Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 EU/EEA Data Protection

GDPR – General Data Protection Regulation

The GDPR (EU 2016/679) is the world's most comprehensive data protection law, applicable since May 2018 to all organizations processing data of EU residents.

LinkedIn X WhatsApp

Summary

The General Data Protection Regulation (GDPR, Regulation EU 2016/679) is the central legal framework for data protection in the European Union. It applies directly in all EU member states and replaces the former Data Protection Directive 95/46/EC.

  • Scope: All companies and authorities processing personal data of individuals in the EU – regardless of the processor's location
  • Principles: Lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality
  • Data subject rights: Access, rectification, erasure ('right to be forgotten'), restriction, data portability, objection
  • Sanctions: Fines up to EUR 20 million or 4% of global annual turnover

History

European data protection law has its roots in the German Bundesdatenschutzgesetz of 1977. The EU Data Protection Directive 95/46/EC created a common framework in 1995, but left national differences and was considered outdated in the digital age.

In January 2012, the European Commission presented its GDPR draft. After four years of intensive negotiations – marked by over 4,000 amendments in the European Parliament – the GDPR was adopted on April 27, 2016 and entered into force on May 24, 2016. After a two-year transition period, it became fully applicable from May 25, 2018.

The GDPR is considered the global gold standard for data protection and has inspired copycat legislation worldwide (CCPA in California, LGPD in Brazil, PDPA in Thailand, and many more).

Scope

The GDPR applies to:

  • All controllers and processors that process data of individuals residing in the EU (market place principle, Art. 3)
  • Processing by establishments with a presence in the EU
  • Processing by establishments without an EU presence if they offer goods/services to EU individuals or monitor their behavior
  • Not: purely private or family data processing; law enforcement authorities (separate Directive 2016/680)

Key Requirements

  • Legal basis (Art. 6): Consent, contract performance, legal obligation, vital interests, public task, or legitimate interests
  • Data protection by design (Art. 25): Privacy by Design and Privacy by Default
  • Records of processing activities (Art. 30): Documentation obligation for all processing activities
  • Data protection impact assessment (Art. 35): DPIA required for high-risk processing
  • Breach notification (Art. 33/34): 72-hour notification to supervisory authority; notification of affected individuals for high-risk breaches
  • Data Protection Officer (Art. 37): Required for certain controllers (public bodies, large-scale sensitive data processing)
  • Third-country transfers (Art. 44 ff.): Adequacy decision, standard contractual clauses, or binding corporate rules required

Corrections & Errata

2026-QA-081 Update 28 February 2026
Quality Audit: GDPR – General Data Protection Regulation

1 update:
- GDPR key_dates: Digital Omnibus Package (Nov 2025) missing

Full details on the errata page →
2026-001 Correction 21 February 2026
GDPR/FADP: Scope applies to natural persons only

The GDPR protects natural persons only (Art. 1(1) GDPR). The GDPR entry used imprecise 'persons' instead of 'natural persons' in DE texts. The FADP entry implied through 'Unlike the GDPR' that the GDPR also protects legal entities. Correctly: the old FADP (1992) uniquely protected legal entities as well; the nFADP (2023) removed this feature. Both entries have been corrected accordingly.

Full details on the errata page →

Content last reviewed: 22 February 2026. Found an error or need an update? [email protected]