General Data Protection Regulation (EU) 2016/679
Direct answer
The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European Union's data protection law, in force since 25 May 2018. It governs the processing of the personal data of individuals in the EU and European Economic Area, and applies to any organisation that processes that data, including organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. It sets out principles for lawful processing, rights for individuals, obligations for organisations that act as data controllers and processors, rules for transferring data outside the EU, and penalties of up to 20 million euros or 4 percent of global annual turnover, whichever is higher.
The GDPR applies to the processing of personal data: any information relating to an identified or identifiable living person. It binds two roles: the controller, who determines why and how personal data is processed, and the processor, who processes it on the controller's behalf.
Its territorial reach is broad. The GDPR applies to organisations established in the EU regardless of where the processing happens, and to organisations outside the EU where they offer goods or services to people in the EU or monitor their behaviour. An organisation does not need an EU office to fall within scope.
The regulation covers only natural persons. It does not protect data about legal entities such as companies. Processing of the personal data of deceased persons falls outside the GDPR, though some member states extend equivalent protection under national law.
GDPR compliance is built on seven principles set out in Article 5. Every other obligation in the regulation is a way of giving effect to one or more of them.
The accountability principle is why the GDPR is, in practice, a documentation regime. It is not enough to comply -- you must be able to show it. This is what drives the ROPA, the DPIA, the DPA, and the evidence trail.
Every processing activity needs a lawful basis under Article 6. There are six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest or in the exercise of official authority, and legitimate interests. Legitimate interests requires a balancing test (a legitimate interests assessment) weighing the controller's interests against the rights and freedoms of the individual.
Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent do not qualify. Where consent is the chosen basis, individuals must be able to withdraw it as easily as they gave it.
Processing special category data -- which includes health, biometric, racial or ethnic origin, political opinions, religious beliefs, genetic, trade union membership, sex life, and sexual orientation data -- is prohibited unless one of the additional conditions in Article 9 is met. Special category data carries a higher bar and is flagged for stricter handling throughout a compliance programme. Pseudonymised data can still be personal data if re-identification is reasonably possible.
| Lawful basis | When it applies | Key requirement |
|---|---|---|
| Consent | Individual has given clear agreement to the specific purpose | Must be freely given, specific, informed, and unambiguous; withdrawable at any time |
| Contract | Processing is necessary to perform a contract with the individual or to take pre-contractual steps at their request | Must be genuinely necessary -- not merely convenient |
| Legal obligation | Processing is required to comply with a legal obligation under EU or member state law | The legal obligation must be sufficiently clear and precise |
| Vital interests | Processing is necessary to protect someone's life, where they cannot consent | Narrow basis; use only where no other basis applies |
| Public task | Processing is necessary for a task in the public interest or exercise of official authority | Primarily for public bodies; must have a clear basis in law |
| Legitimate interests | Processing is necessary for the controller's (or a third party's) legitimate interests, unless overridden by the individual's rights | Requires a legitimate interests assessment (LIA); not available for public authorities in the exercise of their functions |
The GDPR gives individuals enforceable rights over their personal data. When someone exercises a right, the organisation must respond without undue delay and within one month of receipt. That period can be extended by two further months where the request is complex or numerous, provided the individual is told of the extension and the reason within the first month.
The rights are:
Not every right applies in every situation. Some may be restricted where other overriding interests -- law enforcement, public health, freedom of expression -- apply under member state derogations.
The principles and rights above describe what must be true. The following obligations set out what organisations must do and maintain to make that true in practice.
| Obligation | Article | What it requires in practice |
|---|---|---|
| Records of processing activities (ROPA) | Article 30 | Controllers and processors must keep a record of their processing activities covering: the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers to third countries, retention periods, and security measures. The ROPA is usually the first document a supervisory authority requests. The obligation applies to most organisations; those with fewer than 250 employees are exempt unless processing is likely to result in a risk to rights and freedoms, is not occasional, or involves special category or criminal conviction data. |
| Data protection impact assessments (DPIA) | Article 35 | Where processing is likely to result in a high risk to individuals, a DPIA must be carried out before processing begins. EDPB guidelines (WP248, adopted by the EDPB) list nine criteria; meeting two or more generally indicates a DPIA is required. High-risk indicators include systematic and extensive profiling, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. Where a DPIA shows high residual risk that cannot be mitigated, the supervisory authority must be consulted before processing starts (Article 36). |
| Data processing agreements (DPA) | Article 28 | When a controller uses a processor, a written contract must govern the relationship. It must cover: the subject matter and duration of processing, the nature and purpose, the type of personal data and categories of data subjects, the controller's obligations and rights, and specific required terms on confidentiality, security, sub-processors, assistance with rights requests, assistance with the controller's obligations, deletion or return at end of contract, and audit rights. |
| Personal data breach notification | Articles 33 and 34 | A controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the affected individuals must also be notified without undue delay. The 72-hour clock starts on awareness. Processors must notify the controller without undue delay upon becoming aware of a breach. |
| International transfers | Chapter V (Articles 44 to 49) | Personal data may be transferred to a country outside the EU or EEA only where an adequate level of protection is ensured. The primary mechanisms are: adequacy decisions issued by the European Commission for specific countries; appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs); and specific derogations for limited situations such as explicit consent or the performance of a contract. Following the Schrems II ruling (CJEU, July 2020), transfers under SCCs or BCRs may also require a transfer impact assessment (TIA) to verify that the destination country's laws do not undermine the protection the mechanism provides, with supplementary measures where needed. The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy decision for certified US organisations. |
| Data protection officer (DPO) | Articles 37 to 39 | A DPO must be designated where the organisation is a public authority or body (with limited exceptions), carries out large-scale systematic monitoring of individuals as a core activity, or processes special category or criminal conviction data at large scale as a core activity. The DPO advises on and monitors GDPR compliance, cooperates with the supervisory authority, and is the contact point for data subjects and the authority. The DPO must be provided with resources and must not receive instructions regarding the exercise of their tasks. |
The GDPR carries two tiers of administrative fine, applied by supervisory authorities after considering the nature, gravity, and duration of the infringement, the number affected, the damage suffered, and mitigating or aggravating factors.
The lower tier reaches 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher, for infringements of: obligations on controllers and processors (including DPO, data protection by design, ROPA, processor requirements), obligations on certification bodies and monitoring bodies, and breach notification obligations.
The higher tier reaches 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher, for infringements of: the basic principles (Article 5), conditions for consent, data subjects' rights, international transfer rules, and non-compliance with an order or temporary limitation of processing imposed by the supervisory authority.
Administrative fines are not the only available remedy. Supervisory authorities can also issue warnings and reprimands, impose a temporary or permanent ban on processing, and order the rectification or erasure of data. An order to stop processing is frequently the more operationally disruptive outcome.
| Tier | Maximum fine | Applicable infringements |
|---|---|---|
| Lower tier | 10,000,000 EUR or 2% of total worldwide annual turnover, whichever is higher | Obligations on controllers and processors (Articles 8, 11, 25 to 39, 42, 43); breach notification (Articles 33 and 34); certification and monitoring body obligations |
| Higher tier | 20,000,000 EUR or 4% of total worldwide annual turnover, whichever is higher | Basic principles including lawful bases (Articles 5, 6, 7, 9); data subjects' rights (Articles 12 to 22); international transfer rules (Articles 44 to 49); non-compliance with a supervisory authority order |
Many organisations are subject to more than one privacy law at the same time. Running these regimes in parallel without maintaining duplicate records is the practical challenge.
The UK GDPR mirrors the EU GDPR closely following the UK's withdrawal from the EU. It is retained in domestic law through the UK's Data Protection Act 2018, with the Information Commissioner's Office (ICO) as the supervisory authority. The substantive requirements align closely, but the UK is a separate jurisdiction with its own adequacy decisions, transfer mechanisms (including International Data Transfer Agreements), and regulatory posture.
The Swiss Federal Act on Data Protection (FADP), revised in September 2020 and in force since 1 September 2023, aligns substantially with the GDPR but differs in important respects. After the revision, the Swiss FADP protects only natural persons and no longer treats data about legal entities as personal data. It introduces data protection impact assessments and strengthened transparency obligations. Switzerland is not an EU member state, and the Swiss FADP is not identical to the GDPR; legal analysis of each jurisdiction's law is required for organisations operating across both.
The practical challenge is governing the same processing activity under several frameworks with their own legal bases and review cycles, without maintaining duplicate records that drift apart.
The obligations above describe what must be true. In practice, meeting them means keeping a current ROPA, running DPIAs and processor assessments and transfer impact assessments on the right activities, handling data subject requests within the one-month deadline, and being able to scope a breach inside 72 hours, all while staying current as processing changes.
Acuna's Data Privacy module operationalises these as one connected workflow: processing activities recorded with their data subjects, assets, processors, and legal bases together; DPIA, DPA, and transfer assessments drawn from that shared context; data subject requests handled through a dedicated intake with the one-month clock tracked from receipt; and breach impact traced across the connected records. Because Acuna maps to 50+ frameworks on one core, the same processing activity can carry GDPR, Swiss FADP, and UK GDPR obligations with independent legal bases rather than living in duplicate workspaces. For the Article 28 processor obligation, processor risk management adds structured assessment campaigns, the written DPA tracking, and continuous security monitoring for your processor chain, on the same record.
See GDPR for your organisation for how this applies to a specific team and programme.
EXPLORE
What ROPA is, what Article 30 requires it to contain, who must maintain it, and how to structure it for supervisory authority review.
The nine EDPB criteria that indicate a DPIA is required, the prior consultation trigger, and how to run a DPIA in practice.
When the clock starts, what the notification to the supervisory authority must contain, and when affected individuals must also be told.
The one-month response deadline under Article 12(3), the two-month extension, and how to handle complex or manifestly unfounded requests.
The required terms in every processor contract: subject matter, instructions, confidentiality, security, sub-processors, assistance, and audit rights.
Why TIAs are needed for transfers under SCCs, what they must assess, and how the EU-US Data Privacy Framework changes the picture for US transfers.
Related answers
A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes systematic profiling with legal effects, large-scale processing of special categories of data, and systematic monitoring of public areas. A DPIA must describe the processing, assess necessity and proportionality, identify risks, and define mitigating measures. If residual risk remains high after mitigation, the controller must consult the supervisory authority under Article 36. DPIA workflows are on the Acuna Data Protection module roadmap; currently, processing activities can be documented and linked to controls and assets to support DPIA preparation.
The Data Protection module provides an operational privacy register built around processing activities (Article 30 ROPA). A 7-step wizard guides creation through purpose, legal basis, data subjects, data categories, retention, and transfers, with a four-state workflow (Draft → In Review → Approved → Needs Update). Activities link to assets via a data inventory with personal data grids, to third parties with DPA status and transfer country tracking, and to frameworks (GDPR and Swiss FADP pre-configured). An interactive data flow diagram visualizes how personal data moves across the organisation. A privacy dashboard surfaces PA status distribution, data inventory coverage, DPA completeness, and framework assignments. The module also supports structured migration from OneTrust.
A Record of Processing Activities (ROPA) is the internal register required by GDPR Article 30 that documents how your organisation processes personal data — purpose, data categories, recipients, transfers outside the EU or EEA, retention periods, and security measures. Controllers and processors must keep one in writing and produce it to a supervisory authority on request. It is the source of truth that a DPIA, a DSAR, a breach assessment, and a transfer assessment all read from. Acuna's data privacy management treats each processing activity as a living record tied to your asset and vendor inventory, so the people closest to the data keep the register honest.
A Data Protection Impact Assessment (DPIA) is mandatory under GDPR Article 35 whenever processing is likely to result in a high risk to the rights and freedoms of individuals. Article 35(3) names three cases that always require one: systematic and extensive profiling with legal effects, large-scale special-category data processing, and systematic monitoring of a publicly accessible area at scale. The EDPB adds nine criteria; two or more typically require a DPIA. Acuna's data privacy management carries a built-in screener against the EDPB criteria on every processing activity, so the question is answered as part of recording the activity, not as a separate project.
Under GDPR Article 33, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the controller must also notify affected data subjects under Article 34. The clock starts at awareness, not at the conclusion of the investigation; Article 33(4) permits phased notification as facts emerge. Every breach must be documented under Article 33(5) whether or not it meets the notification threshold.
Under GDPR Article 12(3), a controller must respond to a data subject access request without undue delay and within one month of receiving it. The period can be extended by two further months for complex or numerous requests, giving a three-month maximum, provided you notify the individual within the first month and explain the reasons. The legal unit is one month, not 30 days; a month is calculated by the calendar. Acuna's data privacy management tracks each DSAR against a response deadline with a colour-coded countdown, records the one permitted extension with its rationale, and links the request to the processing activities that hold the subject's data.
A Data Processing Agreement (DPA) is the written contract GDPR Article 28 requires whenever a controller engages a processor to handle personal data on its behalf. It must bind the processor to obligations covering the subject matter, duration, nature, and purpose of the processing — plus data subject rights assistance, breach notification, DPIA support, sub-processor controls, and audit access. Without a compliant DPA the processing relationship is unlawful. Acuna's data privacy management generates an Article 28 agreement pre-filled from the processing activity it covers and tracks each agreement through its lifecycle on the matching supplier record in third-party risk management.
A Transfer Impact Assessment (TIA) is the analysis required under GDPR Chapter V before transferring personal data to a country outside the EU or EEA without an adequacy decision. Following Schrems II, relying on Standard Contractual Clauses alone is insufficient: you must assess whether the destination country's law and practice provide essentially equivalent protection and, where it falls short, apply supplementary measures or stop the transfer. Acuna's data privacy management builds the TIA from the cross-border recipients already recorded on a processing activity and defaults to a higher-risk outcome so a transfer has to earn a lower rating rather than be assumed safe.
GDPR DATA PRIVACY
Acuna's Data Privacy module connects processing activities, legal bases, DPIAs, DPAs, transfer assessments, data subject requests, and breach handling in a single workflow. GDPR, Swiss FADP, and UK GDPR share the same records rather than living in separate workspaces.