Category: General Legal

GDPR (General Data Protection Regulation)

A European Union regulation that governs the processing of personal data of individuals in the EU and EEA, imposing strict obligations on controllers and processors worldwide.

What Is the GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's comprehensive data protection law. Effective May 25, 2018, the GDPR applies to any organization that processes personal data of individuals in the EU or European Economic Area, regardless of where the organization is located. Penalties for non-compliance can reach 4 percent of annual global revenue or €20 million, whichever is greater.

Core Principles (Article 5)

  • **Lawfulness, fairness, and transparency** in processing
  • **Purpose limitation**: data collected for specified, explicit, legitimate purposes
  • **Data minimization**: only data necessary for the purpose
  • **Accuracy**: data must be kept accurate and up to date
  • **Storage limitation**: retention only as long as necessary
  • **Integrity and confidentiality**: appropriate security safeguards
  • **Accountability**: the controller must demonstrate compliance

Key Rights for Data Subjects

Individuals have enforceable rights including access to their personal data, rectification of inaccurate data, erasure (the right to be forgotten), restriction of processing, data portability, objection to processing, and freedom from automated decision-making with legal effects. Controllers must respond to most requests within one month. Cross-border data transfers from the EU require approved mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or transfers to adequacy-decision countries. The U.S.–EU Data Privacy Framework, adopted in 2023, provides a transfer mechanism for participating U.S. organizations.