General Data Protection Regulation 2016/679: Full Guide
Understand the General Data Protection Regulation 2016/679 (GDPR). Covers key articles, rights, obligations, penalties, and practical compliance steps.
The General Data Protection Regulation 2016/679, commonly known as the GDPR, is the European Union's comprehensive data protection law. Formally cited as Regulation (EU) 2016/679, it governs how organisations collect, store, process, and share the personal data of individuals within the European Economic Area. Since becoming enforceable on 25 May 2018, it has reshaped data protection practices worldwide and become the standard against which other privacy laws are measured.
This guide breaks down the regulation's structure, core principles, individual rights, organisational obligations, and enforcement mechanisms. The content here is educational and should not be treated as legal advice. Consult a qualified data protection attorney for guidance specific to your organisation.
What Is Regulation (EU) 2016/679?
Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, is the full legal name of the GDPR. It was published in the Official Journal of the European Union on 4 May 2016, entered into force on 24 May 2016, and became enforceable after a two-year transition period on 25 May 2018.
The regulation replaced the Data Protection Directive 95/46/EC, which had governed data protection in the EU since 1995. The key structural difference is that the GDPR is a regulation, not a directive. This means it applies directly in all EU member states without requiring each country to pass separate national legislation. The result is a more uniform set of rules across the 27 EU member states and the three additional EEA countries (Iceland, Liechtenstein, and Norway).
The GDPR consists of 99 articles organised across 11 chapters, accompanied by 173 recitals that provide interpretive guidance. It covers:
- The principles governing lawful data processing
- The rights of data subjects
- Obligations of data controllers and processors
- Rules for international data transfers
- The role and powers of supervisory authorities
- The enforcement and penalty framework
Scope and Territorial Reach of the GDPR 2016/679
One of the most significant features of the 2016/679 GDPR is its extraterritorial scope, defined in Article 3. The regulation applies in three scenarios:
- Establishment in the EU: Any organisation that processes personal data "in the context of the activities of an establishment" in the EU, regardless of whether the processing itself takes place within the EU (Article 3(1))
- Offering goods or services: Any organisation outside the EU that offers goods or services to data subjects in the EU, whether paid or free (Article 3(2)(a))
- Monitoring behaviour: Any organisation outside the EU that monitors the behaviour of data subjects within the EU, such as through website tracking, profiling, or analytics (Article 3(2)(b))
This extraterritorial reach means the GDPR affects businesses worldwide. A company in the United States or Japan that operates a website tracking EU visitors is subject to the regulation.
Material Scope
Article 2 defines the material scope. The GDPR applies to the processing of personal data wholly or partly by automated means, and to non-automated processing that forms part of a filing system. It does not apply to purely personal or household activities, national security processing, or processing by EU institutions covered by a separate regulation.
Key Definitions
Article 4 provides 26 definitions that underpin the regulation:
- Personal data: Any information relating to an identified or identifiable natural person (the "data subject")
- Processing: Any operation performed on personal data, including collection, recording, storage, alteration, retrieval, use, disclosure, erasure, or destruction
- Controller: The natural or legal person that determines the purposes and means of processing
- Processor: A natural or legal person that processes personal data on behalf of the controller
- Consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes
Core Principles of the General Data Protection Regulation 2016/679
Article 5 establishes seven principles that govern all processing of personal data. These principles are not abstract guidelines. They are legally binding requirements, and violations can trigger the highest tier of administrative fines.
Lawfulness, Fairness, and Transparency (Article 5(1)(a))
Personal data must be processed lawfully, fairly, and in a transparent manner. Lawfulness requires a valid legal basis under Article 6. Fairness means processing must not be detrimental, unexpected, or misleading. Transparency requires that data subjects receive clear information about how their data is used.
Purpose Limitation (Article 5(1)(b))
Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. If you collect email addresses for order confirmations, you cannot later use them for marketing without a separate legal basis.
Data Minimisation (Article 5(1)(c))
Organisations must collect only the personal data that is adequate, relevant, and limited to what is necessary for the stated purposes. Collecting data "just in case" or requiring unnecessary fields on forms violates this principle.
Accuracy (Article 5(1)(d))
Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate data is erased or rectified without delay.
Storage Limitation (Article 5(1)(e))
Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing. This requires defined retention periods and deletion procedures.
Integrity and Confidentiality (Article 5(1)(f))
Data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This principle links directly to the security requirements in Article 32.
Accountability (Article 5(2))
The controller must be able to demonstrate compliance with all of the above principles. This is not a passive obligation. It requires documentation, policies, records, and evidence that the organisation actively implements and enforces these principles.
Lawful Bases for Processing Under Article 6
The GDPR requires a lawful basis for every processing activity. Article 6(1) provides six options:
- Consent: The data subject has given clear, affirmative consent for a specific purpose
- Contract: Processing is necessary for the performance of a contract with the data subject or to take pre-contractual steps at their request
- Legal obligation: Processing is necessary to comply with an EU or member state legal requirement
- Vital interests: Processing is necessary to protect the life of the data subject or another person
- Public task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority
- Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, balanced against the rights of the data subject
For most commercial websites, consent and legitimate interests are the most frequently relied-upon bases. Consent must meet the strict requirements of Article 7: it must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give.
When collecting personal data through your website, your privacy policy must clearly state the lawful basis for each processing activity. A privacy policy generator can help structure this information, but you must determine the correct lawful basis for each specific type of processing your organisation performs.
Data Subject Rights Under the GDPR 2016/679
Chapter III of the regulation (Articles 12 through 23) establishes a comprehensive set of rights for data subjects. These rights give individuals control over their personal data and create corresponding obligations for controllers.
Right of Access (Article 15)
Data subjects have the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data along with information about the purposes, categories, recipients, retention periods, and the source of the data.
Right to Rectification (Article 16)
Individuals can request correction of inaccurate personal data and completion of incomplete data.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," this allows data subjects to request deletion of their personal data in several circumstances, including when the data is no longer necessary, consent is withdrawn, or processing is unlawful. This right is not absolute. Controllers may refuse erasure where processing is necessary for legal obligations, public interest, or the establishment or defence of legal claims.
Right to Restriction of Processing (Article 18)
Data subjects can request that processing be restricted while accuracy is contested, while objection requests are evaluated, or when processing is unlawful but the individual prefers restriction over erasure.
Right to Data Portability (Article 20)
Where processing is based on consent or a contract and carried out by automated means, data subjects can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
Data subjects can object to processing based on legitimate interests or public interest grounds. For direct marketing, the right to object is absolute: once exercised, the controller must stop processing for that purpose immediately.
Rights Related to Automated Decision-Making (Article 22)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. Exceptions exist for contractual necessity, legal authorisation, or explicit consent, but safeguards must be in place.
Controller and Processor Obligations
The GDPR places extensive obligations on both controllers and processors. These go beyond general caution into documented, auditable compliance programmes.
Data Protection by Design and Default (Article 25)
Controllers must implement appropriate technical and organisational measures both when determining the means of processing and during the processing itself. By default, only personal data necessary for each specific purpose should be processed.
Records of Processing Activities (Article 30)
Organisations with 250 or more employees, or those processing sensitive data or data likely to result in a risk to individuals' rights, must maintain written records of their processing activities. In practice, supervisory authorities expect all organisations to maintain such records.
Data Protection Impact Assessments (Article 35)
Processing likely to result in a high risk to individual rights requires a DPIA before processing begins. This includes systematic profiling, large-scale processing of special category data, and systematic monitoring of publicly accessible areas.
Data Protection Officers (Articles 37 to 39)
A DPO must be designated when the controller is a public authority, when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities involve large-scale processing of special category data.
Processor Requirements (Article 28)
Processors may only act on documented instructions from the controller. A binding contract must specify the subject matter, duration, nature, and purpose of processing, along with the obligations and rights of each party.
International Data Transfers (Chapter V)
Transfers of personal data outside the EEA are restricted unless adequate protection exists. Lawful transfer mechanisms include adequacy decisions (Article 45), standard contractual clauses (Article 46(2)(c)), binding corporate rules (Article 47), and derogations for specific situations (Article 49).
Enforcement and Penalties Under the GDPR
The GDPR's enforcement framework gives supervisory authorities substantial investigative, corrective, and advisory powers under Article 58. Each EU member state has at least one independent supervisory authority.
Two-Tier Penalty Structure
Article 83 establishes two tiers of administrative fines:
- Tier 1 (Article 83(4)): Up to 10 million EUR or 2% of total worldwide annual turnover, whichever is greater. Applies to controller/processor obligations, record-keeping, DPIAs, and DPO requirements.
- Tier 2 (Article 83(5)): Up to 20 million EUR or 4% of total worldwide annual turnover, whichever is greater. Applies to violations of core principles (Article 5), lawful basis (Article 6), consent (Article 7), data subject rights (Articles 12-22), and international transfer rules (Articles 44-49).
Factors in Determining Fines
Article 83(2) lists 11 factors supervisory authorities must consider, including the nature and gravity of the infringement, whether it was intentional or negligent, actions taken to mitigate damage, the degree of cooperation with the authority, and the categories of personal data affected. Since enforcement began in 2018, supervisory authorities have collectively issued billions of euros in fines, with the largest penalties targeting technology companies for consent, transparency, and lawful basis violations.
Practical Compliance Steps for the General Data Protection Regulation 2016/679
Compliance with Regulation (EU) 2016/679 is an ongoing process, not a one-time project. The following steps provide a structured approach.
Data Mapping and Legal Basis Assessment
Start by documenting what personal data you collect, where it is stored, who can access it, and how long you retain it. For each processing activity, determine and document the lawful basis under Article 6. Where you rely on consent, verify your mechanisms meet Article 7: freely given, specific, informed, unambiguous, and obtained through a clear affirmative action.
Privacy Documentation
Your organisation needs several key documents:
- A privacy notice covering the information requirements of Articles 13 and 14 (a privacy policy generator can help structure it)
- Internal data protection policies for staff
- Data processing agreements with all processors under Article 28
- Terms of service covering the contractual aspects of your relationship with users (a terms of service generator can help draft them)
Website Compliance
The intersection of the GDPR with the ePrivacy Directive creates specific website requirements:
- Cookie consent management that blocks non-essential trackers until consent is given
- Transparent disclosure of all cookies, analytics tools, and third-party scripts
- Mechanisms for users to withdraw consent as easily as they gave it
- Regular scanning to detect new trackers introduced by third-party scripts
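The consent gating described in the list above, as an added example that is not code from the article or from TermsBox: non-essential scripts stay blocked until an explicit per-category opt-in, and withdrawal re-blocks them. The `loadScript`/`blockScript` hooks and the category names are assumptions.

```javascript
// Added example, not code from the article or from TermsBox: a minimal consent
// gate for a website. Scripts are registered with a category; only "essential"
// ones load immediately, everything else stays blocked until an explicit opt-in
// for its category, and withdrawal re-blocks it. loadScript/blockScript are
// assumed hooks supplied by the page (e.g. insert a <script> tag / set the
// vendor's opt-out flag and delete its cookies), so the logic runs outside a DOM.

const ESSENTIAL = "essential"; // strictly necessary scripts are never gated

class ConsentGate {
  constructor({ loadScript, blockScript }) {
    this.loadScript = loadScript;
    this.blockScript = blockScript;
    this.consent = {};   // category -> true only after an explicit opt-in
    this.registry = [];  // { src, category, loaded }
  }

  // Register a script. Without a recorded opt-in it is not loaded: silence,
  // pre-ticked boxes or scrolling do not count as consent under Article 4(11).
  register(src, category) {
    const entry = { src, category, loaded: false };
    this.registry.push(entry);
    if (category === ESSENTIAL || this.consent[category] === true) this.load(entry);
    return entry;
  }

  // Apply per-category choices from the consent UI; anything but boolean true
  // is treated as "no". Scripts are loaded or blocked to match the new state.
  update(choices) {
    for (const [category, granted] of Object.entries(choices)) {
      if (category !== ESSENTIAL) this.consent[category] = granted === true;
    }
    for (const entry of this.registry) {
      if (entry.category === ESSENTIAL) continue;
      const allowed = this.consent[entry.category] === true;
      if (allowed && !entry.loaded) this.load(entry);
      if (!allowed && entry.loaded) this.block(entry);
    }
    return { ...this.consent };
  }

  // Withdrawal must be as easy as consent (Article 7(3)): one call clears all.
  withdrawAll() {
    const choices = {};
    for (const c of Object.keys(this.consent)) choices[c] = false;
    return this.update(choices);
  }

  loadedSources() { return this.registry.filter(e => e.loaded).map(e => e.src); }

  load(entry) { this.loadScript(entry.src); entry.loaded = true; }
  block(entry) { this.blockScript(entry.src); entry.loaded = false; }
}
```

In a real page the consent state would also be persisted (for example in a first-party cookie) and re-applied on load so that the choice survives navigation.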
Breach Response and Training
Establish an incident response plan that enables notification to the supervisory authority within 72 hours of becoming aware of a breach, as Article 33 requires. Designate responsibility, create notification templates, and conduct regular tabletop exercises. Even organisations without a DPO obligation should ensure everyone who handles personal data understands the principles and knows how to escalate concerns.
Frequently Asked Questions
What is Regulation (EU) 2016/679?
Regulation (EU) 2016/679 is the official legal citation for the General Data Protection Regulation (GDPR). It was adopted by the European Parliament and the Council of the European Union on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016, and became enforceable on 25 May 2018. It replaced the earlier Data Protection Directive 95/46/EC and established a unified framework for data protection across all EU and EEA member states.
Who does the GDPR 2016/679 apply to?
The GDPR applies to any organisation, regardless of location, that processes personal data of individuals in the European Economic Area. This includes EU-based businesses, non-EU companies offering goods or services to people in the EEA, and organisations monitoring the behaviour of individuals within the EEA. It applies to both data controllers, who determine the purposes of processing, and data processors, who process data on behalf of controllers.
What are the maximum fines under the GDPR?
The GDPR establishes a two-tier penalty structure. Under Article 83(4), violations of obligations such as data protection by design, record-keeping, or processor requirements carry fines of up to 10 million EUR or 2% of total worldwide annual turnover, whichever is greater. Under Article 83(5), violations of core principles, lawful basis requirements, data subject rights, or international transfer rules carry fines of up to 20 million EUR or 4% of total worldwide annual turnover, whichever is greater.
How is the GDPR different from the Data Protection Directive 95/46/EC?
The GDPR replaced Directive 95/46/EC with several structural changes. As a regulation rather than a directive, it applies directly in all member states without requiring national transposition, creating more uniform rules across the EU. It introduced stronger data subject rights (portability, erasure, restriction), mandatory breach notification within 72 hours, the requirement for Data Protection Officers in certain cases, significantly higher penalties, and explicit extraterritorial scope covering non-EU organisations that process the personal data of individuals in the EU.