TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR Data Protection Requirements: A Complete Guide
GDPR

GDPR Data Protection Requirements: A Complete Guide

Learn the key GDPR data protection requirements for businesses, including lawful bases, data subject rights, and penalties up to 20M EUR.

TermsBox Team|April 4, 202614 min read

GDPR data protection requirements define how organisations must handle personal data of individuals in the European Union and European Economic Area. Since the General Data Protection Regulation took effect on 25 May 2018, it has reshaped how businesses worldwide collect, store, process, and share personal information.

This guide breaks down the core GDPR data protection requirements that apply to businesses of all sizes. It is educational content, not legal advice. Consult a qualified attorney for guidance specific to your organisation and circumstances.

What the GDPR Data Protection Requirements Cover

The General Data Protection Regulation (Regulation (EU) 2016/679) is a comprehensive data protection law that applies to any organisation processing personal data of people located in the EU or EEA. It replaced the earlier Data Protection Directive 95/46/EC and introduced significantly stronger obligations and enforcement powers.

Personal data under the GDPR means any information relating to an identified or identifiable natural person. This covers the obvious categories such as names, email addresses, and phone numbers. It also includes IP addresses, cookie identifiers, location data, device fingerprints, genetic data, biometric data, and any combination of information that could be used to single out an individual.

The GDPR applies regardless of where the processing organisation is located. A company based in the United States, Canada, or Singapore must comply if it offers goods or services to EU residents or monitors their behaviour. Article 3 establishes this extraterritorial reach, and enforcement actions have confirmed that regulators take it seriously.

The Seven Principles of GDPR Data Protection

Article 5 of the GDPR sets out seven principles that form the foundation of every other requirement in the regulation. Every data processing activity must satisfy all seven.

  1. Lawfulness, fairness, and transparency: Processing must have a valid legal basis, must not be deceptive or harmful, and must be clearly communicated to data subjects.
  2. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes.
  3. Data minimisation: Only data that is adequate, relevant, and limited to what is necessary for the stated purpose may be collected.
  4. Accuracy: Personal data must be accurate and kept up to date. Reasonable steps must be taken to erase or rectify inaccurate data without delay.
  5. Storage limitation: Data must be kept in identifiable form only for as long as necessary for the processing purpose. After that, it must be deleted or anonymised.
  6. Integrity and confidentiality: Appropriate technical and organisational measures must protect personal data against unauthorised access, accidental loss, destruction, or damage.
  7. Accountability: The controller must be able to demonstrate compliance with all six principles above. This is not passive compliance but active documentation and proof.

The accountability principle under Article 5(2) deserves emphasis. It shifts the burden of proof to the organisation. Regulators do not need to prove you violated the GDPR. You need to prove that you complied.

Lawful Bases for Processing Personal Data

One of the most critical GDPR data protection requirements is establishing a lawful basis before processing any personal data. Article 6(1) provides six possible grounds.

Consent (Article 6(1)(a))

The data subject has given clear, affirmative agreement to processing for one or more specific purposes. GDPR consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not qualify. Silence or inactivity does not qualify. The controller must be able to prove consent was given and must allow it to be withdrawn as easily as it was given.

Contract (Article 6(1)(b))

Processing is necessary to perform a contract with the data subject or to take steps at their request before entering a contract. An online retailer processing a shipping address to deliver an order falls under this basis. However, the processing must be genuinely necessary for the contract, not merely convenient.

Legal obligation (Article 6(1)(c))

Processing is required to comply with a legal obligation to which the controller is subject. Tax record retention and anti-money laundering reporting are typical examples.

Vital interests (Article 6(1)(d))

Processing is necessary to protect someone's life. This basis applies in emergencies and is rarely relevant to routine business operations.

Public task (Article 6(1)(e))

Processing is necessary for performing a task in the public interest or in the exercise of official authority. This basis mainly applies to government bodies and organisations carrying out public functions.

Legitimate interests (Article 6(1)(f))

Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the rights and freedoms of the data subject. This is the most flexible basis but requires a documented balancing test (Legitimate Interests Assessment) comparing your interests against the impact on individuals.

Organisations must select and document their lawful basis before processing begins. Switching the lawful basis after the fact is generally not permitted. A well-drafted privacy policy should clearly state which lawful basis applies to each processing activity.

Data Subject Rights Under the GDPR

The GDPR grants individuals eight specific rights regarding their personal data. Organisations must have processes in place to respond to these requests within one month, as required by Article 12(3).

  • Right of access (Article 15): Individuals can request a copy of all personal data held about them, along with information about how it is being processed, the purposes, the categories of data, and the recipients.
  • Right to rectification (Article 16): Individuals can require correction of inaccurate personal data and completion of incomplete data.
  • Right to erasure (Article 17): Also known as the right to be forgotten, this allows individuals to request deletion of their personal data in specific circumstances, such as when the data is no longer necessary or consent is withdrawn.
  • Right to restriction (Article 18): Individuals can request that processing be limited in certain situations, such as while the accuracy of data is contested.
  • Right to data portability (Article 20): Individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Article 21): Individuals can object to processing based on legitimate interests or public interest grounds. For direct marketing, the right to object is absolute.
  • Rights related to automated decision-making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless specific exceptions apply.
  • Right to be informed (Articles 13 and 14): Individuals must receive clear information about data processing at the point of collection or within a reasonable period if data is obtained indirectly.

These rights are not absolute. Each has specific conditions and exemptions detailed in the regulation. However, organisations must respond to every request, even if the response is a justified refusal.

GDPR Data Protection Requirements for Organisations

Beyond the principles and data subject rights, the GDPR imposes structural and operational obligations on organisations that process personal data.

Data Protection Officer

Article 37 requires certain organisations to appoint a Data Protection Officer (DPO). This applies to public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special category data. Even when not required, appointing a DPO is considered best practice.

Records of processing activities

Article 30 requires controllers with 250 or more employees (and smaller organisations in certain circumstances) to maintain written records of all processing activities. These records must include the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a description of security measures.

Data Protection Impact Assessments

Article 35 mandates a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals. This includes systematic profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. The DPIA must describe the processing, assess necessity and proportionality, evaluate risks, and identify mitigation measures.

Data breach notification

Articles 33 and 34 establish strict breach notification obligations. Controllers must report breaches to the relevant supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk, affected individuals must also be notified without undue delay.

Data processing agreements

Article 28 requires a written contract between controllers and processors. This agreement must set out the subject matter, duration, nature, and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It must also impose specific obligations on the processor regarding security, sub-processors, breach notification, and data deletion.

International Data Transfers Under the GDPR

Transferring personal data outside the EU or EEA is one of the more complex GDPR data protection requirements. Chapter V of the regulation permits transfers only when adequate safeguards are in place.

The available mechanisms include:

  • Adequacy decisions (Article 45): The European Commission has determined that certain countries provide adequate data protection. Transfers to these countries require no additional safeguards. The current list includes the United Kingdom, Japan, South Korea, Canada (commercial organisations), and several others.
  • Standard Contractual Clauses (Article 46(2)(c)): Pre-approved contract terms adopted by the Commission that impose GDPR-equivalent obligations on the data importer. Following the Schrems II ruling, organisations must also conduct a Transfer Impact Assessment to verify that the clauses are effective in practice.
  • Binding Corporate Rules (Article 47): Internally binding data protection policies approved by a supervisory authority, used for transfers within a corporate group.
  • Derogations (Article 49): Limited exceptions including explicit consent, contractual necessity, and important reasons of public interest. These are intended for occasional, non-systematic transfers.

The EU-US Data Privacy Framework, adopted in July 2023, provides an adequacy mechanism for certified US organisations. However, given the history of invalidated frameworks (Safe Harbor and Privacy Shield), organisations should monitor developments and maintain fallback mechanisms.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Penalties and Enforcement of GDPR Data Protection Requirements

The GDPR grants supervisory authorities significant enforcement powers under Articles 58 and 83. Penalties are designed to be effective, proportionate, and dissuasive.

The regulation establishes two tiers of administrative fines:

  • Higher tier (Article 83(5)): Up to 20 million EUR or 4% of annual global turnover, whichever is greater. This applies to violations of the data processing principles, lawful basis conditions, data subject rights, and international transfer rules.
  • Lower tier (Article 83(4)): Up to 10 million EUR or 2% of annual global turnover. This covers violations of organisational obligations including record-keeping requirements, breach notification duties, DPO designation, and certification rules.

Notable enforcement actions illustrate the scale:

  • Amazon received a 746 million EUR fine from the Luxembourg authority in 2021 for targeted advertising practices
  • Meta was fined 1.2 billion EUR by the Irish Data Protection Commission in 2023 for unlawful international data transfers
  • Google received a 50 million EUR fine from CNIL in 2019 for transparency and consent failures

Penalties are not limited to large corporations. Small and medium businesses have received fines ranging from several thousand to several million euros depending on the severity and nature of the violation.

Beyond financial penalties, supervisory authorities can issue warnings, reprimands, orders to comply, temporary or permanent bans on processing, and orders to communicate data breaches to affected individuals.

How to Meet GDPR Data Protection Requirements

Complying with the GDPR is not a one-time project. It requires ongoing processes and governance. The following steps provide a practical starting point.

Conduct a data mapping exercise

Identify every category of personal data your organisation collects, where it comes from, why you process it, who receives it, where it is stored, and how long you keep it. This mapping forms the basis for your Article 30 records and helps identify compliance gaps.

Establish lawful bases

For each processing activity identified in your data map, determine and document the lawful basis under Article 6. Where you rely on consent, implement mechanisms that meet GDPR standards. Where you rely on legitimate interests, document your balancing test.

Update your privacy policy

Your privacy policy must contain all information required by Articles 13 and 14, presented in clear, plain language. This includes your identity and contact details, the purposes and lawful bases for processing, categories of recipients, international transfers, retention periods, data subject rights, and the right to lodge a complaint. A privacy policy generator can help you create a compliant document that covers all required disclosures.

Implement technical and organisational measures

Article 32 requires appropriate security measures considering the state of the art, costs of implementation, and the nature and scope of processing. Practical measures include encryption of data at rest and in transit, access controls based on the principle of least privilege, regular security testing, employee training, and incident response procedures.

Build data subject rights processes

Create documented procedures for receiving, verifying, and responding to data subject requests. Automate where possible, given the one-month response deadline. Ensure your team knows how to handle access requests, erasure requests, portability requests, and objections.

Plan for data breaches

Prepare a breach response plan before an incident occurs. Define roles, escalation paths, assessment criteria, notification templates, and remediation procedures. The 72-hour notification deadline under Article 33 leaves little time for improvisation.

Compliance platforms like TermsBox can simplify the documentation side of GDPR compliance by generating and hosting required policies, scanning your website for compliance issues, and keeping documents updated as your data practices change.

GDPR Data Protection Requirements for Websites

Websites face specific GDPR obligations related to cookies, tracking technologies, and online data collection.

Every website that collects personal data from EU visitors must display a compliant privacy policy explaining what data is collected, why, and on what legal basis. The cookie policy generator can help create the cookie-specific disclosures required by the ePrivacy Directive alongside GDPR obligations.

Cookie consent requirements demand particular attention. Under Article 5(3) of the ePrivacy Directive, read alongside the GDPR's consent definition, websites must obtain prior, informed, specific consent before setting non-essential cookies. This means analytics tools like Google Analytics, advertising pixels, and social media widgets cannot load until a visitor actively opts in.

Additional website obligations include:

  • Providing a lawful basis for contact form submissions and email signups
  • Offering clear opt-out mechanisms for marketing communications
  • Ensuring third-party scripts and integrations comply with your data processing agreements
  • Implementing appropriate security measures for any personal data transmitted through the site
  • Maintaining records of consent where consent is the lawful basis

Frequently Asked Questions

Who must comply with GDPR data protection requirements?

Any organisation that processes personal data of individuals located in the EU or EEA must comply, regardless of where the organisation itself is based. This includes businesses with no physical EU presence if they offer goods or services to EU residents or monitor their behaviour. Article 3 of the GDPR establishes this extraterritorial scope, meaning a company in the United States or Australia can fall under GDPR jurisdiction.

What are the penalties for failing to meet GDPR data protection requirements?

The GDPR establishes a two-tier penalty structure. The higher tier carries fines up to 20 million EUR or 4% of annual global turnover, whichever is greater, for violations of core principles, lawful basis rules, data subject rights, and international transfer provisions. The lower tier allows fines up to 10 million EUR or 2% of global turnover for violations related to organisational obligations such as record-keeping and data breach notification.

What counts as personal data under the GDPR?

Personal data is any information relating to an identified or identifiable natural person. This includes obvious identifiers like names, email addresses, and phone numbers, but also extends to IP addresses, cookie identifiers, location data, device fingerprints, and any combination of data points that could be used to single out an individual. Pseudonymised data remains personal data under the GDPR because it can be re-identified.

How long can organisations retain personal data under the GDPR?

The GDPR does not prescribe specific retention periods. Instead, Article 5(1)(e) requires that personal data be kept only for as long as necessary for the purposes for which it was collected. Organisations must define and document retention periods for each category of data, justify those periods, and delete or anonymise data when the purpose is fulfilled. National laws may impose minimum retention periods for certain records such as tax or employment data.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

GDPR

AWS and GDPR: Compliance, DPAs & Data Transfers (2026)

How AWS and GDPR fit together: the shared responsibility model, the AWS Data Processing Addendum, transfer rules, and the config steps to stay compliant.

April 4, 202612 min read
GDPR

Cookie Compliance: A Complete Guide for Website Owners

Learn what cookie compliance requires, which laws apply, and how to implement consent banners and cookie policies to keep your website legally compliant.

April 4, 202612 min read
GDPR

Data Protection Compliance: A Complete Guide for Businesses

Master data protection compliance with this practical guide covering GDPR, CCPA, key requirements, enforcement, and steps to build a compliance programme.

April 4, 202615 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What the GDPR Data Protection Requirements Cover
  • The Seven Principles of GDPR Data Protection
  • Lawful Bases for Processing Personal Data
  • Consent (Article 6(1)(a))
  • Contract (Article 6(1)(b))
  • Legal obligation (Article 6(1)(c))
  • Vital interests (Article 6(1)(d))
  • Public task (Article 6(1)(e))
  • Legitimate interests (Article 6(1)(f))
  • Data Subject Rights Under the GDPR
  • GDPR Data Protection Requirements for Organisations
  • Data Protection Officer
  • Records of processing activities
  • Data Protection Impact Assessments
  • Data breach notification
  • Data processing agreements
  • International Data Transfers Under the GDPR
  • Penalties and Enforcement of GDPR Data Protection Requirements
  • How to Meet GDPR Data Protection Requirements
  • Conduct a data mapping exercise
  • Establish lawful bases
  • Update your privacy policy
  • Implement technical and organisational measures
  • Build data subject rights processes
  • Plan for data breaches
  • GDPR Data Protection Requirements for Websites
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.