TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR Requirements: What the Regulation Actually Demands
GDPR

GDPR Requirements: What the Regulation Actually Demands

A complete guide to general data protection regulation GDPR requirements, covering the key obligations every website owner must meet to stay compliant.

TermsBox Team|April 3, 202615 min read

The general data protection regulation, commonly known as the GDPR, is the European Union's comprehensive framework for personal data protection. Since taking effect on May 25, 2018, it has become the global benchmark for privacy legislation. Understanding GDPR requirements is not optional for any website that serves users in the EU or EEA, and the regulation's extraterritorial scope means businesses worldwide must comply.

This guide breaks down what the GDPR actually requires, who it applies to, and how to meet each obligation in practice. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What the General Data Protection Regulation GDPR Requirements Cover

The GDPR is built on a set of principles defined in Article 5 that underpin every specific requirement in the regulation. Before examining individual obligations, understanding these principles provides the framework for everything that follows.

  • Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimization: Only data that is adequate, relevant, and limited to what is necessary may be collected.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  • Storage limitation: Data must be kept in a form that permits identification of individuals for no longer than necessary.
  • Integrity and confidentiality: Data must be processed with appropriate security, including protection against unauthorized access, accidental loss, and destruction.
  • Accountability: The controller must be able to demonstrate compliance with all of the above principles.

These are not aspirational guidelines. They are enforceable requirements. Failing to demonstrate compliance with any of these principles can result in fines of up to 20 million EUR or 4% of annual global turnover under Article 83(5).

Who Must Meet GDPR Requirements

The GDPR's territorial scope, defined in Article 3, is deliberately broad. The regulation applies to:

  1. Organizations established in the EU that process personal data in the context of their activities, regardless of whether the processing takes place in the EU.
  2. Organizations outside the EU that offer goods or services to individuals in the EU (Article 3(2)(a)) or monitor the behavior of individuals in the EU (Article 3(2)(b)).

In practical terms, if your website is accessible to EU residents and you collect any personal data from them, whether through forms, cookies, analytics, or advertising pixels, the GDPR likely applies to you. The regulation does not include a small business exemption. A sole trader with a WordPress blog that uses Google Analytics and serves EU visitors has GDPR obligations.

The GDPR distinguishes between two roles:

  • Data controller: The entity that determines the purposes and means of processing. If you own the website, you are typically the controller.
  • Data processor: An entity that processes data on behalf of the controller. Your hosting provider, email service, and analytics platform are processors.

Controllers bear the primary compliance burden, but processors have their own direct obligations under Articles 28 through 36.

Lawful Basis for Processing: The Foundation of GDPR Requirements

Article 6 of the GDPR requires that every processing activity has a valid lawful basis. There are six possible bases, and you must identify the appropriate one before you begin processing. Retroactively assigning a lawful basis is not permitted.

Consent (Article 6(1)(a))

The individual has given clear, affirmative consent to the processing for one or more specific purposes. Under the GDPR, consent must be:

  • Freely given: The person must have a genuine choice. Bundling consent with acceptance of terms or using cookie walls that block access undermines this.
  • Specific: Consent must relate to defined processing purposes, not a blanket authorization.
  • Informed: The person must understand what they are consenting to before giving consent.
  • Unambiguous: Requires a clear affirmative act. Pre-ticked boxes, silence, and inactivity do not constitute consent.

Consent can be withdrawn at any time (Article 7(3)), and withdrawal must be as easy as giving consent.

Contract (Article 6(1)(b))

Processing is necessary for the performance of a contract with the individual or to take steps at their request before entering a contract. For example, processing a shipping address to deliver a product the customer ordered is covered by this basis.

Legal obligation (Article 6(1)(c))

Processing is necessary to comply with a legal obligation to which the controller is subject. Tax record retention is a common example.

Vital interests (Article 6(1)(d))

Processing is necessary to protect someone's life. This applies in genuine emergencies and is rarely relevant for websites.

Public interest (Article 6(1)(e))

Processing is necessary for a task carried out in the public interest or in the exercise of official authority. This applies primarily to public bodies.

Legitimate interests (Article 6(1)(f))

Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the individual's fundamental rights and freedoms. This requires a balancing test documented in a Legitimate Interest Assessment (LIA). Website analytics, fraud prevention, and network security are commonly cited legitimate interests.

For most websites, the relevant bases are consent (for marketing and non-essential cookies), contract (for order fulfillment), legal obligation (for record keeping), and legitimate interests (for analytics and security).

GDPR Requirements for Transparency and Privacy Notices

Articles 13 and 14 impose detailed transparency requirements. When you collect personal data, you must provide individuals with specific information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

What your privacy policy must include

Under Article 13, when data is collected directly from the individual, you must disclose:

  • The identity and contact details of the controller
  • Contact details of the Data Protection Officer, if applicable
  • The purposes and lawful basis for each type of processing
  • The categories of personal data concerned
  • Recipients or categories of recipients of the personal data
  • Any transfers to third countries and the safeguards in place
  • Retention periods or criteria for determining retention
  • The existence of each data subject right (access, rectification, erasure, restriction, portability, objection)
  • The right to withdraw consent at any time, if consent is the lawful basis
  • The right to lodge a complaint with a supervisory authority
  • Whether providing the data is a statutory or contractual requirement
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved

This is not a suggestion list. Omitting any of these elements means your privacy notice is non-compliant. A privacy policy generator provides a structured framework that addresses each of these requirements, though you must customize it to reflect your actual processing activities.

Cookie-specific transparency

If your website uses cookies or similar technologies, the ePrivacy Directive (implemented through national laws across the EU) requires additional disclosure. You must identify each cookie, explain its purpose, state its retention period, and indicate whether it is first-party or third-party. A separate cookie policy is the standard approach for meeting this obligation.

GDPR Requirements for Consent Management

For processing activities that rely on consent as the lawful basis, the GDPR imposes specific requirements on how consent is obtained, recorded, and managed.

Cookie consent

The combination of the GDPR and the ePrivacy Directive means that most cookies (other than strictly necessary ones) require prior consent. This means:

  • Non-essential cookies and tracking scripts must be blocked until the user gives consent.
  • The consent mechanism must allow granular choices (e.g., accepting analytics cookies but rejecting advertising cookies).
  • Refusing consent must not result in a degraded experience beyond what is inherently tied to the refused functionality.
  • Consent must be recorded and verifiable. If a regulator asks for proof that a specific user consented, you need to produce it.

A cookie consent management platform (CMP) handles these technical requirements by intercepting scripts, presenting consent options, recording choices, and respecting those choices on subsequent visits.

Marketing consent

If you send marketing emails, you need separate consent that is specific to email marketing. A checkbox at checkout that says "I agree to the terms and conditions and to receive marketing emails" bundles two unrelated purposes and does not satisfy the GDPR's requirement for specific consent.

Data Subject Rights Under the GDPR

Articles 15 through 22 grant individuals a set of rights over their personal data. Meeting these requirements means having documented processes that can handle requests within the legal timeframe of one month (extendable by two additional months for complex requests under Article 12(3)).

Right of access (Article 15)

Individuals can request confirmation of whether their data is being processed and, if so, a copy of the data along with information about the processing. You must provide this information free of charge for the first request.

Right to rectification (Article 16)

Individuals can request correction of inaccurate personal data or completion of incomplete data.

Right to erasure (Article 17)

Also known as the "right to be forgotten," this allows individuals to request deletion of their personal data when it is no longer necessary for the original purpose, when they withdraw consent, when they object to processing, or when the data was unlawfully processed. This right is not absolute: legal obligations to retain data (such as tax records) override it.

Right to restriction (Article 18)

Individuals can request that processing be restricted while accuracy is contested, while an objection is being evaluated, or when the data would otherwise be erased but the individual needs it for legal claims.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Right to data portability (Article 20)

Individuals can request their data in a structured, commonly used, machine-readable format and have it transmitted to another controller. This applies to data processed by automated means on the basis of consent or contract.

Right to object (Article 21)

Individuals can object to processing based on legitimate interests or public interest, including profiling. For direct marketing, the right to object is absolute: you must stop processing immediately upon receiving the objection.

GDPR Security Requirements

Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. The regulation explicitly mentions:

  • Pseudonymization and encryption of personal data
  • Confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore access to personal data in a timely manner after an incident
  • Regular testing and evaluation of the effectiveness of security measures

What constitutes "appropriate" depends on the state of the art, the cost of implementation, the nature and scope of processing, and the risks to individuals. A website that processes payment card data faces higher security expectations than one that only collects email addresses for a newsletter.

At minimum, every website should implement:

  • HTTPS with current TLS configuration
  • Strong password policies and, where applicable, multi-factor authentication
  • Access controls that limit data access to authorized personnel
  • Regular software updates and vulnerability patching
  • Encrypted backups with tested restoration procedures
  • An incident response plan that enables breach notification within the 72-hour window required by Article 33

Breach Notification Requirements

Articles 33 and 34 establish mandatory breach notification procedures:

  • To the supervisory authority (Article 33): Within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The notification must include the nature of the breach, categories and approximate number of individuals affected, the likely consequences, and the measures taken to address it.
  • To affected individuals (Article 34): Without undue delay when the breach is likely to result in a high risk to their rights and freedoms. The communication must use clear and plain language.

The 72-hour clock starts when you become "aware" of the breach, which means when you have a reasonable degree of certainty that a security incident has compromised personal data. Having detection capabilities in place is therefore part of the compliance obligation, because you cannot report what you do not detect.

Documentation and Accountability Requirements

The GDPR's accountability principle means compliance is not just about what you do but about what you can prove. Key documentation requirements include:

Records of processing activities (Article 30)

Controllers with 250 or more employees must maintain written records of all processing activities. Smaller organizations must maintain records if processing is not occasional, involves special categories of data, or is likely to result in a risk to individuals' rights. In practice, maintaining these records is advisable for any organization, as they form the basis of demonstrating compliance.

Records must include the controller's identity, processing purposes, categories of data subjects and personal data, categories of recipients, transfers to third countries, retention periods, and a general description of security measures.

Data Protection Impact Assessments (Article 35)

A DPIA is required before processing that is likely to result in a high risk to individuals, including systematic and extensive profiling, large-scale processing of special categories, and large-scale systematic monitoring of publicly accessible areas. The assessment must describe the processing, evaluate its necessity and proportionality, assess the risks, and identify measures to mitigate those risks.

Data processing agreements (Article 28)

Whenever you use a processor (hosting provider, email service, analytics tool, CRM), you must have a written contract that includes specific provisions mandated by Article 28(3). These include the processor's obligation to process data only on documented instructions, implement appropriate security measures, assist with data subject requests, and delete or return data at the end of the relationship.

How to Assess Your GDPR Compliance

Determining whether your website meets GDPR requirements requires a systematic review across all obligation areas. Here is a practical assessment approach.

Step 1: Data mapping

Identify every type of personal data your website collects, the source of collection, the lawful basis, the retention period, and all recipients. This forms your Article 30 record and the foundation for everything else.

Step 2: Privacy notice review

Compare your current privacy policy against the Article 13 checklist above. Every required element must be present and accurate. If your practices have changed since your policy was last updated, the policy is non-compliant.

Step 3: Consent audit

Review your cookie consent implementation. Are non-essential cookies actually blocked before consent? Can users reject cookies without penalty? Is consent recorded? Are consent choices respected on return visits? Tools like TermsBox scan your website to identify all cookies and trackers, making it straightforward to verify that your consent mechanism covers everything it should.

Step 4: Rights fulfillment testing

Submit test data subject requests through your own processes. Can you locate all personal data for a specific individual? Can you export it in a portable format? Can you delete it across all systems? Time the process and verify it can be completed within one month.

Step 5: Security baseline

Review your technical measures against Article 32's requirements. Verify HTTPS configuration, access controls, encryption practices, patching cadence, and backup procedures. Test your incident response plan with a tabletop exercise.

Step 6: Processor review

Ensure you have compliant data processing agreements with every third party that processes personal data on your behalf. Check that each agreement includes the mandatory provisions from Article 28(3).

Frequently Asked Questions

What are the main GDPR requirements for websites?

The GDPR requires websites to have a lawful basis for processing personal data (Article 6), provide transparent privacy notices (Articles 13 and 14), obtain valid consent for non-essential cookies and tracking (Article 7), honor data subject rights such as access and deletion (Articles 15 through 22), implement appropriate security measures (Article 32), and maintain records of processing activities (Article 30). Websites must also report data breaches to supervisory authorities within 72 hours.

Who does the GDPR apply to?

The GDPR applies to any organization that processes personal data of individuals located in the EU or EEA, regardless of where the organization itself is based. This means a website operated from the United States, Australia, or any other country must comply if it offers goods or services to EU residents or monitors their behavior. The regulation also applies to data processors acting on behalf of controllers.

What are the penalties for not meeting GDPR requirements?

The GDPR has a two-tier penalty structure. Less severe infringements carry fines of up to 10 million EUR or 2% of annual global turnover. More serious violations, such as failing to have a lawful basis for processing or violating data subject rights, carry fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Supervisory authorities can also issue warnings, reprimands, and orders to cease processing.

Do I need a Data Protection Officer to comply with the GDPR?

A Data Protection Officer is required under Article 37 if your organization is a public authority, if your core activities require regular and systematic monitoring of individuals on a large scale, or if you process special categories of data (such as health or biometric data) on a large scale. Most small and medium-sized websites do not meet these thresholds, but appointing a privacy lead is still considered best practice.

How do I know if my website meets GDPR requirements?

Start by auditing your website for all personal data collection points, including forms, cookies, analytics tools, and third-party scripts. Verify that you have a lawful basis for each processing activity, that your privacy policy accurately describes your practices, that cookie consent is properly implemented, and that you have processes for handling data subject requests. A compliance scanner can automate much of this assessment by detecting trackers and cookies you may not be aware of.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

GDPR

AWS and GDPR: Compliance, DPAs & Data Transfers (2026)

How AWS and GDPR fit together: the shared responsibility model, the AWS Data Processing Addendum, transfer rules, and the config steps to stay compliant.

April 4, 202612 min read
GDPR

Cookie Compliance: A Complete Guide for Website Owners

Learn what cookie compliance requires, which laws apply, and how to implement consent banners and cookie policies to keep your website legally compliant.

April 4, 202612 min read
GDPR

Data Protection Compliance: A Complete Guide for Businesses

Master data protection compliance with this practical guide covering GDPR, CCPA, key requirements, enforcement, and steps to build a compliance programme.

April 4, 202615 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What the General Data Protection Regulation GDPR Requirements Cover
  • Who Must Meet GDPR Requirements
  • Lawful Basis for Processing: The Foundation of GDPR Requirements
  • Consent (Article 6(1)(a))
  • Contract (Article 6(1)(b))
  • Legal obligation (Article 6(1)(c))
  • Vital interests (Article 6(1)(d))
  • Public interest (Article 6(1)(e))
  • Legitimate interests (Article 6(1)(f))
  • GDPR Requirements for Transparency and Privacy Notices
  • What your privacy policy must include
  • Cookie-specific transparency
  • GDPR Requirements for Consent Management
  • Cookie consent
  • Marketing consent
  • Data Subject Rights Under the GDPR
  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • GDPR Security Requirements
  • Breach Notification Requirements
  • Documentation and Accountability Requirements
  • Records of processing activities (Article 30)
  • Data Protection Impact Assessments (Article 35)
  • Data processing agreements (Article 28)
  • How to Assess Your GDPR Compliance
  • Step 1: Data mapping
  • Step 2: Privacy notice review
  • Step 3: Consent audit
  • Step 4: Rights fulfillment testing
  • Step 5: Security baseline
  • Step 6: Processor review
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.