EU GDPR FAQ

What are the objectives of the GDPR?

Set uniform rules that (1) protect natural persons’ fundamental rights—especially the right to personal-data protection—and (2) ensure the free movement of personal data within the EU is not restricted for data-protection reasons. (Article 1)

Who must comply with the GDPR?

The GDPR applies to:

  • Entities established in the EU that process personal data, regardless of whether the processing takes place in the EU or not.
  • Entities not established in the EU, if they offer goods or services to individuals in the EU or monitor their behaviour as far as that behaviour takes place within the EU.

Does the GDPR apply to a non-EU company offering services to EU residents?

Yes. Under Article 3(2) GDPR, the Regulation applies to controllers and processors not established in the EU if they:

  • Offer goods or services to individuals in the Union, or
  • Monitor their behaviour as far as it takes place within the Union.

This extraterritorial application ensures that the rights and freedoms of EU data subjects are protected regardless of where the data processing entity is located.

Importantly, such non-EU entities are required to appoint a representative in the EU under Article 27 GDPR, unless an exemption applies (e.g. occasional processing that does not include special categories of data and is unlikely to result in a risk to individuals’ rights and freedoms). This representative acts as the point of contact for supervisory authorities and data subjects.

What are the GDPR fines?

The GDPR establishes two tiers of administrative fines, depending on the nature and gravity of the infringement:

  • Up to €10 million, or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher), for violations such as failure to implement technical and organizational measures, failure to appoint a Data Protection Officer where required, or failure to designate an EU representative (Article 83(4)).
  • Up to €20 million, or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher), for more serious violations including breaches of the data protection principles, data subjects’ rights, or conditions for consent (Article 83(5)–(6)).

What is a Data Protection Officer?

A Data Protection Officer (DPO) is a person designated by an organization to oversee GDPR compliance, advise on data protection obligations, and serve as a point of contact with supervisory authorities and data subjects. A DPO is mandatory where:

  • The processing is carried out by a public authority or body,
  • The core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or
  • The core activities involve processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

The DPO must operate independently and report to the highest management level. (Articles 37–39, Recital 97)