GDPR – General Data Protection Regulation
The GDPR (EU 2016/679) is the world's most comprehensive data protection law, applicable since May 2018 to all organizations processing data of EU residents.
Summary
The General Data Protection Regulation (GDPR, Regulation EU 2016/679) is the central legal framework for data protection in the European Union. It applies directly in all EU member states and replaces the former Data Protection Directive 95/46/EC.
- Scope: All companies and authorities processing personal data of individuals in the EU – regardless of the processor's location
- Principles: Lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality
- Data subject rights: Access, rectification, erasure ('right to be forgotten'), restriction, data portability, objection
- Sanctions: Fines up to EUR 20 million or 4% of global annual turnover
History
European data protection law has its roots in the German Bundesdatenschutzgesetz of 1977. The EU Data Protection Directive 95/46/EC created a common framework in 1995, but left national differences and was considered outdated in the digital age.
In January 2012, the European Commission presented its GDPR draft. After four years of intensive negotiations – marked by over 4,000 amendments in the European Parliament – the GDPR was adopted on April 27, 2016 and entered into force on May 24, 2016. After a two-year transition period, it became fully applicable from May 25, 2018.
The GDPR is considered the global gold standard for data protection and has inspired copycat legislation worldwide (CCPA in California, LGPD in Brazil, PDPA in Thailand, and many more).
Scope
The GDPR applies to:
- All controllers and processors that process data of individuals residing in the EU (market place principle, Art. 3)
- Processing by establishments with a presence in the EU
- Processing by establishments without an EU presence if they offer goods/services to EU individuals or monitor their behavior
- Not: purely private or family data processing; law enforcement authorities (separate Directive 2016/680)
Key Requirements
- Legal basis (Art. 6): Consent, contract performance, legal obligation, vital interests, public task, or legitimate interests
- Data protection by design (Art. 25): Privacy by Design and Privacy by Default
- Records of processing activities (Art. 30): Documentation obligation for all processing activities
- Data protection impact assessment (Art. 35): DPIA required for high-risk processing
- Breach notification (Art. 33/34): 72-hour notification to supervisory authority; notification of affected individuals for high-risk breaches
- Data Protection Officer (Art. 37): Required for certain controllers (public bodies, large-scale sensitive data processing)
- Third-country transfers (Art. 44 ff.): Adequacy decision, standard contractual clauses, or binding corporate rules required
Related Frameworks
Corrections & Errata
1 update:
- GDPR key_dates: Digital Omnibus Package (Nov 2025) missing
The GDPR protects natural persons only (Art. 1(1) GDPR). The GDPR entry used imprecise 'persons' instead of 'natural persons' in DE texts. The FADP entry implied through 'Unlike the GDPR' that the GDPR also protects legal entities. Correctly: the old FADP (1992) uniquely protected legal entities as well; the nFADP (2023) removed this feature. Both entries have been corrected accordingly.
Full details on the errata page →