GDPR (General Data Protection Regulation)

The GDPR, effective since May 25, 2018, is the world's most influential data protection regulation. It applies to any organization that processes personal data of individuals in the European Economic Area (EEA) — regardless of where the organization is headquartered. A company in New York serving European customers must comply just as a company in Berlin does.

GDPR has set the global standard for privacy regulation. Laws like Brazil's LGPD, California's CPRA, and Saudi Arabia's PDPL were modeled on its framework.

Every data processing activity must comply with these principles (Article 5):

1. Lawfulness, fairness, and transparency — Process data legally and tell people what you're doing with their data.
2. Purpose limitation — Collect data for specified, explicit purposes only.
3. Data minimization — Only collect what you actually need.
4. Accuracy — Keep personal data accurate and up to date.
5. Storage limitation — Don't keep data longer than necessary.
6. Integrity and confidentiality — Protect data with appropriate security measures.
7. Accountability — Demonstrate compliance through documentation and processes.

GDPR applies to organizations that:

• Are established in the EU/EEA, regardless of where processing takes place
• Offer goods or services to individuals in the EU/EEA
• Monitor the behavior of individuals in the EU/EEA (e.g., tracking, profiling)

This includes businesses of all sizes — from solo freelancers to multinational corporations.

GDPR grants data subjects (individuals) specific rights:

• Right of access — Know what data is held about them
• Right to rectification — Correct inaccurate data
• Right to erasure — Request deletion of their data
• Right to data portability — Receive their data in a usable format
• Right to object — Object to processing based on legitimate interest
• Right to restrict processing — Limit how data is used

GDPR penalties are among the strictest in the world:

• Up to €20 million or 4% of global annual turnover for the most serious violations (whichever is higher)
• Up to €10 million or 2% of turnover for less severe infringements
• Supervisory authorities across the EU have issued over €4 billion in fines since 2018

Major fines have been issued to companies like Meta (€1.2B), Amazon (€746M), and WhatsApp (€225M).

• Full name: Regulation (EU) 2016/679
• Effective: May 25, 2018
• Enforced by: National Data Protection Authorities (e.g., AZOP in Croatia, CNIL in France, ICO in the UK)
• Scope: All EU/EEA member states, plus organizations worldwide that process EU data