example when accuracy is contested or when the data subject needs the data for legal claims.
Right to data portability (Article 20)
Individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Article 21)
Data subjects can object to processing based on legitimate interests or public interest grounds. For direct marketing, the right to object is absolute with no balancing test required.
Automated decision-making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. Exceptions exist for contractual necessity, legal authorization, or explicit consent.
Organizations must establish documented procedures for handling these requests. Failure to respond within the required timeframe, or providing an inadequate response, is a violation that data subjects can report to their national supervisory authority.
Penalties and Enforcement of Regulation 2016/679
Article 83 of Regulation 2016/679 establishes a two-tier system of administrative fines that has made the GDPR one of the most consequential privacy regulations in the world.
Fine structure
Lower tier (Article 83(4)): Fines of up to 10 million EUR, or up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. This tier applies to violations of obligations relating to controllers and processors (Articles 8, 11, 25 to 39, and 42 to 43), including failures in:
- Data protection by design and by default
- Record-keeping obligations
- Data breach notification
- Data protection impact assessments
- Data Protection Officer requirements
Upper tier (Article 83(5)): Fines of up to 20 million EUR, or up to 4% of total worldwide annual turnover, whichever is higher. This tier applies to violations of:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Basic processing principles and lawful bases (Articles 5, 6, 7, and 9)
- Data subject rights (Articles 12 to 22)
- International transfer rules (Articles 44 to 49)
- Non-compliance with supervisory authority orders
Enforcement in practice
Each EU member state has a national supervisory authority (Data Protection Authority, or DPA) responsible for enforcement. As of 2025, notable fines under Regulation 2016/679 include:
- Meta (Ireland): 1.2 billion EUR for unlawful data transfers to the United States (May 2023)
- Amazon (Luxembourg): 746 million EUR for behavioral advertising without valid consent (July 2021)
- WhatsApp (Ireland): 225 million EUR for transparency failures in privacy notices (September 2021)
- Google (France): 150 million EUR for non-compliant cookie consent mechanisms (December 2021)
These enforcement actions demonstrate that supervisory authorities focus on consent mechanisms, data transfer practices, and the clarity of privacy disclosures. Small and medium-sized businesses have also faced fines, though typically at lower amounts proportionate to their size and the nature of the violation.
How to Comply with Regulation 2016/679
Compliance with Regulation 2016/679 requires a structured approach. The following steps address the most common obligations for websites and online businesses.
Step 1: Map your data processing activities
Article 30 requires controllers to maintain a record of processing activities. Document every type of personal data you collect, the purpose, the lawful basis, retention periods, and any third parties who receive the data. This record is the foundation of your compliance program.
Step 2: Publish a compliant privacy policy
Articles 13 and 14 require you to provide specific information to data subjects at the time their data is collected. Your privacy policy must include:
- The identity and contact details of the data controller
- The purposes and lawful basis for each processing activity
- Categories of personal data processed
- Recipients or categories of recipients
- Data retention periods
- The data subject rights under Chapter III
- The right to lodge a complaint with a supervisory authority
- Information about automated decision-making, if applicable
- Details of international data transfers and the safeguards in place
A privacy policy generator can help you create a policy that covers these required disclosures, but you must verify that it accurately reflects your actual data practices.
Step 3: Implement cookie consent
Regulation 2016/679, in combination with the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), requires that you obtain informed, specific, and freely given consent before placing non-essential cookies on a visitor's device. This means:
- No pre-ticked consent checkboxes
- No cookie walls that force users to accept all cookies to access the site
- Granular options allowing users to accept or reject cookies by category
- A mechanism for withdrawing consent as easily as it was given
Tools like TermsBox provide a cookie consent banner that handles these requirements, collecting verifiable consent records and blocking non-essential cookies until consent is granted.
Step 4: Establish data subject request procedures
Create documented processes for receiving, verifying, and responding to data subject requests under Articles 15 through 22. You must respond within one month and may extend by two additional months for complex or numerous requests, provided you notify the data subject of the extension within the first month.
Step 5: Assess whether you need a Data Protection Officer
Article 37 requires a DPO if your core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data. Even if not legally required, appointing a privacy lead is a practical measure for organizations processing significant amounts of personal data.
Step 6: Review international data transfers
If you transfer personal data outside the EU/EEA (for example, by using cloud services hosted in the United States), Articles 44 through 49 require that you ensure adequate safeguards. Standard Contractual Clauses (SCCs) are the most common mechanism, but you must also conduct a Transfer Impact Assessment following the Schrems II ruling (CJEU Case C-311/18).
Regulation 2016/679 and Website Compliance
For website operators, compliance with Regulation 2016/679 involves specific, measurable actions. The regulation does not require perfection, but it does require demonstrable effort and documentation.
Privacy policy requirements
Your website must display a privacy policy that meets the transparency requirements of Articles 13 and 14. The policy must be written in clear, plain language. Burying critical disclosures in dense legal text does not satisfy the transparency principle.
Cookie compliance
Every cookie or similar tracking technology on your website needs to be identified, categorized, and disclosed. Non-essential cookies require prior consent. Your cookie policy generator output should list each cookie by name, purpose, provider, duration, and type.
Third-party services
If your website uses third-party services that process personal data (analytics, advertising, social media widgets, payment processors, customer support chat), you need a lawful basis for each data transfer. Where those services act as data processors on your behalf, Article 28 requires a written data processing agreement specifying the processor's obligations.
Breach notification
Articles 33 and 34 of Regulation 2016/679 require that you notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk, you must also notify the affected data subjects without undue delay.
Key Articles of Regulation 2016/679 Every Business Should Know
While the full text of Regulation 2016/679 spans 99 articles, certain provisions are referenced more frequently than others in compliance work and enforcement actions.
| Article | Subject | Why It Matters |
|---|---|---|
| Article 4 | Definitions | Defines "personal data," "processing," "controller," "processor," and "consent" |
| Article 5 | Principles | The seven foundational principles all processing must follow |
| Article 6 | Lawful bases | The six legal grounds for processing personal data |
| Article 7 | Conditions for consent | Requirements for valid consent, including proof and withdrawal |
| Article 13 | Information at collection | What you must tell data subjects when collecting their data directly |
| Article 15 | Right of access | Data subjects' right to obtain a copy of their data |
| Article 17 | Right to erasure | The "right to be forgotten" |
| Article 25 | Data protection by design | Obligation to build privacy into systems from the start |
| Article 28 | Processor obligations | Requirements for contracts with data processors |
| Article 30 | Records of processing | Obligation to maintain documented processing records |
| Article 33 | Breach notification | 72-hour notification requirement for data breaches |
| Article 83 | Fines | The two-tier penalty structure |
Understanding these articles by number will help you navigate data processing agreements, regulatory guidance documents, and supervisory authority decisions, all of which cite Regulation 2016/679 by article number.
Frequently Asked Questions
What is Regulation 2016/679?
Regulation 2016/679 is the official legislative reference for the General Data Protection Regulation (GDPR). It was adopted by the European Parliament and Council on April 27, 2016, and has been enforceable since May 25, 2018. The regulation governs how organizations collect, store, process, and share personal data of individuals in the EU and EEA.
Does Regulation 2016/679 apply outside the European Union?
Yes. Article 3 of Regulation 2016/679 gives the law extraterritorial scope. Any organization worldwide that offers goods or services to individuals in the EU, or monitors their online behavior within the EU, must comply regardless of where the organization is physically based.
What are the penalties under Regulation 2016/679?
Article 83 of Regulation 2016/679 establishes two tiers of administrative fines. Lower-tier violations carry fines of up to 10 million EUR or 2% of annual global turnover, whichever is higher. Upper-tier violations, such as processing data without a lawful basis or violating data subject rights, carry fines of up to 20 million EUR or 4% of annual global turnover.
What is the difference between Regulation 2016/679 and the GDPR?
There is no difference. Regulation 2016/679 is the GDPR. The full official title is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. GDPR is the commonly used abbreviation, while 2016/679 is the official legislative citation used in legal and regulatory documents.