EU Regulation 2016 679: What It Is and How to Comply
Learn what EU Regulation 2016 679 (the GDPR) requires, who it applies to, and how to achieve compliance. Covers key articles, rights, and penalties.
EU Regulation 2016 679 is the formal legislative citation for what most people know as the GDPR, the General Data Protection Regulation. If you have encountered the reference "EU Regulation 2016 679" in a contract, privacy policy, or data processing agreement, it refers to the single most consequential data protection law affecting businesses that operate online.
This guide explains what EU Regulation 2016 679 contains, who it applies to, what obligations it creates, and how to bring your website and business into compliance. The content here is educational and does not constitute legal advice. For guidance specific to your situation, consult a qualified data protection attorney.
What Is EU Regulation 2016 679?
EU Regulation 2016 679 is the full official number of the General Data Protection Regulation. Its complete title is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation was published in the Official Journal of the European Union on May 4, 2016, and became enforceable on May 25, 2018, following a two-year transition period.
The numbering follows the standard EU legislative system. "2016" refers to the year the regulation was adopted, and "679" is the sequential number assigned to it within that year. You may see it cited as "Regulation (EU) 2016/679," "EU Reg. 2016/679," or simply "GDPR" in everyday usage.
Unlike the earlier Data Protection Directive 95/46/EC, which required each member state to pass its own implementing legislation, EU Regulation 2016 679 is a regulation, meaning it applies directly and uniformly across all 27 EU member states. It also extends to Iceland, Liechtenstein, and Norway through the EEA Agreement. This direct applicability eliminated the patchwork of national data protection laws that previously made cross-border compliance difficult for businesses.
Structure of EU Regulation 2016 679
The regulation contains 173 recitals and 99 articles organized into 11 chapters:
- Chapter I (Articles 1 to 4): General provisions, including scope, territorial application, and definitions
- Chapter II (Articles 5 to 11): Principles relating to the processing of personal data
- Chapter III (Articles 12 to 23): Rights of data subjects
- Chapter IV (Articles 24 to 43): Obligations of data controllers and processors
- Chapter V (Articles 44 to 50): Transfers of personal data to third countries
- Chapter VI (Articles 51 to 59): Independent supervisory authorities
- Chapter VII (Articles 60 to 76): Cooperation and consistency mechanisms
- Chapter VIII (Articles 77 to 84): Remedies, liability, and penalties
- Chapter IX (Articles 85 to 91): Specific processing situations (journalism, employment, etc.)
- Chapter X (Articles 92 to 93): Delegated and implementing acts
- Chapter XI (Articles 94 to 99): Final provisions
The recitals, while not legally binding on their own, provide interpretive context that supervisory authorities and courts regularly reference when clarifying the meaning of specific articles.
Who Must Comply with EU Regulation 2016 679
One of the defining features of EU Regulation 2016 679 is its broad territorial scope, established in Article 3. The regulation reaches well beyond Europe's borders.
Organizations with an EU establishment
If your organization maintains any establishment in the EU, whether an office, subsidiary, branch, or even a single employee, EU Regulation 2016 679 applies to any processing of personal data carried out in the context of that establishment's activities. The data processing itself does not need to take place within the EU.
Organizations targeting EU individuals
Even without any physical presence in the EU, the regulation applies if your organization:
- Offers goods or services to individuals in the EU, whether paid or free. Indicators include operating a website in an EU language, accepting EUR as a payment currency, or running marketing campaigns directed at EU audiences.
- Monitors the behavior of individuals within the EU. This covers website analytics, cookie-based tracking, behavioral advertising, location tracking, and any form of online profiling.
No size exemption
EU Regulation 2016 679 does not exempt organizations based on headcount or revenue. A sole proprietor with a blog that uses Google Analytics is technically subject to the same regulation as a Fortune 500 company. Certain specific obligations, such as appointing a Data Protection Officer under Article 37, only apply when particular conditions are met, but the regulation's core requirements apply universally to anyone processing EU personal data.
Core Principles of EU Regulation 2016 679
Article 5 of EU Regulation 2016 679 establishes seven foundational principles that underpin every obligation in the regulation. Supervisory authorities evaluate compliance against these principles when investigating complaints, conducting audits, or assessing whether a fine is warranted.
The seven principles
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Individuals must understand what is happening with their data.
- Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.
- Data minimization: Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose may be collected.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
- Storage limitation: Data must be kept in a form that permits identification of individuals for no longer than is necessary for the processing purpose.
- Integrity and confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability: The data controller must be able to demonstrate compliance with all of the above principles. This is not a passive obligation; it requires documentation, policies, and processes.
The accountability principle, introduced by EU Regulation 2016 679 as a significant departure from the previous directive, means it is not enough to simply comply. You must be able to prove that you comply. This has practical implications: maintaining records of processing activities, conducting data protection impact assessments, and documenting your lawful basis for each category of data processing.
Lawful Bases for Processing Under EU Regulation 2016 679
Article 6 of EU Regulation 2016 679 specifies six lawful bases for processing personal data. You must identify and document at least one lawful basis before any processing begins. Processing without a valid lawful basis is an upper-tier violation carrying fines of up to 20 million EUR or 4% of global annual turnover.
The six lawful bases are:
- Consent (Article 6(1)(a)): The individual has given clear, affirmative consent for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not qualify.
- Contractual necessity (Article 6(1)(b)): Processing is necessary to perform a contract with the individual or to take steps at their request before entering a contract.
- Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation to which the controller is subject.
- Vital interests (Article 6(1)(d)): Processing is necessary to protect the vital interests of the individual or another person. This basis is generally limited to life-or-death situations.
- Public task (Article 6(1)(e)): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the individual's rights and freedoms. This requires a balancing test.
For most websites and online businesses, the relevant lawful bases are consent (for cookies and marketing), contractual necessity (for providing services), and legitimate interests (for analytics and fraud prevention). Choosing the correct lawful basis matters because it affects which rights are available to data subjects and what information must be included in your privacy policy.
Rights of Data Subjects Under EU Regulation 2016 679
Chapter III (Articles 12 through 23) of EU Regulation 2016 679 grants individuals a comprehensive set of rights over their personal data. These rights are not theoretical; data subjects can exercise them through formal requests, and your organization must respond within one month under Article 12(3).
The eight data subject rights
- Right to be informed (Articles 13 and 14): Individuals must be told who is collecting their data, why, on what lawful basis, how long it will be retained, and who it will be shared with. This information is typically provided through a privacy policy.
- Right of access (Article 15): Individuals can request confirmation of whether their personal data is being processed and, if so, obtain a copy of that data along with supplementary information about how it is used.
- Right to rectification (Article 16): Individuals can request correction of inaccurate personal data or completion of incomplete data.
- Right to erasure (Article 17): Also known as the "right to be forgotten," individuals can request deletion of their personal data under specific circumstances, such as when the data is no longer necessary for the original purpose or when they withdraw consent.
- Right to restrict processing (Article 18): Individuals can request that processing be limited, rather than data being deleted, in certain situations, including while the accuracy of data is being contested.
- Right to data portability (Article 20): Individuals can receive their personal data in a structured, commonly used, and machine-readable format and can transmit it to another controller.
- Right to object (Article 21): Individuals can object to processing based on legitimate interests or public task grounds. For direct marketing purposes, the right to object is absolute.
- Rights related to automated decision-making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on them.
Organizations must have processes in place to receive, verify, and respond to these requests. Failure to honor data subject rights is an upper-tier violation under Article 83(5).
Obligations for Websites Under EU Regulation 2016 679
For website operators, EU Regulation 2016 679 creates several concrete obligations that go beyond having a privacy policy. Compliance requires technical measures, organizational processes, and ongoing attention.
Privacy policy requirements
Articles 13 and 14 require that you provide specific information to individuals at the point of data collection. This information is typically presented in a privacy policy that must include:
- The identity and contact details of the data controller
- Contact details for the Data Protection Officer, if one has been appointed
- The purposes of processing and the lawful basis for each purpose
- The categories of personal data collected
- Any recipients or categories of recipients of the data
- Details of any international transfers, including safeguards
- Retention periods for each category of data
- A full description of all data subject rights
- The right to lodge a complaint with a supervisory authority
- Whether providing personal data is a statutory or contractual requirement
A privacy policy generator can help you create a document that covers these required disclosures, but you should review the output with a legal professional to ensure it accurately reflects your actual data processing activities.
Cookie consent
EU Regulation 2016 679 works alongside the ePrivacy Directive (Directive 2002/58/EC) to require consent before placing non-essential cookies on a user's device. Under the GDPR standard of consent established in Article 4(11) and elaborated in Recital 32, valid cookie consent must be:
- Freely given, without coercion or dark patterns
- Specific to each purpose
- Informed, with clear descriptions of what each cookie does
- An unambiguous, affirmative action (no pre-ticked checkboxes, no "browsing equals consent")
A cookie consent management platform (CMP) is the standard tool for collecting and documenting this consent. The CMP must allow users to accept, reject, and granularly choose between cookie categories, and it must record proof of consent.
Records of processing activities
Article 30 of EU Regulation 2016 679 requires organizations with 250 or more employees, or any organization that processes data that poses risks to individuals' rights, to maintain written records of processing activities. In practice, most supervisory authorities expect all organizations to maintain such records. The record must include the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a general description of technical and organizational security measures.
Data protection impact assessments
Article 35 requires a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to the rights and freedoms of individuals. Common triggers include large-scale processing of sensitive data, systematic monitoring of publicly accessible areas, and automated decision-making that produces legal effects.
Penalties and Enforcement Under EU Regulation 2016 679
Article 83 of EU Regulation 2016 679 establishes the penalty framework that gives the regulation its enforcement teeth. Supervisory authorities in each EU member state have the power to investigate, issue warnings, order corrective measures, and impose administrative fines.
Two-tier fine structure
EU Regulation 2016 679 uses a two-tier system for administrative fines:
- Lower tier (Article 83(4)): Fines of up to 10 million EUR or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers violations related to controllers and processors, certification bodies, and monitoring bodies.
- Upper tier (Article 83(5)): Fines of up to 20 million EUR or 4% of the total worldwide annual turnover, whichever is higher. This tier covers violations of the core processing principles (Article 5), lawful basis requirements (Article 6), consent conditions (Article 7), data subject rights (Articles 12 through 22), and international transfer rules (Articles 44 through 49).
Factors supervisory authorities consider
When determining the amount of a fine, Article 83(2) directs supervisory authorities to consider:
- The nature, gravity, and duration of the infringement
- Whether the infringement was intentional or negligent
- Actions taken to mitigate the damage
- The degree of responsibility, considering technical and organizational measures implemented
- Any relevant previous infringements
- The degree of cooperation with the supervisory authority
- The categories of personal data affected
- How the infringement came to the attention of the supervisory authority
Notable enforcement actions
Since EU Regulation 2016 679 became enforceable, supervisory authorities have issued billions of euros in fines collectively. Major enforcement actions have targeted technology companies, social media platforms, and telecommunications providers, but smaller businesses have also been fined for basic violations like operating without a valid privacy policy or failing to respond to data subject access requests.
How to Comply with EU Regulation 2016 679
Achieving compliance with EU Regulation 2016 679 is not a one-time project but an ongoing process. The following steps provide a practical starting point for website operators and online businesses.
Step 1: Audit your data processing
Map every instance where your website or business collects, stores, processes, or shares personal data. Document the categories of data, the purposes, the lawful basis, any third parties involved, and the retention periods. This audit forms the foundation of your Article 30 records of processing activities.
Step 2: Publish a compliant privacy policy
Draft a privacy policy that includes all of the disclosures required by Articles 13 and 14. Make it accessible from every page of your website, use clear and plain language, and keep it up to date whenever your processing activities change.
Step 3: Implement cookie consent
Deploy a cookie consent mechanism that meets GDPR standards. Non-essential cookies must not fire until the user provides affirmative consent. The mechanism should support granular category selection and record proof of consent. Tools like TermsBox provide a compliance scanner and cookie consent banner that can automate this process.
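The consent rules from the cookie consent section and Step 3, as an added JavaScript example that is not TermsBox's or any CMP's code: a DOM-free consent gate that keeps non-essential tags queued until an explicit per-category choice, records each decision as proof of consent, and refuses to carry consent over when the policy version changes. The policy version, the category names, and the banner wiring that would call grant() or rejectAll() are assumptions.

```javascript
// Added example (not TermsBox or any CMP's code); banner buttons are assumed UI code.
const POLICY_VERSION = "2024-01";                               // assumed policy version
const NON_ESSENTIAL = ["analytics", "marketing", "functional"]; // need consent
// "essential" cookies (session, CSRF token, the consent choice itself) need none.

function createConsentManager(opts = {}) {
  const now = opts.now || (() => new Date());
  const policyVersion = opts.policyVersion || POLICY_VERSION;
  let record = null;            // stored proof of consent, or null
  const pending = new Map();    // category -> loaders waiting for consent

  function isAllowed(category) {
    if (category === "essential") return true;
    // No record, or a record for an older policy text, is not valid consent:
    // the user must be asked again rather than silently carried over.
    if (!record || record.policyVersion !== policyVersion) return false;
    return record.granted.includes(category);
  }

  // Run queued loaders whose category is now permitted.
  function flush() {
    for (const [category, loaders] of pending) {
      if (!isAllowed(category)) continue;
      loaders.forEach((load) => load());
      pending.delete(category);
    }
  }

  // Persist a decision. Only an explicit `true` counts as consent; a missing
  // or pre-filled value is treated as a rejection (no pre-ticked boxes).
  function save(choices, method) {
    const granted = NON_ESSENTIAL.filter((c) => choices[c] === true);
    record = {
      policyVersion,
      timestamp: now().toISOString(),
      method,                              // which control the user used
      granted,
      rejected: NON_ESSENTIAL.filter((c) => !granted.includes(c)),
    };
    flush();
    return record;
  }

  return {
    isAllowed,
    getRecord: () => record,
    grant: (choices) => save(choices, "granular-choice"),
    acceptAll: () => save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), "accept-all"),
    rejectAll: () => save({}, "reject-all"),
    // Withdrawal blocks anything not yet loaded; scripts already running must be
    // handled by the page (e.g. a reload), since JS cannot unload them.
    withdraw: () => save({}, "withdraw"),
    // Reload a previously stored record (e.g. from the consent cookie). Returns
    // whether it is still usable for the current policy version.
    restore(saved) { record = saved; return !!saved && saved.policyVersion === policyVersion; },
    // Gate a third-party tag: run now if permitted, otherwise queue it. Scroll or
    // navigation handlers must never call grant(): browsing is not consent.
    runWhenAllowed(category, load) {
      if (isAllowed(category)) { load(); return true; }
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(load);
      return false;
    },
  };
}
```

The returned record (timestamp, policy version, method, granted and rejected categories) is what a CMP would persist and produce as proof of consent on request.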
Step 4: Establish data subject request procedures
Create an internal process for receiving, verifying, and responding to data subject requests within the one-month deadline set by Article 12(3). Designate a responsible person or team, document the workflow, and ensure you can handle requests for access, rectification, erasure, and portability.
Step 5: Review third-party processors
If you use third-party services that process personal data on your behalf (analytics providers, email marketing platforms, payment processors, hosting companies), Article 28 requires that you have a data processing agreement in place with each one. Review your vendor relationships and ensure appropriate contracts exist.
Step 6: Implement security measures
Article 32 requires appropriate technical and organizational measures to ensure a level of security appropriate to the risk. At minimum, this means HTTPS encryption for your website, secure storage of any personal data, access controls, and a process for detecting and reporting breaches within 72 hours as required by Article 33.
Step 7: Monitor and maintain compliance
EU Regulation 2016 679 compliance is not static. Regularly review your data processing activities, update your privacy policy and cookie policy whenever your processing changes, retrain staff, and stay informed about enforcement trends and regulatory guidance from supervisory authorities.
EU Regulation 2016 679 and International Data Transfers
Chapter V (Articles 44 through 50) of EU Regulation 2016 679 restricts the transfer of personal data to countries outside the EU and EEA unless adequate protections are in place. This is relevant for any website that uses services hosted in non-EU countries.
Adequacy decisions
The European Commission can determine that a third country provides an adequate level of data protection. As of 2026, countries with full adequacy decisions include Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay. The EU-U.S. Data Privacy Framework, adopted in July 2023, provides a mechanism for transfers to certified U.S. organizations.
Standard contractual clauses
In the absence of an adequacy decision, the most common transfer mechanism is the use of Standard Contractual Clauses (SCCs) adopted by the European Commission. Following the Schrems II ruling (Case C-311/18), organizations using SCCs must also conduct a transfer impact assessment to evaluate whether the laws of the receiving country provide equivalent protection.
Binding corporate rules
Multinational organizations can use Binding Corporate Rules (BCRs), approved by a supervisory authority, to authorize intra-group data transfers. BCRs are a more complex mechanism typically used by large enterprises.
Frequently Asked Questions
What is EU Regulation 2016 679?
EU Regulation 2016 679 is the official legislative reference for the General Data Protection Regulation (GDPR). Adopted on April 27, 2016, and enforceable since May 25, 2018, it is the primary data protection law governing how organizations collect, process, store, and share personal data of individuals in the European Union and European Economic Area.
Does EU Regulation 2016 679 apply to businesses outside Europe?
Yes. Article 3 of EU Regulation 2016 679 establishes extraterritorial scope. Any business worldwide that offers goods or services to individuals in the EU, or monitors their behavior within the EU, must comply regardless of where the business is physically located. This means a company in the United States or Asia can be subject to the regulation if it serves EU customers.
What are the fines for violating EU Regulation 2016 679?
Article 83 sets out two tiers of administrative fines. Lower-tier violations can result in fines of up to 10 million EUR or 2% of global annual turnover, whichever is higher. Upper-tier violations, including unlawful processing or violating data subject rights, carry fines of up to 20 million EUR or 4% of global annual turnover.
What rights does EU Regulation 2016 679 give to individuals?
EU Regulation 2016 679 grants eight core rights to data subjects: the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, the right not to be subject to automated decision-making, and the right to be informed about how personal data is collected and used.