Skip to content
Last reviewed: 2026-05-04 Reviewer: M.K., CIPP/E Methodology Report inaccuracy
European Union emblem — editorial referenceReproduced for editorial reference under generally permitted educational use. Not affiliated with the European Union, the European Commission, or any EU institution.
GDPR National DPAs · coordinated by EDPB

REGULATION · EU REGULATION · IN FORCE SINCE 2018

General Data Protection Regulation

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

EUR-Lex official text Reviewed 2026-05-06 Free reference · sources cited

Scope and territorial reach

The General Data Protection Regulation harmonized EU privacy law and replaced Directive 95/46/EC. Direct effect — no national transposition required, though most member states layered additional national acts on top (TDDDG in Germany, Loi Informatique et Libertés in France, DPA 2018 in UK).

Applies extraterritorially under Art 3(2) — any controller offering goods/services to or monitoring behaviour of EU/EEA data subjects, regardless of where the controller is established.

Where it applies — 20 jurisdictions

🇦🇹Austria
AT
🇧🇪Belgium
BE
🇨🇿Czech Republic
CZ
🇩🇰Denmark
DK
🇪🇪Estonia
EE
🇫🇮Finland
FI
🇫🇷France
FR
🇩🇪Germany
DE
🇬🇷Greece
GR
🇭🇺Hungary
HU
🇮🇪Ireland
IE
🇮🇹Italy
IT

+ 8 more — see full list

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. 01
    Lawfulness, fairness, transparency Art 5(1)(a)

    Process data on a clear legal basis, fairly, and tell users what you do.

  2. 02
    Purpose limitation Art 5(1)(b)

    Collect data for specified, explicit purposes — don't repurpose later.

  3. 03
    Data minimisation Art 5(1)(c)

    Only collect what's adequate, relevant, and necessary for the purpose.

  4. 04
    Accuracy Art 5(1)(d)

    Keep data accurate and up to date; correct or erase inaccurate data without delay.

  5. 05
    Storage limitation Art 5(1)(e)

    Keep data only as long as necessary; define and document retention periods.

  6. 06
    Integrity & confidentiality Art 5(1)(f)

    Protect data against unauthorized access, loss, or destruction (security).

  7. 07
    Accountability Art 5(2)

    Demonstrate compliance — document everything (ROPA, DPIA, policies).

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Art 6(1)(a)

Consent

User explicitly opts in (free, specific, informed, unambiguous).

Common for: Analytics, marketing cookies, newsletters
Art 6(1)(b)

Contract

Necessary to perform a contract with the user.

Common for: Account creation, order processing
Art 6(1)(c)

Legal obligation

Required by law (tax records, AML, GDPR itself).

Common for: Invoice retention, KYC
Art 6(1)(d)

Vital interests

Necessary to protect someone's life.

Common for: Medical emergencies (rare for web)
Art 6(1)(e)

Public task

Performing a task in the public interest / official authority.

Common for: Government services, public health
Art 6(1)(f)

Legitimate interest

Your interest doesn't override user rights — needs an LIA.

Common for: Fraud prevention, basic security logging
Cookie banner under GDPR Consent Mode v2

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

RightArticleResponseScope
Right to be informed Art 13–14 At collection At collection — privacy notice must be transparent.
Right of access Art 15 30 days User can request copy of all their data.
Right to rectification Art 16 30 days Correct inaccurate or incomplete data.
Right to erasure Art 17 30 days "Right to be forgotten" — deletion under specific conditions.
Right to restrict processing Art 18 30 days Pause processing while disputes are resolved.
Right to data portability Art 20 30 days Receive data in machine-readable format, transfer to another controller.
Right to object Art 21 30 days Object to processing (esp. direct marketing — absolute right).
Rights re: automated decisions Art 22 30 days Not subject to solely-automated decisions with legal effect.
Topic: DSARs in practice Template: DSR reply (Art 15)

Fines & enforcement

Maximum administrative penalty: €20.0M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2023-05 €1.2B
    Meta Platforms Ireland DPC · IE · Art 46(1)

    Largest GDPR fine on record. Transfers of EU user data to the US under SCCs without sufficient supplementary measures, following the CJEU Schrems II ruling (C-311/18).

  2. 2021-07 €746.0M
    Amazon Europe CNPD · LU · Art 6, 12-17, 21

    Targeted advertising without valid consent — second-largest GDPR fine. Appealed in Luxembourg administrative court.

  3. 2022-09 €405.0M
    Instagram (Meta) DPC · IE · Art 5(1)(a/c), 6(1), 12(1), 24, 25(1-2), 35(1)

    Children's data: business-account contact info public-by-default; privacy-by-design failures; insufficient DPIA.

  4. 2023-09 €345.0M
    TikTok DPC · IE · Art 5(1)(a/c/f), 12(1), 13(1)(e), 24, 25(1-2)

    Children's data: profiles default-public for minors; data-protection-by-design failures; ineffective transparency for under-13s. Under appeal in Irish High Court.

  5. 2024-12 €251.0M
    Meta Platforms DPC · IE · Art 25(1-2), 33(3), 33(5)

    2018 'View As' breach affecting 29M accounts. Privacy-by-design failures (€130M + €110M sub-fines under Art 25) plus incomplete breach notification.

  6. 2021-09 €225.0M
    WhatsApp DPC · IE · Art 12, Art 13, Art 14

    Transparency failures — privacy notice unclear about data shared with Facebook.

  7. 2024-02 €79.1M
    Enel Energia Garante · IT · Art 5, Art 6

    Unlawful processing for marketing — re-affirmation of strict opt-in (Garante order 8 Feb 2024).

  8. 2019-01 €50.0M
    Google LLC CNIL · FR · Art 6, Art 13

    Lack of transparency, inadequate information, valid consent regarding ad personalization. Landmark first big-tech GDPR fine.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National addons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

CountryNational actStricter than GDPR baseline?Note
🇩🇪 Germany DE TDDDG (ex-TTDSG) + BDSG Stricter TTDSG renamed TDDDG on 14 May 2024 to align with EU Digital Services Act; §25 cookie-consent rule unchanged and stricter than ePrivacy.
🇫🇷 France FR Loi Informatique et Libertés Stricter CNIL issued formal notices (mises en demeure) on GA4 from Feb 2022 — no fine, but drove migration. Post-DPF (2023) practical posture relaxed for DPF-certified Google entities.
🇮🇹 Italy IT Codice Privacy Stricter Garante prov. 9782890 (23 Jun 2022, Caffeina Media) ruled pre-DPF GA4 transfers unlawful. Post-DPF (Jul 2023) the transfer dimension shifted; ePrivacy/consent issues remain.
🇦🇹 Austria AT DSG 2018 Stricter DSB precedent on GA4 (2021)
🇪🇸 Spain ES LOPDGDD Aligned AEPD aligned with EDPB baseline
🇳🇱 Netherlands NL UAVG Aligned AP published practical GA config manual
🇮🇪 Ireland IE Data Protection Act 2018 Aligned Lead DPA for many US tech companies
🇵🇱 Poland PL UODO Aligned Standard GDPR baseline
🇧🇪 Belgium BE Loi du 30 juillet 2018 Aligned APD active on cookie banners
🇩🇰 Denmark DK Databeskyttelsesloven Aligned Datatilsynet pragmatic enforcement
🇸🇪 Sweden SE Dataskyddslag Aligned IMY active on legitimate-interest scrutiny
🇫🇮 Finland FI Tietosuojalaki Aligned Standard baseline
🇳🇴 Norway NO Personopplysningsloven (EEA) Aligned Datatilsynet aligned via EEA agreement
🇵🇹 Portugal PT Lei n.º 58/2019 Aligned CNPD baseline
🇬🇷 Greece GR Law 4624/2019 Aligned HDPA baseline
🇬🇧 United Kingdom UK UK GDPR + DPA 2018 Aligned Post-Brexit clone with minor divergences

Compared to other laws

Side-by-side rule comparison with the same field on each side.

COMPARE · 2 ENTITIES
GDPR vs CCPA / CPRA
Opt-in EU baseline against opt-out California — same rows on each side.
COMPARE · 2 ENTITIES
GDPR vs UK GDPR
Post-Brexit divergence — DPA 2018, ICO, UK Extension to DPF.
COMPARE · 2 ENTITIES
GDPR vs LGPD
EU baseline vs Brazilian privacy law modeled on it.

Common questions

Does GDPR apply to my US-based site?
Yes, if you offer goods/services to people in the EEA or monitor their behavior — territorial scope under Art 3(2) is extraterritorial. A US site with EU visitors and EU-targeted marketing falls in scope.
What's the difference between GDPR and ePrivacy?
GDPR governs processing of personal data. ePrivacy (Directive 2002/58, plus national laws like Germany's TDDDG — renamed from TTDSG in May 2024) governs terminal-device access — cookies, fingerprinting — regardless of whether the data is personal. Cookies often trigger both.
Do I need consent for analytics?
It depends on the tool. Cookieless tools (Plausible, Fathom, Umami) often don't trigger ePrivacy and can run on legitimate interest. Cookie-based tools (GA4, GTM) trigger ePrivacy → opt-in required, full stop, in the EU.
What's the maximum GDPR fine?
Two-tier structure under Art 83. Tier 1 (Art 83(5)) — substantive violations of Arts 5, 6, 7, 9, 12-22 and Chapter V transfers: up to €20M or 4% of global annual turnover, whichever higher. Tier 2 (Art 83(4)) — administrative/procedural violations such as missing records (Art 30), inadequate breach notification (Art 33), or DPIA failures (Art 35): up to €10M or 2% of global annual turnover. Largest single fine to date: Meta €1.2B (DPC, May 2023).
How fast must I respond to a data subject request?
One month (30 days) from receipt, extendable by two months for complex requests with notice. Identification verification can pause the clock.
Do I need to appoint a DPO?
Required for public authorities and for organizations whose core activities involve large-scale systematic monitoring of data subjects, or large-scale processing of special-category data. Most analytics-first SMEs do not need a DPO.
What's a DPIA and when is it mandatory?
A Data Protection Impact Assessment evaluates risks of high-risk processing. Mandatory for: systematic profiling with legal effects, large-scale special-category data, large-scale public monitoring (CCTV, session replay).
Does Schrems II still affect transfers post-DPF?
The EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795, July 2023) restored adequacy for DPF-certified US recipients. The EU General Court upheld the DPF on 3 September 2025 in T-553/23 (La Quadrature du Net); a 'Schrems III' appeal to the CJEU remains possible. For non-DPF US vendors, the Schrems II logic still applies — supplementary measures (Transfer Impact Assessment, encryption, EU proxy) remain the prudent baseline.
Which DPAs are typically most active in enforcement?
Historically among the more active: Italy (Garante), France (CNIL), Austria (DSB), and several German Länder regulators (LfDI BW, BfDI, HmbBfDI). Ireland (DPC) issues the largest fines because of its lead-DPA role for US tech subsidiaries. 'Most strict' shifts year to year — this is an editorial reading of recent activity, not a ranking.
Is GDPR or CCPA stricter?
GDPR is stricter on lawful basis (opt-in default), territorial scope, and enforcement consistency. CCPA gives broader rights to certain US categories (sale/share opt-out) but applies only to CA residents and to businesses meeting revenue/data thresholds.