Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
GDPR National DPAs · coordinated by EDPB

REGULATION · EU REGULATION · IN FORCE SINCE 2018

General Data Protection Regulation

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

EUR-Lex official text · Reviewed 2026-04-15 · Free reference, sources cited

Scope and territorial reach

The General Data Protection Regulation harmonized EU privacy law and replaced Directive 95/46/EC. Direct effect — no national transposition required, though most member states layered additional national acts on top (TTDSG in Germany, Loi I&L in France, DPA 2018 in UK).

Scope

Applies extraterritorially under Art 3(2) — any controller offering goods/services to or monitoring behavior of EU/EEA data subjects.

Where it applies — 20 jurisdictions


Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Lawfulness, fairness, transparency · Art 5(1)(a)
     Process data on a clear legal basis, fairly, and tell users what you do.

  2. Purpose limitation · Art 5(1)(b)
     Collect data for specified, explicit purposes — don't repurpose later.

  3. Data minimisation · Art 5(1)(c)
     Only collect what's adequate, relevant, and necessary for the purpose.

  4. Accuracy · Art 5(1)(d)
     Keep data accurate and up to date; correct or erase inaccurate data without delay.

  5. Storage limitation · Art 5(1)(e)
     Keep data only as long as necessary; define and document retention periods.

  6. Integrity & confidentiality · Art 5(1)(f)
     Protect data against unauthorized access, loss, or destruction (security).

  7. Accountability · Art 5(2)
     Demonstrate compliance — document everything (ROPA, DPIA, policies).

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Consent · Art 6(1)(a)
User explicitly opts in (free, specific, informed, unambiguous).
Common for: analytics, marketing cookies, newsletters

Contract · Art 6(1)(b)
Necessary to perform a contract with the user.
Common for: account creation, order processing

Legal obligation · Art 6(1)(c)
Required by law (tax records, AML, GDPR itself).
Common for: invoice retention, KYC

Vital interests · Art 6(1)(d)
Necessary to protect someone's life.
Common for: medical emergencies (rare for web)

Public task · Art 6(1)(e)
Performing a task in the public interest or in the exercise of official authority.
Common for: government services, public health

Legitimate interest · Art 6(1)(f)
Necessary for your legitimate interests, provided those interests do not override the user's rights; requires a documented Legitimate Interests Assessment (LIA).
Common for: fraud prevention, basic security logging

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Right · Article · Response · Scope
Right to be informed · Art 13–14 · At collection · Privacy notice must be transparent.
Right of access · Art 15 · 30 days · User can request a copy of all their data.
Right to rectification · Art 16 · 30 days · Correct inaccurate or incomplete data.
Right to erasure · Art 17 · 30 days · "Right to be forgotten" — deletion under specific conditions.
Right to restrict processing · Art 18 · 30 days · Pause processing while disputes are resolved.
Right to data portability · Art 20 · 30 days · Receive data in a machine-readable format and transfer it to another controller.
Right to object · Art 21 · 30 days · Object to processing (esp. direct marketing — absolute right).
Rights re: automated decisions · Art 22 · 30 days · Not to be subject to solely automated decisions with legal effect.

Fines & enforcement

Maximum administrative penalty: €20.0M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2023-05 · €1.2B · Meta Platforms Ireland · DPC · IE · Art 46(1)
     Largest GDPR fine on record. Transfers of EU user data to the US under SCCs without sufficient supplementary measures, following the CJEU Schrems II ruling (C-311/18).

  2. 2021-07 · €746.0M · Amazon Europe · CNPD · LU · Art 6, 12-17, 21
     Targeted advertising without valid consent — second-largest GDPR fine. Appealed in Luxembourg administrative court.

  3. 2022-09 · €405.0M · Instagram (Meta) · DPC · IE · Art 5(1)(a/c), 6(1), 12(1), 24, 25(1-2), 35(1)
     Children's data: business-account contact info public-by-default; privacy-by-design failures; insufficient DPIA.

  4. 2023-09 · €345.0M · TikTok · DPC · IE · Art 5(1)(a/c/f), 12(1), 13(1)(e), 24, 25(1-2)
     Children's data: profiles default-public for minors; data-protection-by-design failures; ineffective transparency for under-13s. Under appeal in Irish High Court.

  5. 2024-12 · €251.0M · Meta Platforms · DPC · IE · Art 25(1-2), 33(3), 33(5)
     2018 'View As' breach affecting 29M accounts. Privacy-by-design failures (€130M + €110M sub-fines under Art 25) plus incomplete breach notification.

  6. 2024-05 · €251.0M · Meta Platforms · DPC · IE · Art 33
     Late breach notification — 72h rule.

  7. 2021-09 · €225.0M · WhatsApp · DPC · IE · Art 12, 13, 14
     Transparency failures — privacy notice unclear about data shared with Facebook.

  8. 2024-02 · €79.1M · Enel Energia · Garante · IT · Art 5, 6
     Unlawful processing for marketing — re-affirmation of strict opt-in (Garante order 8 Feb 2024).

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National addons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

Country · National act · Stricter than GDPR baseline? · Note
🇩🇪 Germany (DE) · TDDDG (ex-TTDSG) + BDSG · Stricter · TTDSG renamed TDDDG on 14 May 2024 to align with the EU Digital Services Act; §25 cookie-consent rule unchanged and stricter than ePrivacy.
🇫🇷 France (FR) · Loi Informatique et Libertés · Stricter · CNIL issued formal notices (mises en demeure) on GA4 from Feb 2022 — no fine, but drove migration. Post-DPF (2023) practical posture relaxed for DPF-certified Google entities.
🇮🇹 Italy (IT) · Codice Privacy · Stricter · Garante prov. 9782890 (23 Jun 2022, Caffeina Media) ruled pre-DPF GA4 transfers unlawful. Post-DPF (Jul 2023) the transfer dimension shifted; ePrivacy/consent issues remain.
🇦🇹 Austria (AT) · DSG 2018 · Stricter · DSB precedent on GA4 (2021).
🇪🇸 Spain (ES) · LOPDGDD · Aligned · AEPD aligned with EDPB baseline.
🇳🇱 Netherlands (NL) · UAVG · Aligned · AP published a practical GA configuration manual.
🇮🇪 Ireland (IE) · Data Protection Act 2018 · Aligned · Lead DPA for many US tech companies.
🇵🇱 Poland (PL) · UODO · Aligned · Standard GDPR baseline.
🇧🇪 Belgium (BE) · Loi du 30 juillet 2018 · Aligned · APD active on cookie banners.
🇩🇰 Denmark (DK) · Databeskyttelsesloven · Aligned · Datatilsynet pragmatic enforcement.
🇸🇪 Sweden (SE) · Dataskyddslag · Aligned · IMY active on legitimate-interest scrutiny.
🇫🇮 Finland (FI) · Tietosuojalaki · Aligned · Standard baseline.
🇳🇴 Norway (NO) · Personopplysningsloven (EEA) · Aligned · Datatilsynet aligned via EEA agreement.
🇵🇹 Portugal (PT) · Lei n.º 58/2019 · Aligned · CNPD baseline.
🇬🇷 Greece (GR) · Law 4624/2019 · Aligned · HDPA baseline.
🇬🇧 United Kingdom (UK) · UK GDPR + DPA 2018 · Aligned · Post-Brexit clone with minor divergences.

Common questions

Does GDPR apply to my US-based site?
Yes, if you offer goods/services to people in the EEA or monitor their behavior — territorial scope under Art 3(2) is extraterritorial. A US site with EU visitors and EU-targeted marketing falls in scope.
What's the difference between GDPR and ePrivacy?
GDPR governs processing of personal data. ePrivacy (Directive 2002/58, plus national laws like Germany's TDDDG — renamed from TTDSG in May 2024) governs terminal-device access — cookies, fingerprinting — regardless of whether the data is personal. Cookies often trigger both.
Do I need consent for analytics?
It depends on the tool. Cookieless tools (Plausible, Fathom, Umami) often don't trigger ePrivacy and can run on legitimate interest. Cookie-based tools (GA4, GTM) trigger ePrivacy, so in the EU prior opt-in consent is required, full stop.
What's the maximum GDPR fine?
Two-tier structure under Art 83. Tier 1 (Art 83(5)) — substantive violations of Arts 5, 6, 7, 9, 12-22 and Chapter V transfers: up to €20M or 4% of global annual turnover, whichever higher. Tier 2 (Art 83(4)) — administrative/procedural violations such as missing records (Art 30), inadequate breach notification (Art 33), or DPIA failures (Art 35): up to €10M or 2% of global annual turnover. Largest single fine to date: Meta €1.2B (DPC, May 2023).
How fast must I respond to a data subject request?
One month (30 days) from receipt, extendable by two months for complex requests with notice. Identification verification can pause the clock.
Do I need to appoint a DPO?
Required for public authorities and for organizations whose core activities involve large-scale systematic monitoring of data subjects, or large-scale processing of special-category data. Most analytics-first SMEs do not need a DPO.
What's a DPIA and when is it mandatory?
A Data Protection Impact Assessment evaluates risks of high-risk processing. Mandatory for: systematic profiling with legal effects, large-scale special-category data, large-scale public monitoring (CCTV, session replay).
Does Schrems II still affect transfers post-DPF?
The EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795, July 2023) restored adequacy for DPF-certified US recipients. The EU General Court upheld the DPF on 3 September 2025 in T-553/23 (La Quadrature du Net); a 'Schrems III' appeal to the CJEU remains possible. For non-DPF US vendors, the Schrems II logic still applies — supplementary measures (Transfer Impact Assessment, encryption, EU proxy) remain the prudent baseline.
Which countries enforce GDPR most strictly?
Historically: Italy (Garante), Austria (DSB), France (CNIL), Germany (LfDI BW). Ireland (DPC) issues the largest fines due to lead-DPA role for US tech companies.
Is GDPR or CCPA stricter?
GDPR is stricter on lawful basis (opt-in default), territorial scope, and enforcement consistency. CCPA gives broader rights to certain US categories (sale/share opt-out) but applies only to CA residents and to businesses meeting revenue/data thresholds.