Key Principles
The fundamental principles that govern data processing under GDPR
Lawfulness, Fairness & Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes.
Data Minimization
Only collect data that is adequate, relevant, and limited to what is necessary.
Accuracy
Personal data must be accurate and kept up to date.
Storage Limitation
Data should be kept only as long as necessary for the purposes.
Integrity & Confidentiality
Data must be processed securely with appropriate protection.
Data Subject Rights
Rights granted to individuals under GDPR
Right to Access
Article 15Individuals can request access to their personal data and information about how it's processed.
Right to Rectification
Article 16Individuals can request correction of inaccurate personal data.
Right to Erasure
Article 17Also known as "right to be forgotten" - individuals can request deletion of their data.
Right to Data Portability
Article 20Individuals can receive their data in a machine-readable format.
Right to Object
Article 21Individuals can object to processing of their personal data.
Right to Restrict Processing
Article 18Individuals can request restriction of processing in certain circumstances.
Business Obligations
What businesses must do to comply with GDPR
Consent Requirements
Article 7Obtain clear, affirmative consent before processing personal data. Consent must be freely given, specific, informed, and unambiguous.
Data Protection Officer
Article 37-39Appoint a DPO if you process sensitive data at scale or monitor individuals systematically.
Data Breach Notification
Article 33-34Report data breaches to supervisory authorities within 72 hours and notify affected individuals if high risk.
Privacy by Design
Article 25Implement data protection measures from the start of any project involving personal data.
Records of Processing
Article 30Maintain records of processing activities including purposes, categories, and security measures.
Impact Assessments
Article 35Conduct Data Protection Impact Assessments (DPIA) for high-risk processing.
Penalties & Fines
Consequences for GDPR non-compliance
Lower Tier
Up to €10 million or 2% of annual global turnover
For violations related to technical measures, record-keeping, or processor obligations.
Upper Tier
Up to €20 million or 4% of annual global turnover
For violations of basic principles, data subject rights, or international transfers.
Recent Notable Fines
Examples of significant GDPR enforcement actions
Indicative dataset, last internal review: March 2026.
Legal Watch
Internal legal watch: regulatory topics monitored and reviewed regularly.
EU-US Data Privacy Framework
The DPF remains a practical transfer mechanism, but US vendor certification should be verified regularly.
Reviewed on: 2026-03-06
European Commission adequacy decisionDark patterns in consent interfaces
Deceptive consent interfaces remain a top enforcement area. Accept/reject equivalence is essential.
Reviewed on: 2026-03-06
EDPB Guidelines 03/2022CNIL cookie guidance
CNIL cookie requirements (easy refusal, clear information, limited duration) remain core for France-focused audits.
Reviewed on: 2026-03-06
CNIL Cookies and other trackersEU AI Act and high-risk profiling
The AI Act introduces obligations for high-risk systems and strengthens governance for automated processing involving personal data.
Reviewed on: 2026-03-06
Regulation (EU) 2024/1689 (AI Act)EU Data Act and data portability operations
The Data Act adds new access, portability and data-sharing obligations, with direct impact on GDPR processes and contractual safeguards.
Reviewed on: 2026-03-06
Regulation (EU) 2023/2854 (Data Act)NIS2 cybersecurity obligations for data protection resilience
NIS2 strengthens security, incident handling and governance duties, complementing GDPR security obligations (Art. 32).
Reviewed on: 2026-03-06
Directive (EU) 2022/2555 (NIS2)Official Resources
Links to official GDPR documentation