EU GDPR
The EU General Data Protection Regulation (GDPR) is one of the most comprehensive data privacy laws in the world. It came into effect in 2018 and has since become the global gold standard for data protection — inspiring regulations around the world.
The GDPR has extra-territorial scope, meaning that it also applies to organisations outside Europe. If a company has no establishment in Europe but targets the EU market or monitors EU data subjects, it falls under the scope of the GDPR. In addition to all other obligations under the GDPR, such organisations are required to appoint a representative to act on their behalf as the addressee for authorities and data subjects.
One of the GDPR's core objectives is to give individuals more control over how their personal data is processed. This is reflected in a wide range of data subject rights, including the right to access, rectification, erasure (the "right to be forgotten"), restriction of processing, data portability, and the right to object. Organizations must provide transparent information about data processing and respond to these rights promptly, usually within one month.
The GDPR also imposes strict obligations on organizations to ensure data is processed lawfully, fairly, and securely. Controllers and processors must implement appropriate technical and organizational measures, maintain detailed records of processing activities, and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. Appointing a Data Protection Officer (DPO) is required in certain cases to ensure ongoing compliance and oversight.
A critical aspect of GDPR compliance is the requirement to report personal data breaches. Organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless it’s unlikely to pose a risk to individuals’ rights and freedoms. If the breach is likely to result in high risk, affected data subjects must also be informed. These obligations highlight the GDPR’s focus on accountability, transparency, and the protection of individual privacy.
EU GDPR Legal Text
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
25 May 2018
EU GDPR FAQ
What are the objectives of the GDPR?
Set uniform rules that (1) protect natural persons’ fundamental rights—especially the right to personal-data protection—and (2) ensure the free movement of personal data within the EU is not restricted for data-protection reasons. (Article 1)
Who must comply with the GDPR?
The GDPR applies to:
- Entities established in the EU that process personal data, regardless of whether the processing takes place in the EU or not.
- Entities not established in the EU, if they offer goods or services to individuals in the EU or monitor their behaviour as far as that behaviour takes place within the EU.
Does the GDPR apply to a non-EU company offering services to EU residents?
Yes. Under Article 3(2) GDPR, the Regulation applies to controllers and processors not established in the EU if they:
- Offer goods or services to individuals in the Union, or
- Monitor their behaviour as far as it takes place within the Union.
This extraterritorial application ensures that the rights and freedoms of EU data subjects are protected regardless of where the data processing entity is located.
Importantly, such non-EU entities are required to appoint a representative in the EU under Article 27 GDPR, unless an exemption applies (e.g. occasional processing that does not include special categories of data and is unlikely to result in a risk to individuals’ rights and freedoms). This representative acts as the point of contact for supervisory authorities and data subjects.
What are the GDPR fines?
The GDPR establishes two tiers of administrative fines, depending on the nature and gravity of the infringement:
- Up to €10 million, or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher), for violations such as failure to implement technical and organizational measures, failure to appoint a Data Protection Officer where required, or failure to designate an EU representative (Article 83(4)).
- Up to €20 million, or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher), for more serious violations including breaches of the data protection principles, data subjects’ rights, or conditions for consent (Article 83(5)–(6)).
What is a Data Protection Officer?
A Data Protection Officer (DPO) is a person designated by an organization to oversee GDPR compliance, advise on data protection obligations, and serve as a point of contact with supervisory authorities and data subjects. A DPO is mandatory where:
- The processing is carried out by a public authority or body,
- The core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or
- The core activities involve processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The DPO must operate independently and report to the highest management level.
(Articles 37–39, Recital 97)
Do you need help with the EU GDPR?
Our experts help you navigate the complexity of this regulation and ensure compliance.
