GDPR Explained: A Comprehensive Guide to the EU's Data Protection Regulation

Flowsery Team
1 min read

TL;DR — Quick Answer

The GDPR applies to any organization processing EU residents' personal data. It is built on seven core principles, and violations can be fined up to EUR 20 million or 4% of global annual turnover, whichever is greater.

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection framework, in force since May 2018. It applies to any organization processing personal data of EU/EEA residents, regardless of where the organization is based.

Core Principles

The GDPR is built on seven key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles form the foundation for all data processing obligations under the regulation.

What Counts as Personal Data

Personal data is any information that can directly or indirectly identify an individual. This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, device fingerprints, and location data. The definition is deliberately broad.

Organizations must have a valid legal basis before processing personal data. The GDPR provides six options: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interest. Each basis comes with specific requirements and limitations.

Individual Rights

Data subjects have extensive rights including the right to access their data, request correction or deletion, restrict processing, object to processing, and receive their data in a portable format. Organizations must respond to these requests within one month.

Enforcement and Penalties

National data protection authorities enforce the GDPR within their jurisdictions, coordinated by the European Data Protection Board. Maximum fines reach EUR 20 million or 4% of global annual turnover, whichever is greater. Enforcement has intensified significantly since the regulation took effect.

International Data Transfers

Transferring personal data outside the EU/EEA requires specific safeguards, such as adequacy decisions, standard contractual clauses, or binding corporate rules. This area has been one of the most actively enforced aspects of the GDPR.
