A rights-based framework that reshaped how every organisation collects, stores, shares, and explains the use of information about people, and a global benchmark imitated from Brasília to Tokyo.
Every other obligation in the GDPR descends from these principles. They are not aspirations. They are the standard a regulator applies when judging whether processing was, on balance, lawful.
Processing must rest on a lawful basis, be free of deception, and be visible to the people it concerns in clear, plain language.
Data is collected for a specified, explicit purpose stated up-front. Re-using it for an incompatible purpose later requires fresh justification.
Only what is genuinely necessary for the stated purpose. Useful, possible, and convenient are not the test. Necessary is.
Records must be kept current. Inaccurate data must be erased or rectified without delay, with reasonable steps taken to push corrections downstream.
Personal data is kept in identifiable form only as long as is necessary. After that, delete, anonymise, or justify retention against an explicit schedule.
Appropriate technical and organisational measures protect against unauthorised access, accidental loss, alteration, and destruction.
Processing personal data without one of these six bases is unlawful, full stop. There is no seventh option, no "we have a good reason" clause. Pick the right one before you start, and document why.
Processing data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health, sex life, or sexual orientation is prohibited unless one of ten narrow Article 9(2) gateways applies. Most commercial cases lean on explicit consent, employment law, or public-interest health.
The scope is wider than most teams assume. Anything that lets you single out, identify, or distinguish a living person, alone or in combination with other information, is personal data. Three categories carry escalating obligations.
Any information relating to an identified or identifiable natural person, directly or indirectly, by any reasonable means.
A higher-protection tier, banned by default. One of ten narrow gateways must apply before processing is allowed.
A separate, even narrower track. Processing is allowed only under official-authority control or specific Member State law with safeguards.
The Regulation reaches further than the Union's borders. If any of three triggers fire, you are inside its scope, and being headquartered in California, Singapore, or São Paulo does not change the answer.
Processing in the context of an EU establishment's activities, regardless of where the processing physically happens. Stable arrangements count; branch or subsidiary form does not.
Offering goods or services to people in the Union, payment or not. Local language, local currency, local marketing, EU-domain delivery: any signal that the offering envisages EU customers.
Tracking, profiling, or analysing the conduct of people while they are in the Union. Web analytics, ad-tech, app telemetry, location pixels, anything that follows them across the internet.
Each right is a concrete, time-bound obligation on the controller, with a defined trigger, a response window, stated limits, and an article that anchors it.
Roles are not job titles; they are legal positions. Misclassifying yourself as a processor when you decide the purposes and means is one of the most expensive mistakes in GDPR practice.
Determines the purposes and the means of processing. The decision-maker. Bears primary accountability whether or not it does the work itself.
Processes on behalf of the controller, on documented instructions. Cloud hosts, payroll vendors, mailing-list platforms, support tools.
Two or more parties who jointly decide the purposes and means. A transparent, public-facing arrangement allocates responsibilities, but data subjects can enforce against any of them.
Mandatory for public bodies, large-scale systematic monitoring, and large-scale special-category processing. Independent, expert, reports to the highest level.
A designated establishment inside the Union for non-EU controllers and processors caught by Article 3(2). The local point of contact for regulators and data subjects.
An independent national regulator in each Member State. Investigates, audits, fines, orders, and bans. The lead authority handles cross-border cases under the one-stop-shop.
Personal data does not lose its protection at the border. Article 44 sets a hierarchy of mechanisms; each tier requires the previous one to be unavailable or insufficient before you drop down.
The Commission has formally declared the destination country, sector, or organisation adequate. Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, and the EU-US Data Privacy Framework. Transfer freely, no extra paperwork.
No adequacy, but you make up the gap with a legal instrument that travels with the data. Standard Contractual Clauses adopted by the Commission are the workhorse. Approved codes of conduct and certifications are emerging alternatives.
For multinational groups moving data internally. Approved by the lead supervisory authority via the consistency mechanism, BCRs bind every group entity, confer enforceable rights on data subjects, and embed all GDPR principles. Heavy lift, durable result.
Last resort, narrow, and not for routine flows. Explicit informed consent, contract necessity, important public interest, legal claims, vital interests, or transfers from a public register. The compelling-legitimate-interest derogation is the narrowest of all.
Even when an Article 46 mechanism is in place, the controller must assess whether the destination country's surveillance laws and remedies render the safeguards effective in practice. Where they do not, supplementary measures (encryption with EU-held keys, pseudonymisation, contractual challenges to access requests) must be added or the transfer suspended. Document the assessment in the Article 30 records.
A personal data breach is not just a hack. It is any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The clock starts when the controller becomes aware.
Article 33(1) requires notification to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware. Late notifications must be accompanied by reasons for the delay.
The only carve-out: where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The default is to notify; the burden of proof is on the controller.
Internal detection, processor notification (without undue delay), or third-party report. Document the moment of awareness.
To the lead supervisory authority. Describe nature, categories and approximate numbers, likely consequences, and mitigating measures. Provide in phases if needed.
Article 34: communicate to affected individuals in clear, plain language. Skipped only if the data were rendered unintelligible (e.g. strong encryption) or a public communication is more effective.
Whether you notify or not, every breach must be documented. Facts, effects, remedial action. The register is one of the first things a regulator asks for during an investigation, and "we did not have one" is a finding in itself.
A Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to rights and freedoms. Three categories are mandatory by the text of the Regulation; supervisory authorities publish lists of further mandatory cases.
If the DPIA shows residual high risk that the controller cannot mitigate by reasonable means, the supervisory authority must be consulted before the processing begins. The authority responds within eight weeks (extendable by six). Skipping this step exposes the controller to the higher fine tier and to a ban on the processing activity.
Effective, proportionate, and dissuasive. Whichever is higher between a euro cap and a percentage of worldwide turnover. The percentage is what makes the GDPR bite at scale.
Eleven factors. Nature, gravity, and duration of the infringement. Number of data subjects affected. Damage suffered. Intentional or negligent character. Mitigating action taken. Degree of cooperation. Categories of data involved. How the breach came to light. Previous infringements. Adherence to codes of conduct and certifications. Any other aggravating or mitigating factor. The fine is built, not picked off a shelf.
A short walk through the same questions a Data Protection Officer would ask on day one. Not legal advice, but the right shape of inquiry.