What is GDPR? The General Data Protection Regulation
Legislative Background
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation (GDPR), is the cornerstone of EU data protection law. The Commission proposed it in January 2012; after four years of negotiation the Council adopted its position on 8 April 2016 and the European Parliament approved the final text on 14 April 2016. The Regulation was signed on 27 April 2016, published in the Official Journal on 4 May 2016, and became directly applicable across all EU member states on 25 May 2018, after a two-year transitional period.
The GDPR replaced Directive 95/46/EC (the Data Protection Directive), which had served as the EU's primary data protection instrument since 1995. Unlike its predecessor, which was a directive requiring national transposition and resulting in 28 divergent implementations, the GDPR is a regulation — directly applicable in all member states without the need for transposition into national law. This was a deliberate legislative choice to eliminate the regulatory fragmentation that had undermined the effectiveness of the 1995 Directive.
The GDPR has become the world's most influential data protection law. Its extraterritorial reach, robust enforcement mechanisms, and comprehensive rights framework have inspired data protection legislation globally — from Brazil's LGPD to California's CCPA/CPRA, Japan's APPI amendments, and South Korea's PIPA revisions. As of 2026, over 160 jurisdictions worldwide have enacted data protection laws influenced by the GDPR model.
The Regulation comprises 99 articles organized into 11 chapters, supplemented by 173 recitals that provide interpretive guidance. It is further developed through delegated acts, implementing acts, guidelines from the European Data Protection Board (EDPB), and national supplementary legislation permitted under its opening clauses.
Entry into Force and Application
The GDPR entered into force on 24 May 2016 and became applicable from 25 May 2018.
Repeal of Directive 95/46/EC
Directive 95/46/EC was repealed with effect from 25 May 2018. References to the repealed Directive are construed as references to the GDPR.
Scope and Territorial Reach
The GDPR's material scope, defined in Article 2, covers the processing of personal data wholly or partly by automated means, and the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The Regulation does not apply to processing in the course of an activity outside the scope of Union law (which is where national security sits), processing by natural persons in the course of purely personal or household activities, or processing by competent authorities for law enforcement purposes (covered separately by Directive (EU) 2016/680, the Law Enforcement Directive). Processing by EU institutions and bodies is governed by a parallel instrument, Regulation (EU) 2018/1725 (Article 2(3)).
Article 3 establishes the GDPR's territorial scope through three alternative grounds that collectively give it extraterritorial reach unparalleled in data protection law. First, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union (Article 3(1)). The CJEU's broad reading of 'establishment' in Weltimmo (C-230/14), which requires only a stable arrangement through which real and effective activity is exercised, not necessarily a subsidiary or branch, means that even a single employee or representative in the EU can trigger applicability.
Second, the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing relates to the offering of goods or services (irrespective of whether payment is required) to such data subjects, or the monitoring of their behaviour as far as their behaviour takes place within the Union (Article 3(2)). This provision captures non-EU tech companies, e-commerce platforms, app developers, and any organisation that deliberately targets individuals in the Union. Two points are easy to get wrong: the test is physical presence in the Union, not residence or nationality (Recital 14), and the mere accessibility of a website from the EU does not by itself show an intention to offer goods or services there (Recital 23); factors such as an EU language or currency, or delivery to member states, do.
Third, the GDPR applies to the processing by a controller not established in the Union but in a place where member state law applies by virtue of public international law, such as EU member state embassies or consulates (Article 3(3)). These three grounds make the GDPR effectively global in its practical application.
Material Scope
Defines the GDPR's material scope: processing of personal data wholly or partly by automated means, or non-automated processing forming part of a filing system.
Territorial Scope
Establishes three grounds for territorial applicability: EU establishment, offering goods/services to EU data subjects, and monitoring behaviour of EU data subjects.
Key Definitions
Article 4 of the GDPR provides 26 definitions that underpin the entire regulatory framework. Precise understanding of these terms is essential for correct application of the Regulation.
'Personal data' (Article 4(1)) means any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This definition is deliberately broad — it encompasses IP addresses, cookie identifiers, device fingerprints, employee IDs, pseudonymised data (which remains personal data), and any combination of data points that could lead to identification.
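The point that pseudonymised data remains personal data is easiest to see in code. The following is an added example, not part of the original article: it pseudonymises a constructed set of records with a keyed HMAC, keeps the re-identification table separately (the "additional information" the controller still holds), and contrasts that with an unkeyed hash of an e-mail address, which anyone can reverse by enumerating candidates. The sample records, the key, and the table layout are assumptions made for the illustration.

```python
"""Keyed pseudonymisation vs. unkeyed hashing of identifiers.

Added example, not code from the original article. The records below are
constructed, fictional data; the key and lookup-table layout are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional data).
RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7"},
    {"email": "bob@example.net", "ip": "198.51.100.23"},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic, keyed pseudonym: HMAC-SHA256 over the identifier.

    Whoever holds `key` can recompute the pseudonym for any identifier and so
    link records back to a person; that is why the output is still personal
    data in the controller's hands. Without the key the mapping is not
    computable.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the e-mail field with a pseudonym.

    Returns (pseudonymised records, lookup table). The lookup table is the
    'additional information' that must be kept separately under technical and
    organisational measures; holding it is what makes re-identification possible.
    """
    lookup = {}
    out = []
    for r in records:
        p_email = pseudonymise(r["email"], key)
        lookup[p_email] = r["email"]
        out.append({"email_pseudo": p_email, "ip": r["ip"]})
    return out, lookup


def reidentify(pseudonym: str, lookup: dict):
    """Controller-side re-identification: only works with the separate table."""
    return lookup.get(pseudonym)


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of an identifier: a common but weak substitute."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates):
    """Reverse an unkeyed hash by enumerating plausible inputs.

    Identifiers such as e-mail addresses or IPv4 addresses have little
    entropy, so an attacker without any secret can rebuild the mapping.
    Against a keyed pseudonym the same enumeration yields nothing.
    """
    for c in candidates:
        if unkeyed_hash(c) == target:
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-purpose key, stored apart from the data
    recs, table = pseudonymise_records(RECORDS, key)
    print(recs[0])                                   # no e-mail in the record
    print(reidentify(recs[0]["email_pseudo"], table))  # key holder: alice@example.com
    guesses = ["carol@example.org", "alice@example.com", "bob@example.net"]
    print(dictionary_attack(unkeyed_hash("alice@example.com"), guesses))  # recovered
    print(dictionary_attack(recs[0]["email_pseudo"], guesses))            # None
```

The design choice worth noting is the separation: the pseudonymised dataset can be shared more widely, but as long as the controller retains the key or the lookup table, the dataset is pseudonymised rather than anonymised and every GDPR obligation continues to apply to it. Using a different key per purpose also prevents pseudonyms from being linked across datasets.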
'Processing' (Article 4(2)) means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. The list is illustrative, not exhaustive: virtually anything done with personal data, including merely storing it or looking at it, constitutes processing.
'Controller' (Article 4(7)) means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. 'Processor' (Article 4(8)) means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. The controller-processor distinction is fundamental because it determines the allocation of obligations, liabilities, and responsibilities under the GDPR.
'Consent' (Article 4(11)) means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 'Personal data breach' (Article 4(12)) means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. 'Supervisory authority' (Article 4(21)) means an independent public authority established by a member state pursuant to Article 51.
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on personal data, whether automated or manual.
Controller
The entity that determines the purposes and means of processing personal data.
Processor
The entity that processes personal data on behalf of the controller.
Consent
Freely given, specific, informed, and unambiguous indication of the data subject's wishes.
Personal Data Breach
A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data.
Controllers and Processors
The GDPR imposes distinct but overlapping obligations on data controllers and data processors. This dual-obligation model was a significant departure from Directive 95/46/EC, which placed obligations almost exclusively on controllers. Under the GDPR, processors have direct statutory obligations including maintaining records of processing activities (Article 30(2)), implementing appropriate security measures (Article 32), appointing a DPO where required (Article 37), and notifying the controller without undue delay after becoming aware of a personal data breach (Article 33(2)).
The controller determines the purposes and means of processing — in other words, the 'why' and the 'how'. This determination may be established by EU or member state law (Article 4(7)). The controller bears primary responsibility for compliance with the GDPR's principles (Article 5), must implement appropriate technical and organisational measures to ensure processing is performed in accordance with the Regulation (Article 24), and must be able to demonstrate compliance (the accountability principle).
The processor acts only on the controller's documented instructions (Article 28(3)(a)). Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers under Article 26. Joint controllers must determine their respective responsibilities by means of a transparent arrangement, the essence of which must be made available to data subjects. Regardless of the arrangement, data subjects may exercise their rights against each joint controller.
Article 28 mandates a written contract between controller and processor, setting out the subject-matter and duration of processing, the nature and purpose, the type of personal data and categories of data subjects, and the controller's obligations and rights. The contract must include specific mandatory clauses: processing only on documented instructions, confidentiality obligations, security measures, sub-processor controls, assistance with data subject rights, deletion or return of data at end of service, audit rights, and cooperation with supervisory authorities.
Responsibility of the Controller
The controller must implement appropriate technical and organisational measures to ensure and demonstrate GDPR compliance.
Processor
Processing by a processor must be governed by a contract setting out mandatory terms including instructions, security, sub-processors, and audit rights.
Joint Controllers
Joint controllers must determine their respective responsibilities by transparent arrangement; data subjects may exercise rights against each controller.
GDPR controller/processor obligations parallel NIS2's essential/important entity classification — both impose direct cybersecurity and governance obligations on different categories of regulated entities.
Enforcement and Penalties
The GDPR introduced a two-tier administrative fine regime that gave data protection enforcement genuine deterrent power for the first time. Article 83 establishes the framework: supervisory authorities must ensure that fines are effective, proportionate, and dissuasive in each individual case.
The lower tier (Article 83(4)) provides for fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. This tier applies to infringements of obligations relating to controllers and processors (Articles 8, 11, 25-39, 42, 43), certification bodies (Articles 42-43), and monitoring bodies (Article 41). In practice, this covers failures in data protection by design and default, processor contract requirements, records of processing, security of processing, breach notification, DPIAs, and DPO obligations.
The upper tier (Article 83(5)) provides for fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher. This tier applies to infringements of the basic principles for processing (Article 5), conditions for consent (Article 7), lawful bases for processing (Article 6), conditions for processing special categories of data (Article 9), data subject rights (Articles 12-22), international transfer provisions (Articles 44-49), member state law provisions, and non-compliance with supervisory authority orders.
National data protection authorities (DPAs) serve as the primary enforcement mechanism, with the EDPB providing coordination through the consistency mechanism (Articles 63-67) and the one-stop-shop principle (Article 56) for cross-border processing. Since the GDPR's application in May 2018, cumulative fines have exceeded EUR 4.3 billion. Notable enforcement actions include Meta Platforms Ireland (EUR 1.2 billion for EU-US transfers that continued after Schrems II, 2023), Amazon Europe (EUR 746 million for targeted advertising practices, 2021), TikTok (multiple fines across jurisdictions for children's data processing), and Google (EUR 150 million by the CNIL for cookie consent practices, 2022). The CNIL decision is a useful reminder of the limits of the one-stop-shop: it was taken under the French law transposing the ePrivacy Directive rather than under the GDPR, which is why a national authority could act directly against a company whose EU main establishment is in Ireland.
Beyond administrative fines, Article 84 requires member states to lay down rules on other penalties, in particular for infringements not subject to administrative fines, and these may include criminal sanctions. Several member states have introduced criminal liability for certain GDPR violations. (Article 83(6), by contrast, is the provision that applies the 20 million / 4% ceiling to non-compliance with a supervisory authority order under Article 58(2).) Data subjects also have the right to an effective judicial remedy against controllers and processors (Article 79) and the right to compensation for material or non-material damage (Article 82).
Lower-Tier Fines
Up to EUR 10,000,000 or 2% of worldwide annual turnover for infringements of controller/processor obligations.
Upper-Tier Fines
Up to EUR 20,000,000 or 4% of worldwide annual turnover for infringements of core principles, consent, data subject rights, and transfer provisions.
Member State Penalties
Member states must lay down rules on other penalties applicable to GDPR infringements (Article 84), which may include criminal sanctions.
GDPR penalties are calculated on global annual turnover of the preceding financial year, not just EU revenue. Recital 150 ties the turnover figure to the 'undertaking' in the competition-law sense of Articles 101 and 102 TFEU, so for multinational corporations the fine ceiling applies to consolidated group-level turnover worldwide, not to the turnover of the EU subsidiary that committed the infringement.
Frequently Asked Questions
What is GDPR?
The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679, the EU's comprehensive data protection law. It has been directly applicable across all 27 EU member states since 25 May 2018, establishing harmonised rules for the processing of personal data, data subject rights, controller and processor obligations, international data transfers, and enforcement by independent supervisory authorities.
Who does GDPR apply to?
The GDPR applies to any organisation, regardless of size or location, that processes personal data of individuals who are in the EU. This includes organisations established in the EU (Article 3(1)), organisations outside the EU that offer goods or services to individuals in the Union (Article 3(2)(a)), and organisations outside the EU that monitor the behaviour of individuals in the Union (Article 3(2)(b)). Residence and nationality are irrelevant; presence in the Union is what counts. This extraterritorial reach means the GDPR effectively applies globally to any organisation with EU-facing activities.
What are the maximum GDPR penalties?
The GDPR establishes a two-tier penalty system. The lower tier (Article 83(4)) provides for fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, for infringements of controller/processor obligations. The upper tier (Article 83(5)) provides for fines of up to EUR 20 million or 4% of global annual turnover for infringements of core principles, consent requirements, data subject rights, and international transfer provisions.
Is the GDPR a directive or a regulation?
The GDPR is a regulation (Regulation (EU) 2016/679), not a directive. This distinction is significant: EU regulations are directly applicable in all member states without requiring national transposition, ensuring uniform application. Its predecessor, Directive 95/46/EC, was a directive that required transposition into national law, which resulted in 28 divergent implementations across the EU.
Does the GDPR apply outside the EU?
Yes. Under Article 3(2), the GDPR applies to controllers and processors not established in the EU when their processing activities relate to offering goods or services to data subjects in the Union, or monitoring the behaviour of data subjects within the Union. Non-EU organisations subject to the GDPR must designate a representative in the EU under Article 27, unless one of the Article 27(2) exemptions applies (occasional processing that is unlikely to result in a risk and does not involve large-scale processing of special-category or criminal-conviction data, or processing by a public authority or body). The EEA Agreement extends GDPR applicability to Norway, Iceland, and Liechtenstein.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
Automate GDPR Compliance with FortisEU
Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.