European General Data Protection Regulation: Full Guide
A complete guide to the European General Data Protection Regulation (GDPR), covering principles, rights, compliance steps, and penalties.
The European General Data Protection Regulation is the most influential data protection law in the world. Formally known as Regulation (EU) 2016/679, the GDPR establishes strict rules for how organisations collect, process, and protect the personal data of individuals within the European Economic Area (EEA).
This guide covers the scope, principles, individual rights, compliance obligations, and enforcement mechanisms of the European General Data Protection Regulation. This content is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is the European General Data Protection Regulation?
The European General Data Protection Regulation is a binding legal framework adopted by the European Parliament and Council on 27 April 2016. It replaced the earlier Data Protection Directive (95/46/EC) and took full effect on 25 May 2018.
Unlike a directive, which requires each EU member state to pass its own implementing legislation, the GDPR is a regulation. It applies directly and uniformly across all 27 EU member states plus Iceland, Liechtenstein, and Norway (the EEA countries). This eliminates the patchwork of national data protection laws that existed under the previous directive.
The GDPR defines personal data broadly under Article 4(1) as "any information relating to an identified or identifiable natural person." This includes:
- Direct identifiers such as names, email addresses, and identification numbers
- Indirect identifiers such as IP addresses, cookie identifiers, and device fingerprints
- Sensitive data (special categories under Article 9) including racial or ethnic origin, health data, biometric data, political opinions, and sexual orientation
The regulation applies to two types of entities: controllers (who determine the purposes and means of processing) and processors (who process data on behalf of controllers). Both carry compliance obligations, though controllers bear the primary responsibility for lawful processing.
Territorial Scope of the European General Data Protection Regulation
One of the GDPR's most significant features is its extraterritorial reach. Article 3 establishes three scenarios in which the regulation applies.
Establishment in the EEA
The GDPR applies to any organisation with an establishment in the EEA, regardless of whether the data processing itself occurs within the EEA. An "establishment" includes a subsidiary, branch, or any stable arrangement through which activities are carried out.
Offering goods or services to EEA residents
Even without an EEA establishment, the GDPR applies if an organisation offers goods or services to individuals in the EEA. Indicators include using an EU language (other than English), accepting payment in euros, mentioning EU customers, or offering delivery to EEA countries.
Monitoring behaviour of EEA residents
The GDPR applies to organisations that monitor the behaviour of individuals in the EEA. This includes website tracking through cookies, behavioural advertising, geo-location tracking, and online profiling. If your website uses analytics tools or advertising pixels that track visitors from EEA countries, this provision likely applies to you.
This extraterritorial scope means that businesses in the United States, Asia, South America, or anywhere else must comply if they process data of EEA individuals in the ways described above.
Core Principles of the European General Data Protection Regulation
Article 5 of the GDPR establishes seven principles that form the foundation of all data processing activities. Every compliance decision should trace back to these principles.
Lawfulness, fairness, and transparency
Personal data must be processed lawfully under one of six legal bases defined in Article 6, fairly (without using data in ways that would be unexpected or detrimental), and transparently (with clear information provided to data subjects about how their data is used).
Purpose limitation
Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Article 5(1)(b) allows further processing for archiving in the public interest, scientific or historical research, and statistical purposes under certain safeguards.
Data minimisation
Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose should be collected. Collecting data "just in case" violates this principle.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Organisations must take reasonable steps to erase or rectify inaccurate data without delay (Article 5(1)(d)).
Storage limitation
Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing. This requires establishing and enforcing data retention schedules.
Integrity and confidentiality
Appropriate technical and organisational measures must protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. This is the security principle of the GDPR.
Accountability
Under Article 5(2), the controller must be able to demonstrate compliance with all of the above principles. This means maintaining documentation, conducting audits, and being able to prove compliance to supervisory authorities.
Lawful Bases for Processing Under the GDPR
Article 6 of the European General Data Protection Regulation defines six lawful bases for processing personal data. Every processing activity must rely on at least one.
- Consent (Article 6(1)(a)). The data subject has given clear, affirmative consent to processing for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent (Recital 32).
- Contract (Article 6(1)(b)). Processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request prior to entering a contract.
- Legal obligation (Article 6(1)(c)). Processing is necessary for compliance with a legal obligation to which the controller is subject, such as tax reporting or employment law requirements.
- Vital interests (Article 6(1)(d)). Processing is necessary to protect the vital interests of the data subject or another natural person. This basis is narrow and typically applies only in life-or-death situations.
- Public task (Article 6(1)(e)). Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests (Article 6(1)(f)). Processing is necessary for the legitimate interests of the controller or a third party, provided those interests do not override the fundamental rights and freedoms of the data subject. This basis requires a Legitimate Interest Assessment (LIA) and is not available to public authorities.
Choosing the correct basis matters because it affects data subject rights. For example, the right to data portability only applies when the basis is consent or contract, and the right to object specifically applies to processing based on legitimate interests or public task.
Data Subject Rights Under the GDPR
Chapter III of the GDPR grants individuals eight core rights. Organisations must respond to rights requests within one month, extendable by two additional months for complex or numerous requests (Article 12(3)).
Right to be informed (Articles 13 and 14)
Individuals must receive clear, concise information about how their data is processed at the point of collection. This information is typically provided through a privacy notice or privacy policy. Your privacy policy must include the identity of the controller, purposes of processing, legal basis, retention periods, and details of any international transfers.
Right of access (Article 15)
Individuals can request confirmation of whether their data is being processed and, if so, access to the data along with supplementary information about the processing.
Right to rectification (Article 16)
Individuals can request correction of inaccurate personal data and completion of incomplete data.
Right to erasure (Article 17)
Also known as the "right to be forgotten," this allows individuals to request deletion of their personal data in certain circumstances, including when data is no longer necessary for its original purpose, when consent is withdrawn, or when data has been unlawfully processed.
Right to restrict processing (Article 18)
Individuals can request that processing be restricted (data stored but not used) while accuracy is contested, while an objection is being verified, or when processing is unlawful but the individual prefers restriction over erasure.
Right to data portability (Article 20)
Individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. This right applies only when processing is based on consent or contract and is carried out by automated means.
Right to object (Article 21)
Individuals can object to processing based on legitimate interests or public task. For direct marketing, the right to object is absolute and must be honoured without exception.
Rights related to automated decision-making (Article 22)
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. Exceptions exist for contractual necessity, legal authorisation, and explicit consent, but safeguards must be in place.
Compliance Requirements for the European General Data Protection Regulation
Meeting GDPR requirements goes beyond updating a privacy policy. Organisations need processes, documentation, and technical measures across multiple areas.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowPrivacy notices and policies
Articles 13 and 14 require detailed privacy information to be provided to data subjects. This includes the controller's identity and contact details, purposes and legal bases for processing, categories of recipients, details of international transfers, retention periods, and information about data subject rights. A privacy policy generator can help create a compliant privacy notice, but you should review the output with legal counsel to ensure it reflects your actual processing activities.
Data Protection Impact Assessments (DPIAs)
Article 35 requires a DPIA before processing that is likely to result in a high risk to individuals' rights and freedoms. This includes large-scale processing of special categories of data, systematic monitoring of public areas, and automated decision-making with legal or significant effects. The DPIA must describe the processing, assess necessity and proportionality, identify risks, and define mitigation measures.
Records of processing activities (ROPA)
Article 30 requires controllers and processors to maintain written records of their processing activities. Controllers must document purposes, categories of data subjects and data, recipients, international transfers, retention periods, and security measures. Organisations with fewer than 250 employees are exempt only if their processing is occasional, does not include special categories of data, and is unlikely to result in a risk to individuals.
Data Protection Officers (DPOs)
Article 37 requires appointment of a DPO when the organisation is a public authority, when core activities involve regular and systematic monitoring of individuals at scale, or when core activities involve large-scale processing of special categories of data. The DPO must be independent, report to the highest level of management, and have adequate resources.
International data transfers
Chapter V of the GDPR restricts transfers of personal data outside the EEA to countries that do not provide an adequate level of data protection. Valid transfer mechanisms include:
- Adequacy decisions (Article 45) where the European Commission has determined a country provides adequate protection
- Standard Contractual Clauses (SCCs) (Article 46(2)(c)) adopted by the Commission
- Binding Corporate Rules (BCRs) (Article 47) for intra-group transfers
- Derogations (Article 49) for specific situations such as explicit consent or contractual necessity
The EU-US Data Privacy Framework, adopted in July 2023, provides an adequacy mechanism for US companies that self-certify under the framework.
Breach notification
Article 33 requires controllers to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Article 34 requires notification to affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
Cookie consent
While cookie consent is technically governed by the ePrivacy Directive (2002/58/EC) rather than the GDPR directly, the two laws work together. Consent for non-essential cookies must meet the GDPR's standard of freely given, specific, informed, and unambiguous consent. A compliant cookie banner must allow users to accept, reject, or customise cookie preferences before non-essential cookies are placed. Tools like TermsBox provide a cookie consent banner that helps meet these requirements alongside a compliant cookie policy.
Enforcement and Penalties Under the GDPR
The European General Data Protection Regulation is enforced by independent supervisory authorities in each EEA country, coordinated through the European Data Protection Board (EDPB).
Administrative fines
The GDPR imposes two tiers of fines under Article 83:
- Lower tier (Article 83(4)). Up to 10 million EUR or 2% of worldwide annual turnover, whichever is greater. Applies to violations related to obligations of controllers and processors, certification bodies, and monitoring bodies.
- Higher tier (Article 83(5)). Up to 20 million EUR or 4% of worldwide annual turnover, whichever is greater. Applies to violations of the basic principles of processing, conditions for consent, data subject rights, and rules on international transfers.
Notable enforcement actions
Supervisory authorities have imposed substantial fines since 2018:
- Meta (Facebook). The Irish Data Protection Commission (DPC) fined Meta 1.2 billion EUR in May 2023 for unlawful transfers of EU personal data to the United States.
- Amazon. Luxembourg's CNPD fined Amazon 746 million EUR in July 2021 for processing personal data in violation of the GDPR's transparency and consent requirements.
- Google. France's CNIL fined Google 150 million EUR in December 2021 for making it difficult for users to refuse cookies compared to accepting them.
- H&M. Hamburg's supervisory authority fined H&M 35.3 million EUR in October 2020 for extensive surveillance of employees, including recording details about their personal lives.
These enforcement actions demonstrate that supervisory authorities are willing to impose fines at the upper end of the statutory range for serious violations.
Factors affecting fines
Article 83(2) lists criteria that supervisory authorities consider when determining fines:
- Nature, gravity, and duration of the infringement
- Intentional or negligent character
- Actions taken to mitigate damage
- Degree of responsibility and previous infringements
- Degree of cooperation with the supervisory authority
- Categories of personal data affected
- How the supervisory authority became aware of the infringement
Practical Steps to Achieve GDPR Compliance
Compliance with the European General Data Protection Regulation is an ongoing process, not a one-time project. Here is a structured approach.
Step 1: Map your data
Identify what personal data you collect, where it comes from, how it flows through your systems, who has access, and where it is stored. This data map forms the basis of your ROPA and informs every other compliance decision.
Step 2: Establish lawful bases
For each processing activity identified in your data map, determine which of the six lawful bases applies. Document your reasoning, especially for legitimate interests (which requires a formal LIA).
Step 3: Update your privacy notices
Ensure your privacy policy meets the requirements of Articles 13 and 14. Use a privacy policy generator as a starting point, then customise it to reflect your specific processing activities.
Step 4: Implement consent mechanisms
Where consent is your lawful basis, ensure it meets the GDPR's requirements. This includes cookie consent banners, marketing opt-ins, and any other consent collection points. Consent must be as easy to withdraw as it is to give (Article 7(3)).
Step 5: Build rights request workflows
Create processes to handle data subject requests within the one-month deadline. This includes identity verification procedures, data retrieval and export capabilities, deletion workflows, and response templates.
Step 6: Secure personal data
Implement appropriate technical and organisational measures as required by Article 32. These may include encryption of data at rest and in transit, access controls and authentication, regular security testing, and staff training.
Step 7: Document everything
The accountability principle requires evidence of compliance. Maintain your ROPA, DPIAs, breach logs, consent records, and policy version histories. Supervisory authorities expect documentation, not just verbal assurances.
Frequently Asked Questions
What is the European General Data Protection Regulation?
The European General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679, a comprehensive data protection law that governs how organisations collect, process, store, and share personal data of individuals in the European Economic Area. It took effect on 25 May 2018 and applies to any organisation worldwide that processes EU residents' data.
Does the GDPR apply to businesses outside the EU?
Yes. Under Article 3, the GDPR applies to any organisation that offers goods or services to individuals in the EEA, or that monitors the behaviour of individuals in the EEA, regardless of where the organisation is established. A company in the United States or Asia that serves EU customers must comply.
What are the penalties for GDPR non-compliance?
The GDPR imposes two tiers of administrative fines. The higher tier is up to 20 million EUR or 4% of global annual turnover, whichever is greater, for violations of core processing principles and data subject rights. The lower tier is up to 10 million EUR or 2% of global annual turnover for violations related to controllers, processors, and certification bodies.
What rights do individuals have under the GDPR?
Individuals have eight core rights: the right to be informed, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling.