The General Data Protection Regulation (Regulation 2016/679)

The General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679, is the European Union’s comprehensive framework for the protection of natural persons with regard to the processing of personal data. Adopted on 27 April 2016 and applicable from 25 May 2018, it replaced the 1995 Data Protection Directive (Directive 95/46/EC). The GDPR represents the most ambitious and influential data protection regime globally, establishing a harmonised legal framework across the EU while giving individuals greater control over their personal data. Its territorial reach, enforcement powers, and substantial fines have made it the benchmark for privacy regulation worldwide.

Territorial Scope

The GDPR’s territorial scope under Article 3 is exceptionally broad. Under Article 3(1) it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU. Crucially, Article 3(2) extends the Regulation to controllers and processors not established in the EU where the processing activities relate to: the offering of goods or services to data subjects who are in the EU, regardless of whether payment is required; or the monitoring of the behaviour of data subjects who are in the EU, insofar as their behaviour takes place within the EU. The test is the data subject’s location, not nationality or residence.

This extraterritorial effect captures the global operations of technology companies, social media platforms, and online services that target EU data subjects. The CJEU confirmed the broad interpretation of territorial scope in Google Spain (Case C-131/12), decided under the Directive, holding that the search engine’s processing of personal data was carried out in the context of the activities of its Spanish subsidiary, which sold advertising for the search service, and therefore fell within the territorial scope of EU data protection law even though the processing itself took place outside the EU. The GDPR codifies and extends this approach, capturing any entity that processes the personal data of individuals in the EU in connection with targeted activities. Mere accessibility of a website from the EU is not enough: Recital 23 looks for evidence of an intention to offer goods or services to EU data subjects, such as use of an EU language or currency or the possibility of ordering in that language.

Key Principles

Article 5 establishes the core principles governing the processing of personal data. Lawfulness, fairness, and transparency require that processing have a legal basis under Article 6 — consent, contract necessity, legal obligation, vital interests, public interest or official authority, or legitimate interests — and that data subjects be informed of the processing in a clear and accessible manner. Purpose limitation restricts processing to specified, explicit, and legitimate purposes, and prohibits further processing incompatible with those purposes. Data minimisation mandates that personal data be adequate, relevant, and limited to what is necessary for the purposes of processing. Accuracy requires that personal data be accurate and, where necessary, kept up to date. Storage limitation restricts retention in identifiable form to the period necessary for the purposes of processing. Integrity and confidentiality require appropriate security measures protecting against unauthorised or unlawful processing and against accidental loss, destruction, or damage. The accountability principle under Article 5(2) makes the controller responsible for, and requires it to be able to demonstrate, compliance with all of these principles.

Data Subject Rights

The GDPR significantly strengthens data subject rights. The right to information (Articles 13–14) requires controllers to provide detailed information about processing activities. The right of access (Article 15) enables data subjects to obtain confirmation of whether their data is being processed and access to that data. The right to rectification (Article 16) allows correction of inaccurate data. The right to erasure (Article 17), commonly known as the right to be forgotten, requires controllers to delete personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful, subject to limitations including freedom of expression and legal obligations.

The right to restriction of processing (Article 18) limits processing pending verification of accuracy or lawfulness. The right to data portability (Article 20) enables data subjects to receive the data they have provided, where processing is based on consent or contract and carried out by automated means, in a structured, commonly used, machine-readable format and to transmit it to another controller. The right to object (Article 21) allows data subjects to object to processing for direct marketing, which must then cease, or on grounds relating to their particular situation where processing rests on public interest or legitimate interests. Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects, subject to exceptions for contractual necessity, legal authorisation, or explicit consent; where an exception applies, the controller must still provide safeguards, including the right to obtain human intervention.

Controller and Processor Obligations

Controllers bear primary responsibility for compliance. They must implement appropriate technical and organisational measures to ensure and demonstrate compliance, including data protection by design and by default (Article 25) and security of processing (Article 32). Data protection impact assessments (Article 35) are required where processing is likely to result in a high risk to the rights and freedoms of natural persons. Controllers must notify personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals (Article 33); a late notification must be accompanied by reasons for the delay. They must also communicate the breach to affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms (Article 34).

Data protection officers (Articles 37–39) must be appointed by public authorities, by controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, and by controllers or processors whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Processors have direct statutory obligations under the GDPR, including security measures (Article 32), records of processing (Article 30), and notifying the controller of breaches without undue delay (Article 33(2)), whereas under the Directive their obligations arose only through contract; Article 28 additionally requires a written contract between controller and processor with prescribed terms. Codes of conduct (Article 40) and certification mechanisms (Article 42) are encouraged to facilitate compliance.

Enforcement and Fines

Enforcement is decentralised, with each Member State establishing one or more independent supervisory authorities (Article 51). The GDPR establishes a one-stop-shop mechanism (Article 56): for cross-border processing, the lead supervisory authority — in the Member State of the controller’s or processor’s main establishment — acts as the sole interlocutor for that organisation, cooperating with other concerned supervisory authorities through the cooperation procedure (Article 60) and the consistency mechanism (Article 63), with disputes resolved by the European Data Protection Board (Article 68).

Administrative fines under Article 83 are tiered, and in each tier the applicable ceiling is whichever of the two figures is higher. The lower tier, up to EUR 10 million or 2 per cent of total annual worldwide turnover, applies to infringements of obligations relating to children’s consent, data protection by design, records of processing, security measures, breach notification, and data protection officers. The upper tier, up to EUR 20 million or 4 per cent of total annual worldwide turnover, applies to infringements of the basic principles, data subject rights, international data transfers, and supervisory authority orders. The largest fines to date have reached hundreds of millions of euros, and in one case (Meta, 2023) exceeded one billion euros, with fines against Meta, Amazon, and Google reflecting the GDPR’s enforcement power.

International Transfers

Chapter V restricts transfers of personal data to third countries or international organisations. Transfers are permitted where the Commission has adopted an adequacy decision (Article 45) recognising that the third country ensures an adequate level of protection. In the absence of an adequacy decision, transfers require appropriate safeguards (Article 46), including standard contractual clauses, binding corporate rules, approved codes of conduct, or approved certification mechanisms. Transfers may also be based on derogations (Article 49) for specific situations such as explicit consent, contract necessity, or vital interests. The CJEU’s Schrems II judgment (Case C-311/18) invalidated the EU-US Privacy Shield framework and, while upholding standard contractual clauses, required data exporters to assess the law of the destination country and to supplement the clauses with additional measures where necessary to ensure an essentially equivalent level of protection. In July 2023 the Commission adopted a new adequacy decision for the United States under the EU-US Data Privacy Framework.

The GDPR’s Broader Impact

The GDPR has become the global reference point for data protection, influencing legislation in more than 100 countries and sub-national jurisdictions, including Brazil, Japan, South Korea, India, and several US states. Its principles-based approach, strong enforcement, and extraterritorial reach have reshaped the global data economy, compelling businesses worldwide to implement data protection compliance programmes and respect individual privacy rights.