top of page

EU GDPR

The General Data Protection Regulation (GDPR) is the primary data-protection law governing how personal data is collected, used, stored, and shared. It applies across the European Union and affects organizations worldwide that handle EU residents’ data.

1️⃣ Who the GDPR Applies To

GDPR applies to:

  • Organizations established in the EU

  • Organizations outside the EU that:

    • Offer goods or services to people in the EU

    • Monitor behavior of individuals in the EU (e.g., tracking, analytics, profiling)

Key roles

  • Controller – decides why/how personal data is processed

  • Processor – processes data on behalf of a controller

2️⃣ What Data Is Protected

GDPR protects personal data, including:

  • Names, emails, IDs

  • IP addresses, location data

  • Online identifiers and cookies

  • Employee and customer records

Special category data (extra protection):

  • Health data

  • Biometric and genetic data

  • Racial or ethnic origin

  • Political opinions, religion

  • Sexual orientation

3️⃣ Core GDPR Principles

All processing must follow these principles:

  1. Lawfulness, fairness & transparency

  2. Purpose limitation

  3. Data minimization

  4. Accuracy

  5. Storage limitation

  6. Integrity & confidentiality (security)

  7. Accountability (you must prove compliance)

4️⃣ Lawful Bases for Processing

Organizations must document at least one lawful basis:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

5️⃣ Rights of Individuals (Data Subjects)

People have enforceable rights, including:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure (“right to be forgotten”)

  • Right to restrict processing

  • Right to data portability

  • Right to object

  • Rights related to automated decision-making & profiling

Deadlines: Most requests must be handled within 30 days.

6️⃣ Key Organizational Obligations

Organizations must:

  • Maintain Records of Processing Activities (RoPA)

  • Implement privacy by design & by default

  • Apply appropriate technical and organizational security measures

  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing

  • Appoint a Data Protection Officer (DPO) when required

  • Use GDPR-compliant contracts with processors

7️⃣ Data Breaches

  • Must be reported to the regulator within 72 hours if there is risk to individuals

  • Affected individuals must be notified if risk is high

  • Breaches must be documented, even if not reported

8️⃣ International Data Transfers

Transfers outside the EU require safeguards such as:

  • Adequacy decisions

  • Standard Contractual Clauses (SCCs)

  • Transfer Risk Assessments (post-Schrems II)

9️⃣ Penalties for Non-Compliance

GDPR fines can reach:

  • €10 million or 2% of global annual turnover (lower tier)

  • €20 million or 4% of global annual turnover (higher tier)

Regulators can also:

  • Order processing to stop

  • Require remediation

  • Publicly reprimand organizations

🔟 Why GDPR Matters

GDPR:

  • Sets the global benchmark for privacy laws

  • Forces organizations to treat data protection as a governance issue

  • Impacts product design, security, contracts, and operations

  • Is often required by customers, regulators, and investors

bottom of page