The EU’s General Data Protection Regulation (GDPR) – an overview

Most international privacy laws — such as those in Brazil, South Africa, or China — only cover the jurisdiction of the country where they were drafted and passed. The General Data Protection Regulation, however, has covered the EU’s 27 member countries and the three additional European Economic Area (EEA) countries of Iceland, Liechtenstein and Norway since it came into force in 2018.

The General Data Protection Regulation (GDPR) is arguably the best known and most influential of the global privacy laws passed to date and continues to influence legislation. Other regulations passed in the EU since 2018 have also been designed to be enforced in conjunction with or defer to the GDPR’s provisions.

The GDPR was not the first international privacy law. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was passed in 2000, and South Africa’s Protection of Personal Information Act (POPIA) was passed in 2013. The world’s first data protection legislation was enacted in 1970 in the German state of Hesse.

The General Data Protection Regulation is a privacy law that requires organizations that offer goods and services to, or monitor the behavior of, individuals located in the EU/EEA to uphold their privacy rights and safeguard personal data that has been collected or processed.

The GDPR replaced the 1995 Data Protection Directive, which created data protection laws on a country by country basis, resulting in a less cohesive patchwork of regulations in Europe.

The regulation requires the implementation of seven principles of data protection and facilitates eight privacy rights for consumers. Member states have their own data protection authorities to handle enforcement; it is not handled by a central authority.

As noted in Art. 3, the GDPR applies to organizations that process the personal data of “anyone in EU territory” in the course of offering goods or services or monitoring behavior, regardless of whether or not there is payment. It doesn’t matter if the company is headquartered in the EU or even has a physical presence there.

Further, Recital 25 outlines the applicability of the GDPR as a consequence of the applicability of international law:

“Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.”

Art. 4 GDPR has a full list of definitions of important terms used in the regulation. We’ve included some of the most relevant and frequently used to help organizations and individuals understand key GDPR requirements and provisions.

Any information relating to “an identified or identifiable natural person” who can be directly or indirectly identified using it is personal data. This can include obvious information like names, ID numbers, phone numbers, or email addresses, but also IP addresses, information collected via browser cookies, or sensitive personal details like gender, religious beliefs, or political affiliation.

Personally Identifiable Information (PII), is a term commonly used in the United States to refer to information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. There can be some differences, including in regulatory text, between what is categorized as personal data/information and what is PII.

Any action performed on personal data or sets of personal data, whether automated or manual, is data processing. This can include, among other actions, “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of the personal data.

The GDPR defines “data subject” as a natural person whose personal data is being processed by a controller or processor.

For companies online, or businesses with a physical location that have an online presence, most commonly this would include visitors to a website, customers, or app users.

A data controller is the “natural or legal person, public authority, agency or other body which, alone or jointly with others,” decides why and how personal data will be processed.

Most commonly this is a company or international organization. The controller also liaises with and directs the data processor, if that entity is a third party.

When two or more data controllers decide the purposes and means of data processing individually or jointly, they are joint controllers.

Art. 26 GDPR provides detailed provisions for joint controllership and requires joint controllers to have a recorded (contractual) arrangement between them. This agreement outlines respective roles and responsibilities, specifically regarding exercise of data subjects’ rights and the joint controllers’ duties to provide information under the GDPR.

Data subjects may exercise their rights against any or all controllers in a joint controllership arrangement.

A third party that processes personal data on behalf of a data controller is a data processor. This could include a wide variety of entities, including a natural or legal person, public authority, agency or other body.

Employees of a data controller acting within the scope of their employment duties are typically considered agents of the data controller, not data processors. Data processors can range from cloud-based server providers, to payment processors, , adtech or martech companies and more.

Art. 5 GDPR lays out the principles of the GDPR that organizations must uphold while processing users’ personal data.

Organizations must have a lawful or legal basis for processing personal data, e.g. with user consent or the performance of a contract. They must manage data in a way that is not unduly detrimental, unexpected, or misleading, and must provide clear and accessible information about its data processing activities.

Personal data can only be collected for a specific, explicit, and legitimate purpose, and organizations cannot process it further in a manner incompatible with those purposes. If the purpose(s) for which a company has collected and processed personal data changes, they must obtain new user consent for the new processing purpose(s).

Organizations should only process the least amount of personal data that is necessary to achieve its processing purposes and should only share data with the fewest entities necessary to complete processing.

Personal data must be retained only for as long as organizations need it for processing purposes. After fulfilling these purposes, organizations are expected to return, delete, or anonymize the data to prevent unnecessary storage of personal information. Storage limitation also applies to third-party processors.

Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted without delay. The right to rectification is included among data subjects’ rights.

Organizations must process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful access or processing and against accidental loss, destruction, or damage.

Organizations are responsible for complying with the GDPR and must be able to demonstrate compliance with all of these principles. Third-party processors have security and privacy compliance responsibilities as well, but ultimate responsibility belongs to the controller, so strong contracts and oversight are important.

Art. 6 GDPR covers “lawfulness of processing”, or legal bases, as they’re commonly referred to. These are the circumstances under which data processing by a controller is legal.

While user consent is probably the one that comes most easily to mind, there are six in total:

• the data subject has given consent
• to perform a contract with the data subject
• compliance with a legal obligation to which the data controller is subject
• to protect the vital interests of the data subject or of another natural person
• in the public interest, or if the data controller is exercising official authority
• legitimate interests pursued by the controller or by a third party

Companies need to be careful where legitimate interest is concerned. It can be convenient for a data controller to claim, as it avoids having to obtain and store user consent. However, it also has to be provable to authorities. Under the GDPR, legitimate interest does not apply “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interest has also been restricted as a viable legal basis more recently in version 2.2 of IAB Europe’s Transparency and Consent Framework. Legitimate interest can no longer be selected as a legal basis for advertising and content personalization (purposes 3,4,5, and 6), so now consent is the only option that can be selected.

Certain situations require a data controller to share an individual’s data with a third party to fulfill the obligations of a contract. An example of this is ecommerce companies, which often work with third parties like payment processors and logistics and fulfillment companies to complete orders and deliver purchases to the customer.

Under the GDPR, controllers can share personal data with these third parties. This is known as processing “necessary for the performance of a contract” under Article 6 of the GDPR. The data controller in this case is required to ensure, through a data protection agreement or appropriate contractual clauses, that these third parties also comply with the GDPR’s data protection requirements.

Consumers online are often asked for their consent for collection and processing of their personal data multiple times a day. Websites regularly pop up cookie walls or cookie banners asking for consent. Many of these provide varying levels of transparency in communicating rights and options, granularity in customizing consent choices, or rejecting consent altogether, although many cookie banners are still not GDPR-compliant.

Recital 32 lists the GDPR’s conditions for valid consent:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

The Recital also outlines conditions that are not valid for consent and how to accurately represent the scope of the consent request.

• Silence, pre-ticked boxes or inactivity do not constitute valid consent as they are not a clear indication of the data subject’s explicit consent.
• Consent should cover all processing activities carried out for the same purpose or purposes.
• When the data will be processed for multiple purposes, the data subject must give explicit consent for all of them.
• If the data subject’s consent is to be given following an electronic request, the request must be clear and concise and must not unnecessarily disrupt the use of the service for which consent is provided.

Communications or user interface features that manipulate or trick users into providing consent or otherwise completing actions they may not have otherwise chosen are known as “dark patterns”. Legislators and authoritative bodies are taking an increasingly negative view of such activities and organizations that employ them, and some regulations have explicitly prohibited them.

Art. 7 GDPR outlines conditions for consent with the data controller’s responsibilities.

• The controller must be able to prove that the data subject consented to the processing of their data, e.g. to data protection authorities in the event of an audit, or a data subject access request.
• If consent is given in a written declaration covering other matters, the request for consent must be presented in a clearly distinguishable and intelligible way that is easily accessible, with clear and plain language.
• The data subject must be able to withdraw consent at any time, and it has to be as easy to do so as to grant consent. This can include changing preferences to provide partial or different granular-level consent.
• Performing a contract or providing services cannot be provisional upon receiving the data subject’s consent if consent is not necessary to perform the contract or provide services.

The EU’s GDPR uses an “opt in” model of user consent, which means that organizations cannot collect or process data until the user — an online shopper, website visitor, app user, etc. — explicitly consents to it. This requirement includes both personal data like names and email addresses, and also quite granular and “behind the scenes” data. For example, under the GDPR users must consent to the processing of personal data, often obtained through the use of cookies and other tracking technologies on websites before those services are allowed to be active for that user’s online activities.

Internationally, many other laws, like Brazil’s Lei Geral de Proteção de Dados Pessoais / General Data Protection Law (LGPD) also use this consent model.

The state-level data privacy laws in the United States, however, have to date implemented an “opt out” model of user consent. Organizations subject to these regulations do not have to obtain user consent prior to collection of data in most cases (with the typical exception of children’s data or data categorized as sensitive), but they do have to obtain consent prior to selling the data or using it for profiling or targeted advertising purposes.

The GDPR provides data subjects with eight explicit rights under Chapter 3, Articles 15 to 22. These have also formed the backbone of consumers’ rights under data privacy laws passed in other countries, though the “right to be forgotten” has been less widely adopted outside of the EU.

Data subjects have the right to be informed about the collection of their personal data, including:

• identity of the data controller
• purposes of the processing
• recipients or categories of recipients of the personal data
• the envisaged period for which the personal data will be stored

If a Data Protection Officer (DPO) has been appointed, data subjects also have the right to access the DPO’s contact details. This information is typically provided through a privacy notice or privacy policy.

Data subjects have the right to know if a data controller has processed their personal information, and, where this is the case, to access the data collected. They also have the right to know the purposes of processing, types of personal data, how long the data will be stored for, and who has access to it. They can make a request to the controller using a Data Subject Access Request (DSAR).

If the data controller has inaccurate or incomplete data, the data subject has the right to request a rectification or completion of this data.

In certain situations, the data subject has the right to request that the controller delete their personal data. These situations include when the data is no longer needed, when the user withdraws consent, and when the data has been unlawfully processed, among others.

Data subjects have the right to request that their personal data not be processed in certain instances, such as when the data is inaccurate (until the controller can verify its accuracy), processing is unlawful, and the controller no longer needs the data, among others.

Data subjects have the right to receive a copy of the personal data they have provided to a controller. The controller must provide this data in a “structured, commonly used and machine-readable format.” The data subject has the right to transfer this data to another controller without any objection or impediments from the original controller, provided that the processing is based on consent or on a contract, and is carried out by automated means. This right has been extended in the EU under regulations like the Digital Markets Act (DMA).

Data subjects have the right to object to the processing of their personal data on certain grounds, such as when the data is processed on the grounds of legitimate interests or is used for direct marketing purposes (Art. 21 GDPR). If data is processed for direct marketing, individuals can object at any time, and their data can no longer be processed for these purposes.

Data subjects have the right not to be subjected to important decisions made solely by automated processes or profiling, such as those made by computers without human involvement (e.g. AI tools), if these decisions significantly impact them legally or in other major ways.

Learn more: Artificial intelligence (AI), personal data and consent

Some key questions from companies that arise from the GDPR revolve around compliance:

• Who is responsible for GDPR compliance?
• Are there any exceptions to GDPR compliance requirements?
• What are the requirements to comply with the GDPR?
• How can companies comply with the GDPR?

Any legal entity — whether a natural or legal person — that processes the personal data of natural persons located within the EU in the course of offering goods or services or monitoring behavior must comply with the provisions of the GDPR.

This includes both data controllers, who determine the purpose and means of processing personal data, and data processors, who process data on behalf of the controller. Each has specific responsibilities under the GDPR to ensure compliance.

What’s important is that the data subject must be located in the EU; the legal entity responsible for compliance can be located anywhere in the world.

Per Art. 2 GDPR on material scope, it does not apply in all circumstances of data processing. Exceptions include activities that:

• fall outside the scope of European Union law
• fall within the scope of Title V, Chapter 2 of the Treaty on European Union
• are by an individual (natural person) in the course of a purely personal or household activity
• are for law enforcement purposes (e.g. crime prevention, investigation or prosecution), including preventing threats to public security

There are exemptions for other authorities as well (e.g. tax, customs, etc.) in the course of fulfilling their duties, as outlined by Recital 31, Art. 89 GDPR also has exceptions for scientific, statistical, and historical purposes, and Recital 153 has considerations relating to journalism, academia, artistic and/or literary expression.

With regards to data itself, rather than its processing specifically, Recital 26 outlines exceptions that apply to anonymized/pseudonymized data.

Among other responsibilities in pursuing GDPR compliance, companies must clearly communicate:

• what categories of data they collect
• for what purposes it’s being collected
• how it’s being collected
• who will have access to it (Recital 39)

If any of these circumstances change, the data subject must be notified and consent obtained for the new circumstances. A privacy policy on the company’s website is a common location to present this information.

If a data controller engages a third party to process data on its behalf, there must also be contractual agreement in place between them (Art. 28 GDPR). The data processor must implement appropriate security measures and assist the controller in ensuring GDPR compliance. Processors are also required to notify the controller if they believe an instruction violates the GDPR and to assist the controller in fulfilling data subject rights requests.

With some exceptions, data controllers can’t retain the data for any longer than is necessary to complete the purpose for which it was collected (Art. 5 GDPR). They are obligated to delete it upon request by the data subject and notify the subject upon completion of the request (Art. 17 GDPR). Data subjects also have the right to withdraw their consent to collection and processing of their data at any time under the GDPR, even if they previously provided consent. Data controllers must make it as easy to change or revoke consent as it was to give it.

The GDPR also provides specific cases in which an organization must appoint a Data Protection Officer (DPO) (Arts. 37 to 39 GDPR), namely any of the following:

• where a public authority or body carries out data processing activities
• the data processing activities require regular, systematic, and large scale monitoring of data subjects
• data processing pertaining to sensitive categories is being carried out on a large scale, such as:
  • genetic data
  • biometric data
  • medical data
  • data that can reveal racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs

The organization must provide the DPO’s contact details to the supervisory authority and make them publicly available, typically through its privacy policy or on its website.

Section 3 (Arts. 35 and 36 GDPR) of the GDPR outlines the requirements for Data Protection Impact Assessments (DPIA) in certain situations. Data controllers have the responsibility to conduct a DPIA for processing that may pose high risks to the safety or privacy rights of individuals.

Controllers must document these assessments, outlining the process, risks identified, and measures taken to address these risks, ensuring GDPR compliance and protecting individual rights. Controllers must obtain the DPO’s advice when carrying out the DPIA and must consult with the supervisory authority before processing data that the DPIA determines would result in a high risk that cannot be mitigated.

Data controllers and processors must maintain records of processing activities (Art. 30 GDPR). The records should contain information regarding, among other things:

• name and contact details of the controller/joint controller/processor
• any transfers of personal data to third countries or international organizations
• general descriptions of technical and organizational security measures

These records are an essential part of demonstrating compliance with the GDPR and must be made available to the supervisory authority upon request.

Art. 33 GDPR requires controllers to notify the supervisory authority of a personal data breach “without undue delay” and, in any event, no later than 72 hours after the controller becomes aware of it. If the notification is not made within 72 hours, controllers must explain why it was delayed. The controller must document the data breach and include the facts surrounding the breach, its effects, and measures taken to remedy it. Controllers must also notify data subjects of the data breach (Art. 34 GDPR) if there is a “high risk to the rights and freedoms” of the data subjects as a result of the breach.

Businesses that act as data controllers or data processors can take several steps to comply with the GDPR’s requirements.

A GDPR data privacy audit evaluates the data your organization processes and stores, its sources, and your compliance with the GDPR. It focuses on various critical areas such as consent management, data security practices, and access controls to identify risks and areas for improvement.

A detailed privacy policy that’s easily accessible to users can fulfill the GDPR’s transparency requirements. Ensure your privacy policy stays up to date if there are any changes in your data handling practices, and include key information required by the GDPR, such as:

• types of personal data collected
• legal bases and purpose(s) for processing data
• how long you will retain the data
• data subjects’ rights
• how data subjects can exercise their rights
• how dats subjects can withdraw consent
• contact details of the DPO, if your organization has one

User consent must fulfill all the requirements of the GDPR’s definition of consent to be valid, and consent must be obtained without manipulations. Businesses that handle the data of users in the EU can use a consent management platform (CMP) like Usercentrics CMP to collect explicit, informed, legally valid consent.

Usercentrics CMP enables you to collect opt-in consent from users in the EU and records consent as required by the GDPR. It enables granular consent collection so that users may allow consent for certain purposes and reject consent for others. It also enables users to easily change or withdraw their consent at any time.

Whether you’re a data controller or processor, you must maintain detailed records of processing activities. The required information is slightly different for controllers and processors (Art. 30 GDPR details what is required), and you must keep the relevant records to demonstrate compliance with GDPR requirements.

Chapter 5 (Arts. 44 to 50 GDPR) deals with transfers of data from the EU to third countries or international organizations, either while undergoing processing or after. Transferring data outside of the EU requires measures beyond the standard ones, particularly for data protection, and often requires a specific adequacy agreement (Art. 45 GDPR).

Adequacy agreements enable ongoing data processing between entities, so additional authorization is not required on a regular basis unless the terms of the original agreement change: “where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

Adequacy agreements most commonly exist between countries but can exist with international organizations as well. For example, Canada’s PIPEDA has been deemed adequate for data transfers with the EU. The EU-U.S. Data Privacy Framework, in effect since July 2023, is the current adequacy decision for data transfers to the US.

When assessing adequacy, some of the conditions considered include:

• relevant regulations
• the rule of law and human rights record
• public security
• access to personal data by public authorities
• data protection rules
• existence of independent supervisory authorities
• other international commitments the third country or organization has entered into

The GDPR requires that adequacy decisions are periodically reviewed, at least every four years. However, they can be repealed, amended, or suspended at any time if new information demonstrates that the third country or organization no longer guarantees an adequate level of data protection.

Data can still be transferred to a third country or international organization without an adequacy agreement in place, but only if the controller or processor has provided appropriate safeguards (Art. 46 GDPR) and can abide by and enforce data subject rights.

Absent an adequacy agreement or confirmation of appropriate safeguards, data transfers can still be done, but only under the following circumstances (Art. 49 GDPR).

• The data subject has been informed of possible risks of the transfer and lack of adequacy decision or appropriate safeguards, and has explicitly consented.
• The transfer is necessary for performance of a contract between the controller and the data subject.
• The transfer is necessary for performance or conclusion of a contract between the controller and another legal/natural person and is in the data subject’s interest.
• Important reasons of public interest.
• To establish, exercise, or defend legal claims.
• To protect the data subject’s or other persons’ vital interest where the data subject is physically or legally incapable of giving consent.
• The transfer is, for a particular case, made from a register intended to provide information to the public, is open to consultation by anyone who can demonstrate a legitimate interest, and within the laws of the EU or member state.

There are two tiers of penalties for GDPR violations, with conditions for levying them outlined in Art. 83 GDPR.

In the first tier of penalties, infringement of the following provisions are subject to fines up to EU 10 million, or up to 2 percent of the total worldwide annual turnover (gross revenue) for the preceding financial year, whichever is higher, for violations of:

• obligations of the controller and the processor (Arts. 8, 11, 25 to 39, 42 and 43 GDPR)
• obligations of the certification body (Arts. 42 and 43 GDPR)
• obligations of the monitoring body (Art. 41 GDPR)

In the second tier of GDPR penalties, for more egregious violations, infringement of the following provisions are subject to fines up to EU 20 million, or up to 4 percent of the total worldwide annual turnover (gross revenue) for the preceding financial year, whichever is higher, for violations of:

• basic principles for processing, including conditions for consent (Arts. 5, 6, 7 and 9 GDPR)
• the data subjects’ rights (Arts. 12 to 22 GDPR)
• the transfers of personal data to a recipient in a third country or an international organization (Arts. 44 to 49 GDPR)
• any obligations pursuant to Member State law adopted under Chapter 9 GDPR
• noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority (Art. 58 GDPR) or failure to provide access in violation of Article 58

Enforcement of the EU GDPR is a collective effort across several authorities within the EU and is mainly in the hands of national Data Protection Authorities (DPAs) within each EU member state. These supervisory authorities, established under Chapter 6 GDPR, are independent public authorities that have the power to investigate compliance, handle complaints, and issue penalties or fines for violations. DPAs also issue guidelines and resources on GDPR compliance.

They work together to ensure consistent application of GDPR across the EU, supported by the European Data Protection Board (EDPB), which enhances cooperation among DPAs and advises on key data protection matters.

Under Art. 77 GDPR, data subjects have the right to lodge a complaint with a supervisory authority or DPA “in the Member State of his or her habitual residence, place of work or place of the alleged infringement”.

Any person who has suffered “material or non-material damage” as a result of a GDPR violation has the right under Art. 82 GDPR to receive compensation from the data controller or data processor for the damage suffered, unless the controller or processor can prove it is not responsible for the event that caused the damage. The GDPR is one of the international privacy laws that enables private right of action, i.e. data subjects can sue companies or other entities if harmed by a violation.

There are a number of international privacy laws that predate the GDPR, including Canada’s PIPEDA and South Africa’s POPIA. The GDPR garnered global attention when it was implemented, and it has served as an influence and a template for legislation in many places since. The GDPR has also been bolstered by subsequent laws with data privacy provisions to account for the evolution of the legal and technology landscapes.

Although the GDPR is one of the most widely discussed data privacy laws, it’s not the only data privacy law in Europe. The ePrivacy Directive (often known as the “cookie law”) sits alongside the GDPR and specifically addresses privacy issues in electronic communication. The ePrivacy Directive is not a European data protection regulation like the GDPR and is not automatically enforced within the EU. Instead, it requires incorporation into the national laws of the EU member states, such as Spain’s Law of Information Society Services and Electronic Commerce and Denmark’s Cookiebekendtgørelsen.

The GDPR applied to the United Kingdom (UK) as an EU member state until its exit from the EU in January 2020. As a result, the UK has had to establish its own data protection law, known as the UK General Data Protection Regulation. The UK’s national data protection authority is the Information Commissioner’s Office (ICO), which oversees the UK GDPR as well as the earlier Data Protection Act 2018, among other laws. The EU does now have an adequacy decision with the UK to enable flow of data.

The US does not yet have a federal privacy law or a North American regional law with major trading partners (like Canada and Mexico). Instead, there is a patchwork of state-level data privacy laws, with more being passed each year. As mentioned above, the EU-U.S. Data Privacy Framework is the current adequacy decision for data transfers to the US.

When Japan’s Act on Protection of Personal Information (APPI) was updated in 2017, it became extraterritorial, like the GDPR. Japan and the European Commission have reached a mutual adequacy agreement.

India’s Digital Personal Data Protection Act (DPDPA) came into effect in 2023. It applies to the processing of personal data within India when the data is collected digitally or when non-digital data is later digitized. It has extraterritorial application if the processing of personal data takes place outside India in connection with any activity related to the offering of goods or services within India. Its definition of consent is modeled closely after the GDPR’s definition: consent under Indian law shall be “free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.”

Technology continually evolves, requiring privacy law to evolve with it. What will need to change when third-party cookies go extinct? How will children be protected from social apps harvesting their biometric data? How will AI be used and regulated? This is just a small sample of questions that regulators, companies, and citizens will have to address, and that will have to be reflected in the regulation, or related regulations.

Fortunately there are tools, such as those for consent management, to help companies navigate GDPR requirements and communicate them to users.

If you have questions about how the GDPR affects your business, or about consent management for websites and apps, we’re happy to help. Contact one of our experts!