
AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

🔒Data protection & privacy

Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)

Analysis from 15 April 2026 · 3 sources · Original version as published in OJ L 119, 4.5.2016. No consolidated version with substantive amendments exists. · EUR-Lex Original

Can we defend our current data processing if a supervisory authority knocks tomorrow — and what does the next breach actually cost?

Every organisation processing EU personal data faces a permanently enforceable 72-hour breach-notification duty, and a single violation of core principles can trigger fines up to EUR 20 million or 4 % of global annual turnover — your DPO or legal counsel must act first.

Short Answer

The GDPR applies to any controller or processor handling personal data of individuals in the EU, regardless of where the organisation is established [Art. 3]. Six binding principles — including lawfulness, purpose limitation, and data minimisation — must be met and demonstrably documented at all times [Art. 5]. The controller bears the burden of proving compliance ('accountability'), not merely achieving it [Art. 5(2), Art. 24]. Violations of these core principles, of data-subject rights, or of international-transfer rules expose the organisation to the highest fine tier [Art. 83(5)].

Who is affected

The Regulation captures controllers and processors established in the Union, irrespective of whether processing takes place inside or outside the EU [Art. 3(1)]. Organisations outside the EU fall within scope if they offer goods or services to data subjects in the Union, or monitor their behaviour within the Union [Art. 3(2)]. A limited record-keeping exemption exists for organisations with fewer than 250 employees, but it does not apply where processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data or criminal-conviction data [Art. 30(5)].

Deadline

The GDPR has been directly applicable since 25 May 2018 [Art. 99(2)]. The most critical ongoing deadline is the 72-hour breach notification to the supervisory authority [Art. 33(1)]. Data-subject access and other rights requests must be answered without undue delay and at the latest within one month, extendable by two further months for complex requests [Art. 12(3)]. Data Protection Impact Assessments must be completed prior to any high-risk processing [Art. 35(1)].

Risk

Ceiling: EUR 20,000,000 or 4 % of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of basic principles, data-subject rights, or international transfer rules [Art. 83(5)]. Lesser infringements — such as failures in record-keeping, breach notification, or DPO designation — are subject to fines up to EUR 10,000,000 or 2 % of turnover [Art. 83(4)]. In addition, any natural or legal person who has suffered material or non-material damage has the right to compensation from the controller or processor [Art. 82(1)].

Proof

Legal status

  • In force as of 15.04.2026
  • Original version as published in OJ L 119, 4.5.2016. No consolidated version with substantive amendments exists.

Primary sources

What to do now

Legal / DPO

  • Maintain a complete Record of Processing Activities (ROPA) covering all mandatory fields — purposes, data categories, recipients, retention periods, transfers to third countries, and a general description of security measures [Art. 30].
  • Ensure every processor relationship is governed by a written contract specifying subject-matter, duration, nature and purpose of processing, data categories, and obligations including audit rights [Art. 28(3)].
  • Determine whether your organisation must designate a Data Protection Officer — mandatory for public authorities, for core activities involving large-scale regular and systematic monitoring, or for large-scale processing of special-category data [Art. 37(1)].

Compliance

  • Implement an auditable workflow for receiving and responding to data-subject rights requests (access, rectification, erasure, portability, objection) within the one-month statutory deadline [Art. 12(3), Art. 15–22].
  • Conduct Data Protection Impact Assessments before launching any processing that is likely to result in a high risk to individuals, especially automated profiling with legal effects, large-scale special-category processing, or systematic public-area monitoring [Art. 35(1), Art. 35(3)].
  • Establish a documented personal-data breach register and ensure the notification chain — from processor to controller to supervisory authority — can be completed within 72 hours [Art. 33(1), Art. 33(5)].

IT / Security

  • Implement and regularly test technical and organisational measures appropriate to the risk, including pseudonymisation, encryption, and the ability to restore availability and access in a timely manner after an incident [Art. 32(1)].
  • Build detection capabilities so that personal data breaches are identified and escalated fast enough to meet the 72-hour notification window to the supervisory authority [Art. 33(1)].
  • Apply data protection by design at architecture level — default settings must limit processing to what is necessary for each specific purpose, covering data volume, processing extent, storage period, and accessibility [Art. 25(2)].
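As an added illustration of two of the measures named in the IT / Security items above (this is example code written for this page, not Conformi's material and not text of the Regulation), the following Python shows a purpose-specific allow-list so that a record is processed by default only with the fields necessary for the named purpose [Art. 25(2)], and pseudonymisation of the direct identifier with a keyed HMAC, so that the pseudonym cannot be attributed to the data subject without the key, which is the "additional information" that must be kept separately [Art. 4(5)]. The record, the purpose registry and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not real data, not a real key). A production key
# belongs in a KMS/HSM and is stored separately from the pseudonymised data.
KEY = b"constructed-demo-key-replace-with-kms-managed-secret"
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "name": "Anna Example",
    "email": "anna@example.org",
    "postcode": "10115",
    "purchases": [{"sku": "A1", "amount": 19.90}],
    "health_note": "allergic to penicillin",  # special-category data, Art. 9
}

# Purpose-specific allow-lists (constructed): by default only the fields
# necessary for the named purpose are processed (Art. 25(2)).
PURPOSE_FIELDS = {
    "analytics": {"postcode", "purchases"},
    "order_fulfilment": {"name", "email", "postcode", "purchases"},
}


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the direct identifier.

    A plain unkeyed hash is not enough for low-entropy identifiers such as
    customer numbers, because the whole identifier space can be hashed and
    matched. With a secret key the pseudonym stays stable (datasets can still
    be joined) but cannot be attributed to a person without the key.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Copy of the record limited to the purpose's fields, with the direct
    identifier replaced by its pseudonym. An unregistered purpose is refused
    rather than falling back to 'all fields' (purpose limitation, Art. 5(1)(b))."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no registered processing purpose: {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {field: value for field, value in record.items() if field in allowed}
    out["subject_pseudonym"] = pseudonymise_id(record["customer_id"], key)
    return out


def relink(pseudonym: str, candidate_ids, key: bytes):
    """Re-identification is possible only for the key holder: recompute the
    pseudonym for each known identifier and compare in constant time."""
    for cid in candidate_ids:
        if hmac.compare_digest(pseudonymise_id(cid, key), pseudonym):
            return cid
    return None


if __name__ == "__main__":
    view = minimise(SAMPLE_RECORD, "analytics", KEY)
    print(view)  # no name, e-mail or health note; identifier is a pseudonym
    print(relink(view["subject_pseudonym"], ["C-10041", "C-10042"], KEY))
```

The design point is the separation: the analytics dataset produced by `minimise` can be shared with a team that never holds `KEY`, while re-identification via `relink` stays with whoever administers the key, which is the control a supervisory authority will look for when an organisation claims data is pseudonymised rather than anonymised.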

Product / Engineering

  • Integrate data protection by design and by default into the product development lifecycle, ensuring data minimisation, purpose limitation, and pseudonymisation are built in from the earliest design stage [Art. 25(1)].
  • Design consent flows that are granular, freely given, and make withdrawing consent as easy as giving it — pre-ticked boxes and bundled consent do not meet the standard [Art. 7, Recital 32].
  • Provide machine-readable data export functionality so that data portability requests can be fulfilled in a structured, commonly used format when processing is based on consent or contract and carried out by automated means [Art. 20].

Key Terms

personal data
Any information relating to an identified or identifiable natural person ('data subject'), including identifiers such as a name, identification number, location data, online identifier, or factors specific to the physical, genetic, or social identity of that person [Art. 4(1)].
processing
Any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction [Art. 4(2)].
controller
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [Art. 4(7)].
processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, bound by documented instructions [Art. 4(8)].
personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed [Art. 4(12)].
pseudonymisation
Processing of personal data so that it can no longer be attributed to a specific data subject without using additional information, which must be kept separately under technical and organisational measures [Art. 4(5)].
supervisory authority
An independent public authority established by a Member State to monitor the application of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing [Art. 4(21), Art. 51].

Frequently Asked Questions

What is the difference between a controller and a processor?
A controller determines the purposes and means of processing personal data, alone or jointly with others [Art. 4(7)]. A processor processes personal data on behalf of the controller [Art. 4(8)]. The controller bears primary accountability for compliance; the processor must act only on documented instructions from the controller [Art. 28(3)(a)].
When must a Data Protection Officer be appointed?
A DPO is mandatory for public authorities (except courts acting in their judicial capacity), for organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, and for organisations that process special categories of data or criminal-conviction data on a large scale [Art. 37(1)]. A group of undertakings may appoint a single DPO if that person is easily accessible from each establishment [Art. 37(2)].
What qualifies as a personal data breach?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed [Art. 4(12)]. Not every security incident is a personal data breach — it must involve personal data specifically.
Does the GDPR apply to companies outside the EU?
Yes. The GDPR applies to controllers or processors not established in the Union if they offer goods or services to data subjects in the EU (whether or not payment is required), or if they monitor behaviour that takes place within the Union [Art. 3(2)]. Such organisations must also designate an EU representative in writing [Art. 27(1)].
What are the requirements for valid consent under the GDPR?
Consent must be freely given, specific, informed, and unambiguous, demonstrated by a clear affirmative action [Art. 4(11)]. The controller must be able to demonstrate that consent was obtained [Art. 7(1)]. Consent must be as easy to withdraw as to give [Art. 7(3)]. For children below 16 years (or a lower age set by Member States, but not below 13), parental consent is required for information society services [Art. 8(1)].
What are special categories of personal data?
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, data concerning health, or data concerning sex life or sexual orientation [Art. 9(1)]. Processing is generally prohibited unless one of the specific exceptions in Art. 9(2) applies.
When is a Data Protection Impact Assessment required?
A DPIA is required before any type of processing that is likely to result in a high risk to the rights and freedoms of natural persons [Art. 35(1)]. It is specifically required for systematic and extensive automated evaluation including profiling with legal effects, large-scale processing of special-category data, and systematic monitoring of a publicly accessible area on a large scale [Art. 35(3)].