Back to home

GDPR Regulations

Key articles and requirements of the General Data Protection Regulation

Key Principles

The fundamental principles that govern data processing under GDPR

Lawfulness, Fairness & Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner.

Purpose Limitation

Data must be collected for specified, explicit, and legitimate purposes.

Data Minimization

Only collect data that is adequate, relevant, and limited to what is necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage Limitation

Data should be kept only as long as necessary for the purposes.

Integrity & Confidentiality

Data must be processed securely with appropriate protection.

Data Subject Rights

Rights granted to individuals under GDPR

Right to Access

Article 15

Individuals can request access to their personal data and information about how it's processed.

Right to Rectification

Article 16

Individuals can request correction of inaccurate personal data.

Right to Erasure

Article 17

Also known as "right to be forgotten" - individuals can request deletion of their data.

Right to Data Portability

Article 20

Individuals can receive their data in a machine-readable format.

Right to Object

Article 21

Individuals can object to processing of their personal data.

Right to Restrict Processing

Article 18

Individuals can request restriction of processing in certain circumstances.

Business Obligations

What businesses must do to comply with GDPR

Consent Requirements

Article 7

Obtain clear, affirmative consent before processing personal data. Consent must be freely given, specific, informed, and unambiguous.

Data Protection Officer

Article 37-39

Appoint a DPO if you process sensitive data at scale or monitor individuals systematically.

Data Breach Notification

Article 33-34

Report data breaches to supervisory authorities within 72 hours and notify affected individuals if high risk.

Privacy by Design

Article 25

Implement data protection measures from the start of any project involving personal data.

Records of Processing

Article 30

Maintain records of processing activities including purposes, categories, and security measures.

Impact Assessments

Article 35

Conduct Data Protection Impact Assessments (DPIA) for high-risk processing.

Penalties & Fines

Consequences for GDPR non-compliance

Lower Tier

Up to €10 million or 2% of annual global turnover

For violations related to technical measures, record-keeping, or processor obligations.

Upper Tier

Up to €20 million or 4% of annual global turnover

For violations of basic principles, data subject rights, or international transfers.

Recent Notable Fines

Examples of significant GDPR enforcement actions

Indicative dataset, last internal review: March 2026.

Meta (Facebook)1.2B
Data transfers to US2023
TikTok345M
Children's privacy violations2023
Amazon746M
Cookie consent violations2021
Google Ireland90M
Cookie consent mechanisms2022
Criteo40M
Consent & tracking violations2023
Microsoft Ireland20M
Children's data processing2023

Legal Watch

Internal legal watch: regulatory topics monitored and reviewed regularly.

EUhigh

EU-US Data Privacy Framework

The DPF remains a practical transfer mechanism, but US vendor certification should be verified regularly.

Reviewed on: 2026-03-06

European Commission adequacy decision
EUhigh

Dark patterns in consent interfaces

Deceptive consent interfaces remain a top enforcement area. Accept/reject equivalence is essential.

Reviewed on: 2026-03-06

EDPB Guidelines 03/2022
FRhigh

CNIL cookie guidance

CNIL cookie requirements (easy refusal, clear information, limited duration) remain core for France-focused audits.

Reviewed on: 2026-03-06

CNIL Cookies and other trackers
EUmedium

EU AI Act and high-risk profiling

The AI Act introduces obligations for high-risk systems and strengthens governance for automated processing involving personal data.

Reviewed on: 2026-03-06

Regulation (EU) 2024/1689 (AI Act)
EUmedium

EU Data Act and data portability operations

The Data Act adds new access, portability and data-sharing obligations, with direct impact on GDPR processes and contractual safeguards.

Reviewed on: 2026-03-06

Regulation (EU) 2023/2854 (Data Act)
EUmedium

NIS2 cybersecurity obligations for data protection resilience

NIS2 strengthens security, incident handling and governance duties, complementing GDPR security obligations (Art. 32).

Reviewed on: 2026-03-06

Directive (EU) 2022/2555 (NIS2)

Ready to check your site's compliance?

Start free and get your first report in less than a minute.