TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR Summary: Key Requirements Explained Simply
Legal Compliance

GDPR Summary: Key Requirements Explained Simply

A clear GDPR summary covering key principles, rights, obligations, and penalties. Understand the regulation without reading all 99 articles.

TermsBox Team|April 4, 202612 min read

The GDPR summary that follows breaks down the General Data Protection Regulation into its core components so you can understand what it requires without reading all 99 articles and 173 recitals. The GDPR is the most significant data protection law affecting businesses that collect, store, or process personal data of individuals in the European Union.

This article provides educational content about data protection law and is not legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is the GDPR?

The General Data Protection Regulation (GDPR) is EU Regulation 2016/679. It was adopted on 27 April 2016 and became enforceable on 25 May 2018. It replaced the Data Protection Directive 95/46/EC, which had governed data protection across Europe since 1995.

Unlike a directive, which requires each EU member state to pass its own implementing law, the GDPR is a regulation that applies directly and uniformly across all 27 EU member states. This means a business operating in Germany, France, and Italy faces one set of rules rather than three different national laws.

The regulation also has extraterritorial reach. Under Article 3, the GDPR applies to organisations outside the EU if they offer goods or services to individuals in the EU or monitor their behaviour within the EU. This means a website based in the United States that targets European customers must comply.

The Seven Data Processing Principles

Article 5 of the GDPR establishes seven principles that govern all personal data processing. These principles are the foundation of the entire regulation, and every other requirement flows from them.

  1. Lawfulness, fairness, and transparency: Processing must have a legal basis, must not be deceptive, and must be clearly communicated to data subjects
  2. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not processed further in ways incompatible with those purposes
  3. Data minimisation: Only collect personal data that is adequate, relevant, and limited to what is necessary for the stated purpose
  4. Accuracy: Personal data must be accurate and kept up to date, with reasonable steps taken to erase or rectify inaccurate data
  5. Storage limitation: Data must be kept in identifiable form only as long as necessary for the processing purpose
  6. Integrity and confidentiality: Processing must ensure appropriate security, including protection against unauthorised access, accidental loss, and destruction
  7. Accountability: The controller must be able to demonstrate compliance with all of the above principles

The accountability principle is particularly important. It is not enough to be compliant; you must be able to prove it through documentation, policies, and records.

Lawful Bases for Processing Personal Data

Article 6 of the GDPR requires that every processing activity has a valid lawful basis. There are six options, and you must identify and document which one applies before you begin processing.

  • Consent: The data subject has given clear, affirmative consent for a specific purpose. Must be freely given, specific, informed, and unambiguous. Can be withdrawn at any time.
  • Contract: Processing is necessary to perform a contract with the data subject or to take pre-contractual steps at their request. For example, processing a shipping address to fulfil an order.
  • Legal obligation: Processing is necessary to comply with a legal requirement. For example, retaining financial records for tax purposes.
  • Vital interests: Processing is necessary to protect someone's life. This basis is narrow and rarely applicable in a business context.
  • Public task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority. Primarily relevant to government bodies.
  • Legitimate interests: Processing is necessary for a legitimate interest of the controller or a third party, provided it does not override the data subject's rights. Requires a balancing test documented in a Legitimate Interests Assessment (LIA).

For most websites and online businesses, the relevant bases are consent (for marketing and non-essential cookies), contract (for service delivery), legal obligation (for record-keeping), and legitimate interests (for security and fraud prevention).

GDPR Summary of Data Subject Rights

Articles 12 through 22 establish rights that individuals can exercise over their personal data. Organisations must respond to valid requests within one month, extendable by two additional months for complex cases.

Right of access (Article 15)

Individuals can request confirmation of whether their data is being processed and, if so, obtain a copy of that data along with information about the purposes, categories, recipients, and retention periods.

Right to rectification (Article 16)

Data subjects can request correction of inaccurate personal data or completion of incomplete data.

Right to erasure (Article 17)

Often called the "right to be forgotten," this allows individuals to request deletion of their personal data when it is no longer necessary, when consent is withdrawn, or when processing is unlawful. Exceptions exist for legal obligations, public interest, and legal claims.

Right to restriction (Article 18)

Data subjects can request that processing be restricted (data stored but not actively used) while accuracy is contested, while an objection is being verified, or when processing is unlawful but the subject opposes erasure.

Right to data portability (Article 20)

Individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. Applies to data provided by the subject and processed by automated means based on consent or contract.

Right to object (Article 21)

Data subjects can object to processing based on legitimate interests or public task. For direct marketing, the right to object is absolute and must be honoured immediately.

Rights related to automated decision-making (Article 22)

Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Exceptions apply when the decision is necessary for a contract, authorised by law, or based on explicit consent.

Who Must Comply: Controllers and Processors

The GDPR assigns distinct obligations to two types of organisations.

Controllers determine the purposes and means of processing personal data. If you decide what data to collect, why to collect it, and how to use it, you are a controller. Controllers bear primary responsibility for compliance, including responding to data subject requests, conducting impact assessments, and notifying authorities of breaches.

Processors process personal data on behalf of a controller. Your email service provider, cloud hosting company, and analytics platform are typically processors. Processors must follow the controller's instructions, maintain security measures, and assist with compliance obligations.

Article 28 requires a written Data Processing Agreement (DPA) between controllers and processors. This agreement must specify the subject matter, duration, nature, and purpose of processing, as well as the obligations of each party.

For a practical example: if you run an e-commerce website, you are the controller of your customers' data. Stripe (payment processing), AWS (hosting), and Mailchimp (email marketing) are your processors. You need DPAs with each of them.

GDPR Requirements for Websites

Most website operators need to address several specific GDPR requirements. Here is a practical summary of the key obligations.

Privacy policy

Articles 13 and 14 require you to inform data subjects about your data practices at the time of collection. Your privacy policy must include:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Identity and contact details of the controller
  • Purposes and lawful bases for each processing activity
  • Categories of personal data collected
  • Recipients or categories of recipients
  • Data retention periods or criteria
  • Data subject rights and how to exercise them
  • Right to lodge a complaint with a supervisory authority
  • Whether data is transferred outside the EEA and the safeguards used

A privacy policy generator can help you create a comprehensive policy that covers these requirements based on your actual data practices.

Cookie consent

The GDPR, combined with the ePrivacy Directive (Directive 2002/58/EC), requires consent before placing non-essential cookies on a user's device. This means:

  • Strictly necessary cookies (session management, security, load balancing) do not require consent
  • Analytics, marketing, and personalisation cookies require prior opt-in consent
  • Pre-checked boxes do not constitute valid consent
  • Users must be able to withdraw consent as easily as they gave it
  • Cookie walls that block access unless all cookies are accepted are generally not valid consent

A cookie consent banner (CMP) that blocks non-essential scripts until the user opts in is the standard implementation. Your cookie policy should list the specific cookies used, their purposes, and their retention periods.

Record of Processing Activities

Article 30 requires controllers to maintain a written record of processing activities. This record must include the purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries, and retention periods. Organisations with fewer than 250 employees are exempt only if their processing is occasional, does not include special categories of data, and is unlikely to result in a risk to individuals. In practice, most businesses that operate a website fall outside this exemption.

Data Breach Notification Requirements

Articles 33 and 34 establish strict timelines for responding to personal data breaches.

Notification to the supervisory authority (Article 33)

Controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include:

  • The nature of the breach and approximate number of individuals affected
  • The name and contact details of the Data Protection Officer or other contact point
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

Notification to data subjects (Article 34)

When a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify the affected individuals without undue delay. This notification must describe the breach in clear, plain language and include the same information provided to the authority.

Documentation requirement

All breaches must be documented regardless of severity, including the facts, effects, and remedial actions taken. This documentation enables the supervisory authority to verify compliance.

GDPR Penalties and Enforcement

The GDPR introduced penalty amounts that made data protection a board-level concern worldwide.

Two tiers of fines under Article 83

Lower tier (Article 83(4)): Up to 10 million EUR or 2% of annual global turnover, whichever is higher. Applies to violations of obligations for controllers and processors, certification bodies, and monitoring bodies.

Upper tier (Article 83(5)): Up to 20 million EUR or 4% of annual global turnover, whichever is higher. Applies to violations of the basic principles of processing, data subject rights, transfer rules, and national law provisions.

Factors that influence fine amounts

Supervisory authorities consider several factors when determining penalties under Article 83(2):

  • The nature, gravity, and duration of the infringement
  • Whether the infringement was intentional or negligent
  • Actions taken to mitigate damage
  • Degree of cooperation with the authority
  • Categories of personal data affected
  • How the authority learned of the infringement (self-reported vs. complaint)
  • Previous infringements

Notable enforcement examples

Enforcement is active and growing. Major fines have been issued across sectors and company sizes. Smaller businesses are not immune; supervisory authorities in countries like Spain, Italy, and Romania have issued fines ranging from a few thousand to several hundred thousand EUR against SMEs for violations such as unlawful CCTV surveillance, missing privacy policies, and inadequate consent mechanisms.

Practical Steps to Achieve GDPR Compliance

For businesses looking to act on this GDPR summary, here is a prioritised checklist.

Immediate priorities

  1. Publish a compliant privacy policy: Cover all Article 13/14 requirements. Use a privacy policy generator to ensure nothing is missed, then review with legal counsel if your processing is complex.
  2. Implement cookie consent: Deploy a consent management platform that blocks non-essential cookies by default and records consent preferences.
  3. Audit your processors: List every third party that processes personal data on your behalf. Verify that DPAs are in place for each one.
  4. Create a data subject request process: Establish a workflow for receiving, verifying, and responding to access, deletion, and other requests within the one-month deadline.

Ongoing obligations

  • Maintain processing records: Keep your Article 30 ROPA current as you add new tools, features, or data collection points
  • Monitor for changes: New cookies appear when you update plugins or add analytics tools. Regular scanning catches these changes. TermsBox provides automated website scanning that detects new trackers and cookies, keeping your compliance documentation accurate.
  • Train your team: Ensure employees who handle personal data understand the basics of GDPR compliance, particularly for breach identification and data subject requests
  • Review annually: Data practices evolve. Schedule at least an annual review of your privacy policy, processing records, and terms of service

Frequently Asked Questions

What does GDPR stand for?

GDPR stands for the General Data Protection Regulation. It is EU Regulation 2016/679, adopted on 27 April 2016 and enforceable from 25 May 2018. It replaced the earlier Data Protection Directive 95/46/EC and applies directly in all EU member states without requiring national implementing legislation.

Does GDPR apply to businesses outside the EU?

Yes. Under Article 3, the GDPR applies to any organisation that offers goods or services to individuals in the EU or monitors their behaviour within the EU, regardless of where the organisation is established. A company based in the United States, Australia, or any other country must comply if it processes personal data of EU residents in these contexts.

What are the penalties for GDPR non-compliance?

The GDPR establishes two tiers of administrative fines under Article 83. Lower-tier violations can result in fines up to 10 million EUR or 2% of annual global turnover. Upper-tier violations, including breaches of data processing principles or data subject rights, carry fines up to 20 million EUR or 4% of annual global turnover, whichever is higher.

What qualifies as personal data under GDPR?

Personal data means any information relating to an identified or identifiable natural person, as defined in Article 4. This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, location data, device IDs, and any data that could be combined with other information to identify someone.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the GDPR?
  • The Seven Data Processing Principles
  • Lawful Bases for Processing Personal Data
  • GDPR Summary of Data Subject Rights
  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)
  • Who Must Comply: Controllers and Processors
  • GDPR Requirements for Websites
  • Privacy policy
  • Cookie consent
  • Record of Processing Activities
  • Data Breach Notification Requirements
  • Notification to the supervisory authority (Article 33)
  • Notification to data subjects (Article 34)
  • Documentation requirement
  • GDPR Penalties and Enforcement
  • Two tiers of fines under Article 83
  • Factors that influence fine amounts
  • Notable enforcement examples
  • Practical Steps to Achieve GDPR Compliance
  • Immediate priorities
  • Ongoing obligations
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.