GDPR — General Data Protection Regulation

Effective overview last updated: January 2026

What Is GDPR

The General Data Protection Regulation (GDPR) is the European Union's data protection law, in effect since May 25, 2018. It replaced the 1995 Data Protection Directive and established a single, directly applicable regulation across all EU member states (plus the EEA — Norway, Iceland, and Liechtenstein).

GDPR is widely considered the most comprehensive data protection framework in the world. It has influenced privacy legislation globally, including Brazil's LGPD, California's CCPA/CPRA, and laws in Japan, South Korea, India, and others.

Scope and Applicability

GDPR applies to:

  • Organizations established in the EU that process personal data, regardless of where the processing occurs
  • Organizations outside the EU that offer goods or services to people in the EU, or that monitor the behavior of people in the EU

This extraterritorial reach means a US-based SaaS company with EU customers must comply with GDPR, even without any physical presence in Europe.

What Counts as Personal Data

GDPR defines personal data broadly: any information relating to an identified or identifiable natural person. This includes:

  • Names, email addresses, phone numbers
  • IP addresses and cookie identifiers
  • Location data and device identifiers
  • Pseudonymized data (if it can be re-identified)
  • Special categories (Article 9): health data, genetic data, biometric data (when processed to uniquely identify a person), and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life and sexual orientation. Processing these is prohibited unless an Article 9 condition applies in addition to an Article 6 legal basis.

Core Principles

Article 5 establishes seven principles that govern all processing of personal data:

  1. Lawfulness, fairness, and transparency: Processing must have a legal basis, must not be deceptive, and must be communicated clearly to data subjects.

  2. Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes. You can't collect data for one purpose and then use it for something unrelated.

  3. Data minimization: Only collect personal data that is adequate, relevant, and limited to what is necessary for the stated purpose.

  4. Accuracy: Personal data must be kept accurate and up to date. Inaccurate data must be corrected or deleted without delay.

  5. Storage limitation: Data must not be kept longer than necessary for its purpose. You need defined retention periods for each category of data.

  6. Integrity and confidentiality: Data must be processed securely, with appropriate technical and organizational measures to prevent unauthorized access, loss, or destruction.

  7. Accountability: The data controller must be able to demonstrate compliance with all of the above principles. This is not just about being compliant — it's about proving it.

Unlike some privacy laws that rely primarily on consent, GDPR provides six legal bases for processing personal data (Article 6); consent is only one of them, and often the weakest choice because it can be withdrawn at any time. You must identify and document which basis applies to each processing activity before processing begins. Supervisory authorities do not accept retroactively swapping to a different basis when the chosen one fails (for example, falling back to legitimate interests after consent is withdrawn), so the choice has to be right at the outset:

  • Consent: The data subject has given clear, affirmative consent for a specific purpose. Must be freely given, specific, informed, and unambiguous. Can be withdrawn at any time.
  • Contractual necessity: Processing is necessary to perform a contract with the data subject or to take pre-contractual steps at their request.
  • Legal obligation: Processing is necessary to comply with a legal requirement (e.g., tax reporting, anti-money laundering).
  • Vital interests: Processing is necessary to protect someone's life. Rarely applicable in a business context.
  • Public task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests: Processing is necessary for your legitimate interests (or a third party's), except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Requires a documented balancing test (a legitimate interests assessment), and public authorities cannot rely on it for processing carried out in the performance of their tasks.

Data Subject Rights

GDPR grants individuals extensive rights over their personal data. Requests must normally be answered within one month, extendable by two further months where requests are complex or numerous (Article 12(3)), and free of charge unless a request is manifestly unfounded or excessive (Article 12(5)). The rights are:

  • Right of access (Article 15): Individuals can request a copy of all personal data you hold about them, along with information about how it's processed.
  • Right to rectification (Article 16): Individuals can request correction of inaccurate personal data.
  • Right to erasure / "right to be forgotten" (Article 17): Individuals can request deletion of their data in certain circumstances (consent withdrawn, data no longer necessary, unlawful processing).
  • Right to restriction (Article 18): Individuals can request that processing be limited while disputes are resolved.
  • Right to data portability (Article 20): Individuals can receive their data in a structured, commonly used, machine-readable format and transfer it to another controller. This applies only to data the individual provided, processed by automated means on the basis of consent or contract, so it is narrower than the right of access.
  • Right to object (Article 21): Individuals can object to processing based on legitimate interests or public task, including profiling. For direct marketing, the right to object is absolute.
  • Rights related to automated decision-making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects, with exceptions.

The Role of the Privacy Notice

The privacy notice (what most organizations call their "privacy policy") is GDPR's primary transparency mechanism. Articles 13 and 14 are unusually specific about what must be included. This is one of the areas where GDPR is most prescriptive.

Article 13 — Data Collected Directly From the Individual

When you collect data directly, you must provide at the time of collection:

  • Identity and contact details of the controller (and DPO, if applicable)
  • Purposes and legal basis for each processing activity
  • Legitimate interests pursued, if relying on that basis
  • Recipients or categories of recipients
  • Whether data will be transferred outside the EEA, and the transfer mechanism
  • Retention periods or criteria for determining them
  • All data subject rights
  • The right to withdraw consent (if applicable)
  • The right to lodge a complaint with a supervisory authority
  • Whether providing data is a statutory/contractual requirement, and consequences of not providing it
  • Information about automated decision-making, including the logic involved

Article 14 — Data Not Obtained From the Individual

When you obtain data from other sources (third parties, public records, data brokers), you must additionally disclose:

  • The categories of personal data obtained
  • The source of the data

This information must be provided within a reasonable period after obtaining the data and at the latest within one month; if the data are used to communicate with the individual, no later than the first communication; and if the data are disclosed to another recipient, no later than that first disclosure, whichever comes first (Article 14(3)). Article 14(5) excuses the notice where providing it would be impossible or involve disproportionate effort, but you must document that reasoning and take appropriate measures instead, such as making the information publicly available.
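As an added illustration (not the page's own tooling, and not the method of the review service described below), the following Python checklist validator encodes the Article 13 and 14 conditions above. It takes a structured description of a notice and its processing activities and reports each missing disclosure, including the conditional ones: legitimate interests text only when that basis is used, a transfer mechanism only for destinations outside the EEA, withdrawal of consent only when consent is relied on, and source and categories only for data not obtained from the individual. The Notice and Activity schema, the field names, the right labels and the sample notice are this example's own assumptions.

```python
from dataclasses import dataclass, field

# EEA member states by ISO 3166-1 alpha-2 code (EU-27 plus Iceland, Liechtenstein, Norway).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}
TRANSFER_MECHANISMS = {"adequacy", "sccs", "bcrs", "derogation"}
# Rights the notice must mention (Articles 15-21); the labels are this example's own.
REQUIRED_RIGHTS = {"access", "rectification", "erasure", "restriction", "portability", "object"}


@dataclass
class Activity:
    """One processing activity as described in the notice (hypothetical schema)."""
    name: str
    purpose: str = ""
    legal_basis: str = ""
    legitimate_interest: str = ""          # required when legal_basis == "legitimate_interests"
    recipients: list = field(default_factory=list)
    retention: str = ""                    # a period, or the criteria used to set one
    transfers: list = field(default_factory=list)  # e.g. [{"country": "US", "mechanism": "sccs"}]
    automated_decisions: bool = False
    adm_logic: str = ""                    # meaningful information about the logic (Art 13(2)(f))
    obtained_from_subject: bool = True     # False triggers the Article 14 checks
    source: str = ""
    data_categories: list = field(default_factory=list)


@dataclass
class Notice:
    """The notice as a whole (hypothetical schema)."""
    controller: str = ""
    controller_contact: str = ""
    rights_listed: set = field(default_factory=set)
    withdraw_consent_explained: bool = False
    complaint_right_explained: bool = False
    activities: list = field(default_factory=list)


def check_notice(n: Notice) -> list:
    """Return the missing or inconsistent disclosures; an empty list means no gaps found."""
    f = []
    if not n.controller or not n.controller_contact:
        f.append("notice: controller identity or contact details missing (Art 13(1)(a))")
    missing_rights = sorted(REQUIRED_RIGHTS - set(n.rights_listed))
    if missing_rights:
        f.append(f"notice: data subject rights not listed: {', '.join(missing_rights)} (Art 13(2)(b))")
    if not n.complaint_right_explained:
        f.append("notice: right to lodge a complaint with a supervisory authority missing (Art 13(2)(d))")
    if any(a.legal_basis == "consent" for a in n.activities) and not n.withdraw_consent_explained:
        f.append("notice: consent is relied on but the right to withdraw it is not explained (Art 13(2)(c))")
    for a in n.activities:
        p = f"activity '{a.name}':"
        if not a.purpose:
            f.append(f"{p} purpose not stated (Art 13(1)(c))")
        if a.legal_basis not in LEGAL_BASES:
            f.append(f"{p} legal basis missing or unrecognised: {a.legal_basis!r} (Art 13(1)(c))")
        elif a.legal_basis == "legitimate_interests" and not a.legitimate_interest:
            f.append(f"{p} legitimate interests relied on but not described (Art 13(1)(d))")
        if not a.recipients:
            f.append(f"{p} recipients or categories of recipients missing (Art 13(1)(e))")
        if not a.retention:
            f.append(f"{p} retention period or criteria missing (Art 13(2)(a))")
        for t in a.transfers:
            country = t.get("country", "").upper()
            # Only destinations outside the EEA need a transfer mechanism.
            if country and country not in EEA and t.get("mechanism") not in TRANSFER_MECHANISMS:
                f.append(f"{p} transfer to {country} without a stated mechanism (Art 13(1)(f))")
        if a.automated_decisions and not a.adm_logic:
            f.append(f"{p} automated decision-making without information about the logic (Art 13(2)(f))")
        if not a.obtained_from_subject:  # Article 14 additions for indirectly obtained data
            if not a.data_categories:
                f.append(f"{p} categories of data obtained from third parties not listed (Art 14(1)(d))")
            if not a.source:
                f.append(f"{p} source of the data not stated (Art 14(2)(f))")
    return f


def sample_notice() -> Notice:
    """Constructed sample (fictional controller) with deliberate gaps for the checker to find."""
    return Notice(
        controller="Example SaaS Ltd", controller_contact="privacy@example.com",
        rights_listed=set(REQUIRED_RIGHTS), withdraw_consent_explained=False,
        complaint_right_explained=True,
        activities=[
            Activity(name="account management", purpose="provide the service", legal_basis="contract",
                     recipients=["hosting provider"], retention="life of the account plus 30 days",
                     transfers=[{"country": "DE"}, {"country": "US", "mechanism": "sccs"}]),
            Activity(name="product analytics", purpose="improve the product",
                     legal_basis="legitimate_interests", recipients=["analytics vendor"],
                     retention="13 months", transfers=[{"country": "US"}]),
            Activity(name="marketing emails", purpose="send newsletters", legal_basis="consent",
                     recipients=["email delivery provider"], retention=""),
            Activity(name="credit screening", purpose="assess creditworthiness",
                     legal_basis="legitimate_interests", legitimate_interest="fraud prevention",
                     recipients=["credit reference agency"], retention="6 years",
                     automated_decisions=True, obtained_from_subject=False,
                     source="", data_categories=["credit history"]),
        ],
    )


if __name__ == "__main__":
    for finding in check_notice(sample_notice()):
        print(finding)
```

Run against the sample, the checker reports six gaps: the unexplained right to withdraw consent, the undescribed legitimate interest and unmechanised US transfer for analytics, the missing retention period for marketing, and the missing decision logic and missing source for the credit screening activity. The account management activity passes because its German destination is inside the EEA and its US transfer names SCCs. A real review would also read the text behind each field; the structured check only tells you which disclosures are absent, not whether the ones present are accurate.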

Why This Matters

The privacy notice is not a formality under GDPR. Supervisory authorities have issued fines specifically for inadequate transparency: the CNIL's €50 million fine against Google in January 2019 rested in part on information about purposes, legal bases and retention periods being scattered across several documents and hard for users to find. The transparency requirements are treated as substantive obligations, not technicalities.

Common enforcement actions related to privacy notices include:

  • Fines for privacy policies that don't specify the legal basis for each processing activity
  • Fines for layered or hidden information that makes it difficult for users to understand their rights
  • Fines for privacy policies that claim consent as the legal basis when a different basis actually applies
  • Fines for failing to inform users about international data transfers

International Data Transfers

Transferring personal data outside the EEA requires a valid transfer mechanism:

  • Adequacy decisions: The European Commission has recognized certain countries as providing adequate protection (e.g., the UK, Japan, South Korea, Switzerland, Israel, and Canada for organizations subject to PIPEDA). For the US, the July 2023 decision covers only organizations certified under the EU-US Data Privacy Framework, so check the recipient's DPF listing before relying on it; transfers to non-certified US recipients still need SCCs or another mechanism.
  • Standard Contractual Clauses (SCCs): Pre-approved contractual terms adopted by the European Commission (the 2021 modular set). The most common mechanism for transfers to non-adequate countries. Since the Schrems II judgment (2020), SCCs must be paired with a transfer impact assessment of the destination country's surveillance and access laws and, where that assessment finds a gap, supplementary measures such as encryption with keys held in the EEA.
  • Binding Corporate Rules (BCRs): Internal policies approved by supervisory authorities for transfers within a corporate group. Complex and time-consuming to implement.
  • Derogations: Limited exceptions for specific situations (explicit consent, contractual necessity, etc.).

Since most SaaS products run on US-headquartered infrastructure (AWS, Google Cloud, Azure) and US-based sub-processors (Stripe, Twilio, etc.), international transfers are a concern for nearly every organization subject to GDPR. Choosing an EU region reduces but does not remove the issue: under the EDPB's guidance, remote access from outside the EEA (for example, by a vendor's US support staff) is itself a transfer, so each sub-processor's transfer mechanism still has to be identified and disclosed.

Enforcement

GDPR is enforced by the supervisory authorities (commonly called Data Protection Authorities, DPAs) of each EU/EEA member state. For cross-border processing, the authority in the member state of the organization's main establishment acts as lead supervisory authority under the one-stop-shop mechanism. The maximum fines (Article 83) are:

  • Up to €20 million or 4% of annual global turnover (whichever is higher) for the most serious violations
  • Up to €10 million or 2% of annual global turnover for less serious violations

Notable enforcement trends include fines related to:

  • Insufficient legal basis for processing (especially for advertising and tracking)
  • Inadequate transparency in privacy notices
  • Failure to honor data subject access requests
  • Insufficient technical security measures
  • Non-compliant international data transfers

Key Roles Under GDPR

  • Data Controller: The entity that determines the purposes and means of processing. Typically the organization that has the direct relationship with the individual.
  • Data Processor: The entity that processes data on behalf of the controller. Cloud providers, email services, and analytics platforms are usually processors. A processor must be bound by a written contract meeting Article 28 (the data processing agreement), and a processor that uses the data for its own purposes becomes a controller for that processing.
  • Data Protection Officer (DPO): Mandatory (Article 37) for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories or criminal conviction data. The DPO must be independent, must not be dismissed or penalized for performing the role, and reports directly to the highest level of management.

How Privacy Policy Review Helps

Your privacy notice is one of the most scrutinized artifacts under GDPR. Our service reviews it against every Article 13 and 14 requirement — checking for missing disclosures, unclear legal bases, incomplete rights information, and gaps in transfer mechanism descriptions. An attorney verifies the findings in a signed Record of Review.

This is particularly relevant because privacy notice compliance is one of the most common areas of GDPR enforcement action.

Ready to review your privacy policy?

Get AI-powered compliance analysis verified by an attorney — flat $199 per review.

Start Your Review