EU Data Privacy Laws: Complete GDPR Guide and Compliance (2026)

The General Data Protection Regulation (GDPR) is the most comprehensive data privacy law in the world. It governs how organizations collect, store, process, and share the personal data of individuals located in the European Union and European Economic Area.
The European Parliament adopted the GDPR as Regulation (EU) 2016/679 on April 14, 2016. It replaced the 1995 Data Protection Directive and took effect on May 25, 2018. Every EU member state enforces it through national data protection authorities (DPAs), coordinated by the European Data Protection Board (EDPB).
This guide covers the full GDPR framework: its seven core principles, six legal bases for processing, data subject rights, organizational obligations, enforcement mechanisms, and cross-border transfer rules.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
What Is the GDPR?
The GDPR is a regulation of the European Union that standardizes data protection law across all 27 EU member states plus Iceland, Liechtenstein, and Norway (the EEA countries). Unlike a directive, a regulation applies directly in every member state without requiring national legislation to implement it.

The regulation aims to give individuals control over their personal data while creating a unified regulatory framework for businesses operating across Europe. It replaced a patchwork of national data protection laws that had developed under the 1995 Data Protection Directive (Directive 95/46/EC).
Personal data under the GDPR means any information relating to an identified or identifiable natural person. This includes names, email addresses, location data, IP addresses, cookie identifiers, health information, biometric data, and any other information that can directly or indirectly identify someone.
Territorial Scope: Who Must Comply (Article 3)
The GDPR has an exceptionally broad territorial reach. It applies in three situations outlined in Article 3.
First, it applies to any organization that processes personal data in the context of an establishment in the EU, regardless of whether the processing itself takes place within the EU.
Second, it applies to organizations outside the EU that offer goods or services to individuals in the EU. This means a company in the United States, Japan, or anywhere else must comply with the GDPR if it targets EU customers.
Third, it applies to organizations outside the EU that monitor the behavior of individuals in the EU. Website analytics, behavioral advertising, and tracking technologies all fall under this provision.
The EDPB Guidelines 3/2018 on territorial scope provide detailed interpretations of how Article 3 applies in practice.
The Seven GDPR Principles (Article 5)
Article 5 of the GDPR establishes seven principles that form the foundation of all data processing activities. Every organization that handles personal data must follow these principles.
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner. Organizations must tell individuals what data they collect, why they collect it, and how they use it. Privacy notices must be written in clear, plain language.
2. Purpose Limitation
Data may only be collected for specified, explicit, and legitimate purposes. Organizations cannot collect data for one purpose and then use it for something entirely different without a valid legal basis.
3. Data Minimization
Organizations must collect only the personal data that is adequate, relevant, and limited to what is necessary for the stated purpose. Collecting data "just in case" it might be useful later violates this principle.
4. Accuracy
Personal data must be accurate and kept up to date. Organizations must take reasonable steps to erase or correct inaccurate data without delay.
5. Storage Limitation
Data must be kept in a form that permits identification of the data subject for no longer than necessary. Once the purpose of processing is fulfilled, organizations must delete or anonymize the data.
6. Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security. This includes protection against unauthorized access, accidental loss, destruction, or damage through technical and organizational measures.
7. Accountability
The data controller is responsible for demonstrating compliance with all of the above principles. This means maintaining records, conducting assessments, and being able to prove compliance to regulators upon request.
Six Legal Bases for Processing (Article 6)
Under Article 6 of the GDPR, processing personal data is only lawful if it falls under one of six legal bases. An organization must identify and document its legal basis before processing begins.
1. Consent
The data subject has given clear, informed, and unambiguous consent for processing their data for one or more specific purposes. Consent must be freely given, and the individual must be able to withdraw it at any time as easily as they gave it.
2. Contractual Necessity
Processing is necessary to perform a contract with the data subject or to take steps at their request before entering a contract. An online retailer processing a shipping address to fulfill an order is a typical example.
3. Legal Obligation
Processing is necessary to comply with a legal obligation to which the controller is subject. Tax reporting, employment law requirements, and anti-money laundering regulations are common examples.
4. Vital Interests
Processing is necessary to protect the vital interests of the data subject or another person. This applies in life-or-death situations, such as medical emergencies where the individual cannot give consent.
5. Public Interest or Official Authority
Processing is necessary for performing a task carried out in the public interest or in the exercise of official authority vested in the controller. Government agencies and public bodies most commonly rely on this basis.
6. Legitimate Interests
Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the rights and freedoms of the data subject. Organizations must conduct a legitimate interest assessment to use this basis. The EDPB Guidelines 1/2024 on legitimate interest provide detailed guidance.
Data Subject Rights (Articles 15-22)
The GDPR grants individuals eight specific rights over their personal data. Organizations must respond to rights requests within one month, extendable by two additional months for complex requests.
Right of Access (Article 15)
Individuals have the right to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with information about the purposes, categories, recipients, and retention periods.
Right to Rectification (Article 16)
Individuals can require organizations to correct inaccurate personal data or complete incomplete data without undue delay.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," this allows individuals to request deletion of their personal data when it is no longer necessary for the original purpose, when they withdraw consent, or when the data was unlawfully processed. This right is not absolute and does not apply when processing is necessary for exercising freedom of expression, complying with legal obligations, or establishing legal claims.
Right to Restriction of Processing (Article 18)
Individuals can request that an organization restrict the processing of their data in certain circumstances, such as when they contest the accuracy of the data or when the processing is unlawful but the individual prefers restriction over erasure.
Right to Data Portability (Article 20)
Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that the data be transmitted directly to another controller where technically feasible.
Right to Object (Article 21)
Individuals can object to processing based on legitimate interests or public interest grounds, including profiling. When an individual objects, the organization must stop processing unless it can demonstrate compelling legitimate grounds that override the individual's interests.
For direct marketing purposes, the right to object is absolute. Organizations must stop processing for direct marketing as soon as an objection is received.
Rights Related to Automated Decision-Making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. This includes the right to obtain human intervention, express their point of view, and contest the decision.
Controller and Processor Obligations
The GDPR distinguishes between data controllers (organizations that determine the purposes and means of processing) and data processors (organizations that process data on behalf of controllers).
Data Protection Officer (Articles 37-39)
Organizations must appoint a Data Protection Officer (DPO) in three situations: when the processing is carried out by a public authority, when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities involve large-scale processing of special categories of data.
The DPO must be independent, report to the highest level of management, and cannot be dismissed or penalized for performing their duties. Organizations must provide the DPO with adequate resources and ensure they are involved in all data protection matters.
Data Protection Impact Assessment (Article 35)
A Data Protection Impact Assessment (DPIA) is required before any processing that is likely to result in a high risk to the rights and freedoms of individuals. This includes systematic profiling with legal effects, large-scale processing of special categories of data, and large-scale systematic monitoring of publicly accessible areas.
The DPIA must describe the processing, assess its necessity and proportionality, evaluate risks to individuals, and identify measures to address those risks.
Records of Processing Activities (Article 30)
Controllers and processors with more than 250 employees must maintain written records of their processing activities. Smaller organizations must also keep records if their processing is likely to result in a risk to rights and freedoms, is not occasional, or includes special categories of data.
Data Protection by Design and by Default (Article 25)
Organizations must implement data protection principles from the earliest stages of system design. By default, only personal data that is necessary for each specific purpose should be processed. This applies to the amount of data collected, the extent of processing, storage periods, and accessibility.
Breach Notification Requirements
The GDPR imposes strict breach notification obligations in Articles 33 and 34.
Notification to the Supervisory Authority (Article 33)
When a personal data breach occurs, the data controller must notify the competent supervisory authority within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, the controller must provide a reasoned justification for the delay.
The notification must describe the nature of the breach, the approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach.
Notification to Data Subjects (Article 34)
When a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to affected data subjects without undue delay. The communication must describe the nature of the breach in clear and plain language.
Notification to data subjects is not required if the controller has implemented appropriate technical protection measures (such as encryption), has taken subsequent measures that ensure the high risk is no longer likely to materialize, or if individual notification would involve disproportionate effort.
GDPR Penalties and Fines (Article 83)
Article 83 of the GDPR establishes a two-tier penalty structure.
The lower tier provides for fines of up to EUR 10 million or 2% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher. This applies to violations of controller and processor obligations, certification body obligations, and monitoring body obligations.
The upper tier provides for fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. This applies to violations of the core processing principles, data subject rights, international transfer rules, and specific member state laws.
Supervisory authorities consider several factors when determining fines, including the nature, gravity, and duration of the violation, whether it was intentional or negligent, actions taken to mitigate damage, the degree of cooperation with the authority, and any previous violations.
Top 10 Largest GDPR Fines
Since May 2018, data protection authorities across the EU have issued over 2,700 fines totaling approximately EUR 6.8 billion. The following table shows the ten largest fines as of early 2026.
| Rank | Company | Fine (EUR) | DPA | Year | Violation |
|---|---|---|---|---|---|
| 1 | Meta (Facebook) | 1.2 billion | Irish DPC | 2023 | Transferring EU user data to the US without adequate safeguards |
| 2 | Amazon | 746 million | Luxembourg CNPD | 2021 | Non-compliance with general data processing principles for ad targeting |
| 3 | TikTok | 530 million | Irish DPC | 2025 | Transferring EEA user data to China without adequate safeguards |
| 4 | Meta (Instagram) | 405 million | Irish DPC | 2022 | Processing children's data without adequate protections |
| 5 | Meta (Facebook/Instagram) | 390 million | Irish DPC | 2023 | Lacking valid legal basis for behavioral advertising |
| 6 | TikTok | 345 million | Irish DPC | 2023 | Failures in handling children's data and privacy settings |
| 7 | | 310 million | Irish DPC | 2024 | Insufficient legal basis for behavioral advertising |
| 8 | Uber | 290 million | Dutch AP | 2024 | Transferring EU driver data to the US without adequate safeguards |
| 9 | Meta (Facebook) | 265 million | Irish DPC | 2022 | Insufficient security measures leading to data scraping of 533 million users |
| 10 | Meta (Facebook) | 251 million | Irish DPC | 2024 | Security breach affecting 29 million users globally |
Ireland's Data Protection Commission has issued approximately EUR 4 billion in total fines, largely because major technology companies including Meta, Google, Apple, TikTok, LinkedIn, and Microsoft have their European headquarters in Ireland, which makes the Irish DPC their lead supervisory authority under the GDPR's one-stop-shop mechanism.
Spain's Agencia Española de Protección de Datos leads in volume, having issued over 1,000 individual fines, though most are smaller amounts targeting domestic companies.
Cross-Border Data Transfers
Transferring personal data outside the EU and EEA requires specific legal mechanisms under Chapter V of the GDPR.
Adequacy Decisions
The European Commission can determine that a country, territory, or international organization provides an adequate level of data protection. Once an adequacy decision is in place, data can flow freely to that destination without additional safeguards.
As of early 2026, the following countries and territories have received adequacy decisions from the European Commission:
Andorra, Argentina, Brazil (2026), Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (via the EU-US Data Privacy Framework, commercial organizations), and Uruguay. The European Patent Organisation also received an adequacy finding in 2025.
EU-US Data Privacy Framework
The European Commission adopted the EU-US Data Privacy Framework adequacy decision on July 10, 2023. This framework replaced the invalidated Privacy Shield and allows certified US organizations to receive EU personal data without additional transfer mechanisms.
The framework introduced new safeguards including limitations on US intelligence agencies' access to EU data to what is necessary and proportionate, and the creation of a Data Protection Review Court (DPRC) for EU individuals to seek redress.
US companies must self-certify their compliance with the framework's principles through the Department of Commerce. The framework applies only to organizations that have actively certified, not to all US companies.
Standard Contractual Clauses (SCCs)
For transfers to countries without adequacy decisions, Standard Contractual Clauses adopted by the European Commission provide a legal mechanism. The current SCCs were adopted in June 2021 and include modules for controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers.
Organizations using SCCs must conduct a transfer impact assessment to evaluate whether the laws of the recipient country provide adequate protection for the transferred data.
Binding Corporate Rules (BCRs)
Multinational organizations can adopt Binding Corporate Rules to govern international data transfers within their corporate group. BCRs must be approved by the competent supervisory authority and provide enforceable data subject rights.
EDPB and Enforcement Structure
The European Data Protection Board (EDPB) is the independent EU body responsible for ensuring consistent application of the GDPR across all member states. It replaced the Article 29 Working Party when the GDPR took effect.
One-Stop-Shop Mechanism
The GDPR's one-stop-shop mechanism allows organizations with establishments in multiple EU member states to deal with a single lead supervisory authority for cross-border processing activities. The lead authority is typically the DPA in the country where the organization has its main establishment.
This mechanism is designed to prevent organizations from facing multiple parallel investigations in different countries for the same processing activities. However, concerned supervisory authorities in other member states can raise objections, and the EDPB can issue binding decisions to resolve disputes.
In May 2025, the EU adopted the GDPR Procedural Regulation, which introduces fixed deadlines for cross-border enforcement decisions and streamlines cooperation between national DPAs.
National Data Protection Authorities
Each EU member state has at least one independent supervisory authority responsible for monitoring GDPR compliance. These DPAs have investigative powers (including conducting audits and inspections), corrective powers (including issuing warnings, reprimands, and fines), and authorization powers (including approving BCRs and certifications).
The most active enforcement authorities by fine volume include the Irish DPC, French CNIL, Luxembourg CNPD, Dutch Autoriteit Persoonsgegevens, and Italian Garante per la protezione dei dati personali.
Coordinated Enforcement Framework
The EDPB conducts annual coordinated enforcement actions focused on specific GDPR themes. The 2026 coordinated enforcement action focuses on transparency and information obligations under the GDPR, with all national DPAs conducting parallel investigations on the same topic.
Special Categories of Data
Article 9 of the GDPR prohibits processing of special categories of personal data unless a specific exception applies. These categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, and data concerning a person's sex life or sexual orientation.
Exceptions allowing processing of special category data include explicit consent, employment and social security obligations, vital interests, legitimate activities of foundations or associations, data manifestly made public by the data subject, legal claims, substantial public interest, healthcare purposes, public health, and archiving or research purposes.
GDPR Compliance Checklist
Organizations processing EU personal data should address these core compliance requirements:
- Identify and document the legal basis for each processing activity
- Maintain a record of processing activities
- Implement appropriate technical and organizational security measures
- Appoint a Data Protection Officer if required
- Conduct Data Protection Impact Assessments for high-risk processing
- Establish procedures for responding to data subject rights requests within 30 days
- Implement data breach detection and 72-hour notification procedures
- Ensure data processing agreements are in place with all processors
- Maintain lawful transfer mechanisms for any data sent outside the EU/EEA
- Provide clear and accessible privacy notices
- Implement data protection by design and by default
- Train staff on data protection responsibilities
Sources and References
- GDPR Full Text - Regulation (EU) 2016/679 (eur-lex.europa.eu)
- European Commission - Data Protection in the EU (ec.europa.eu)
- EDPB Guidelines 3/2018 on Territorial Scope (Article 3) (edpb.europa.eu)
- EDPB Guidelines 1/2024 on Legitimate Interest (edpb.europa.eu)
- European Commission - Adequacy Decisions for International Data Transfers (ec.europa.eu)
- EU-US Data Privacy Framework Adequacy Decision (ec.europa.eu)
- European Data Protection Board (EDPB) (edpb.europa.eu)
- EDPB - 1.2 Billion Euro Fine for Facebook (EDPB Binding Decision) (edpb.europa.eu)
- EDPB CEF 2026 - Coordinated Enforcement on Transparency (edpb.europa.eu)
- GDPR Enforcement Tracker - Fines and Penalties Database (enforcementtracker.com)
- EDPB - Guidelines on Calculation of Administrative Fines (edpb.europa.eu)