What Is GDPR? Complete Guide to EU Data Protection (2026)

The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's binding data protection law, enforceable since May 25, 2018. It grants individuals rights over their personal data, places compliance obligations on organizations that handle it, and extends to any organization worldwide that targets or monitors EU residents.
The General Data Protection Regulation, universally known as the GDPR, is the world's most influential data protection law. Published as Regulation (EU) 2016/679 in the Official Journal of the European Union on May 4, 2016, it became enforceable on May 25, 2018, after a two-year transition period. It applies directly in every EU member state and, through Article 3, reaches organizations based anywhere in the world that process the personal data of people located in the EU.
This guide explains the GDPR from the ground up: its origins, territorial scope, seven core principles, key definitions, the six lawful bases for processing, an overview of data subject rights, who enforces it, what penalties look like, how it relates to national law, and the latest 2024-2026 developments. For detailed treatment of specific topics, use the sibling guides linked throughout.
For the broader EU legal context, see our EU data privacy laws overview.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for advice specific to your situation.
Quick Answer: What Is the GDPR?
The GDPR is a directly applicable EU regulation that sets uniform rules for collecting, storing, using, and sharing the personal data of individuals located in the EU and European Economic Area. "Regulation" is the key word: unlike an EU directive, a regulation does not require member states to pass implementing legislation. It became binding law in all 27 EU member states automatically on the same day.
At its core, the GDPR does three things. It gives individuals (called "data subjects") enforceable rights over their personal data. It places obligations on the organizations (called "controllers" and "processors") that handle that data. And it establishes independent supervisory authorities in every member state to investigate complaints and levy fines when things go wrong.
The GDPR replaced Directive 95/46/EC, the 1995 Data Protection Directive, which had governed EU data protection for over two decades.

History and Purpose
The 1995 Data Protection Directive
The EU's first major data protection framework was Directive 95/46/EC, adopted in October 1995. A directive does not apply directly; each member state had to pass its own national implementing law. The result was a patchwork of 28 different national statutes. Businesses operating across Europe had to navigate a different compliance regime in each country.
The directive worked tolerably for the dial-up internet era but grew increasingly inadequate as social media platforms, cloud services, and smartphones generated personal data on an unprecedented scale through the 2000s and early 2010s.
From Proposal to Adoption
The European Data Protection Supervisor (EDPS) documented that the European Commission first proposed replacing the directive with a regulation in January 2012. Choosing a regulation rather than a new directive solved the patchwork problem: a single set of rules would apply uniformly across all member states.
Negotiations between the European Parliament, the Council of the European Union, and the Commission ran for four years and involved more than 3,000 parliamentary amendments. The Council adopted its position on April 8, 2016. The European Parliament approved the final text on April 14, 2016. The regulation was published in the Official Journal on May 4, 2016, with May 25, 2018, set as the enforcement date, giving organizations two years to prepare.
Post-Enforcement Evolution
The GDPR did not freeze data protection law in 2018. The European Data Protection Board (EDPB) has published dozens of guidelines interpreting specific provisions. Courts across Europe have issued landmark rulings on consent, legitimate interests, and international data transfers. Cumulative GDPR fines exceeded EUR 7.1 billion by early 2026, with approximately EUR 1.15 billion issued in 2025 alone.
April 2026 marked ten years since the GDPR's adoption in April 2016. The EDPB noted that the regulation had established the first comprehensive data protection framework spanning an entire continent and had directly influenced privacy legislation in more than 150 countries.
Territorial Scope: Who Must Comply? (Article 3)
Article 3 of the GDPR is unusually broad for a national or regional law. It establishes two main criteria for applicability.
The Establishment Criterion (Article 3(1))
The GDPR applies to any controller or processor that processes personal data "in the context of the activities of an establishment" in the EU. Establishment does not require formal incorporation; a branch, subsidiary, or stable arrangement of any kind qualifies.
Critically, processing does not need to occur on EU soil. A company headquartered in Berlin that processes customer data on servers in the United States is still subject to the GDPR because processing occurs in the context of its EU establishment.
The Targeting Criterion (Article 3(2))
Organizations with no EU establishment must still comply if they:
- Offer goods or services to individuals in the EU, whether or not payment is required; or
- Monitor the behavior of individuals located in the EU, including through website analytics, behavioral advertising, location tracking, and cookie-based profiling.
The EDPB Guidelines 3/2018 on territorial scope clarify that a website merely being accessible from the EU is not sufficient. There must be evidence of intent to target EU residents: accepting euros, providing content in EU languages, or expressly referencing EU customers are all indicators.
The EU Representative Requirement (Article 27)
Non-EU organizations subject to the GDPR by virtue of the targeting criterion must designate, in writing, a representative located in the EU. This representative acts as the point of contact for supervisory authorities and data subjects.

The Seven Data Protection Principles (Article 5)
Article 5 of the GDPR lays down seven principles that apply to every processing activity. Violating them triggers the higher tier of fines (up to EUR 20 million or 4% of global turnover). The accountability principle in Article 5(2) places the burden of proof on the organization to demonstrate compliance with all seven.
1. Lawfulness, Fairness, and Transparency
Processing must have a valid legal basis under Article 6. It must be conducted in ways that people would reasonably expect and not cause unjustified harm. Organizations must clearly tell people what happens to their data through accessible privacy notices.
2. Purpose Limitation
Personal data may only be collected for specified, explicit, and legitimate purposes and may not be further processed in a manner incompatible with those original purposes. Collecting email addresses for order confirmations and later using them for marketing without a separate legal basis violates this principle. Limited exceptions exist for archiving, scientific research, and statistical purposes.
3. Data Minimization
Only personal data that is adequate, relevant, and limited to what is strictly necessary for the stated purpose may be processed. Organizations should not collect data "just in case" it becomes useful later.
4. Accuracy
Personal data must be accurate and kept up to date. Organizations must take every reasonable step to erase or correct inaccurate data without delay. The ICO guidance on data protection principles notes that accuracy means the data must not be misleading in context, not merely technically correct.
5. Storage Limitation
Data must be held in identifiable form only for as long as necessary for the processing purpose. Once the purpose is fulfilled, the organization must delete or anonymize the data. Retention schedules must be documented; indefinite storage is not permitted.
6. Integrity and Confidentiality (Security)
Personal data must be processed with appropriate technical and organizational security measures to protect it against unauthorized access, accidental loss, destruction, or damage. This principle underpins the breach notification obligations in Articles 33 and 34.
7. Accountability
The controller is responsible for, and must be able to demonstrate, compliance with all six principles above. This is an active obligation: maintaining records of processing activities, conducting data protection impact assessments where required, appointing a Data Protection Officer where mandated, and making compliance evidence available to supervisory authorities.
Key Definitions (Article 4)
Article 4 of the GDPR contains 26 definitions. The six that appear throughout every compliance analysis are:
Personal Data
Any information relating to an identified or identifiable natural person (the "data subject"). The definition is intentionally broad and technology-neutral. It covers names, email addresses, phone numbers, IP addresses, cookie identifiers, location data, genetic data, biometric data, photographs, and any combination of data that could directly or indirectly identify someone.
The European Commission emphasizes that the GDPR applies whether data is stored digitally, on paper, or captured through video surveillance.
Processing
"Processing" covers virtually any operation performed on personal data: collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction. The definition is deliberately expansive; if you handle personal data in any way, you are processing it.
Controller
The data controller is the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing. Controllers decide why data is collected and how it will be used. They bear primary GDPR compliance responsibility.
Processor
A data processor processes personal data on behalf of, and under the instructions of, a controller. A cloud hosting company that stores a retailer's customer database is acting as a processor. Processors must follow the controller's instructions, implement appropriate security, and enter into a written data processing agreement under Article 28. EDPB Guidelines 07/2020 provide detailed guidance on determining roles.
Data Subject
The natural person whose personal data is being processed. Data subjects are the rights-holders under Chapter III of the GDPR.
Special Categories of Personal Data
Article 9 identifies categories of data that are especially sensitive and warrant extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data about sex life or sexual orientation. Processing these categories is prohibited by default; only the specific exceptions listed in Article 9(2) permit it.
The Six Lawful Bases for Processing (Article 6)
Every act of processing must rest on one of the six lawful bases set out in Article 6. Controllers must identify and document the applicable basis before processing begins. Bases cannot be switched after the fact.
| Lawful Basis | When It Applies | Typical Example |
|---|---|---|
| Consent | Data subject gives a freely given, specific, informed, and unambiguous indication of agreement | Newsletter signup with an explicit opt-in checkbox |
| Contractual Necessity | Processing is necessary to perform a contract with the data subject, or to take pre-contractual steps at their request | Using a shipping address to fulfill an online order |
| Legal Obligation | Processing is required to comply with a legal obligation under EU or member state law | Retaining payroll records for tax purposes |
| Vital Interests | Processing is necessary to protect the life of the data subject or another person | Sharing medical data in an emergency |
| Public Interest / Official Authority | Processing is necessary for a task carried out in the public interest or in the exercise of official authority | Public health surveillance by a government agency |
| Legitimate Interests | Processing is necessary for the controller's (or a third party's) legitimate interests, which are not overridden by the data subject's interests or fundamental rights | Fraud prevention, network security, direct marketing (with care) |
Consent is often misidentified as the default basis. The EDPB Guidelines 1/2024 on legitimate interests clarify that legitimate interests requires a balancing test and cannot be used for processing that clearly overrides individual rights.
For detailed guidance on when consent is needed and what makes it valid, see our guide to GDPR consent requirements.
Data Subject Rights: An Overview (Chapter III)
Chapter III of the GDPR grants eight categories of rights to data subjects. Controllers must respond to rights requests without undue delay and within one month (extendable by two further months for complex requests). Responses must be free of charge.
| Right | Article | What It Means |
|---|---|---|
| Right to be informed | Arts. 13, 14 | Receive clear information about processing through privacy notices |
| Right of access | Art. 15 | Obtain confirmation of processing and a copy of personal data held |
| Right to rectification | Art. 16 | Have inaccurate or incomplete data corrected |
| Right to erasure ("right to be forgotten") | Art. 17 | Have data deleted when no longer needed, consent is withdrawn, or processing was unlawful |
| Right to restriction | Art. 18 | Limit processing in defined circumstances while a dispute is resolved |
| Right to data portability | Art. 20 | Receive personal data in a structured, machine-readable format and transfer it to another controller |
| Right to object | Art. 21 | Object to processing based on legitimate interests or direct marketing |
| Rights related to automated decision-making | Art. 22 | Not be subject solely to automated decisions that produce significant legal or similar effects |
None of these rights is absolute. The GDPR sets out specific grounds on which controllers may refuse or limit requests. For a full treatment of each right and how organizations must respond, see our guide to GDPR data subject rights.
Enforcement: How the GDPR Is Policed

National Supervisory Authorities (DPAs)
Each EU member state has at least one independent Data Protection Authority. DPAs have three categories of powers under Article 58:
- Investigative powers: ordering information to be provided, carrying out data protection audits, and obtaining access to premises.
- Corrective powers: warnings, reprimands, orders to comply, temporary or permanent bans on processing, and administrative fines.
- Authorization and advisory powers: approving binding corporate rules, issuing opinions, authorizing standard contractual clauses.
Well-known DPAs include Ireland's Data Protection Commission (DPC), France's CNIL, Germany's multiple Landesbeauftragten, Italy's Garante, and Spain's AEPD.
The European Data Protection Board (EDPB)
The EDPB is the independent EU body comprising all national DPAs and the European Data Protection Supervisor. It replaced the Article 29 Working Party when the GDPR took effect. The EDPB issues binding decisions in cross-border disputes, publishes interpretive guidelines, and coordinates enforcement across member states.
The One-Stop-Shop Mechanism
For organizations operating across multiple EU member states, the GDPR's one-stop-shop mechanism designates a single "lead supervisory authority": typically the DPA in the member state of the organization's main EU establishment. Other "concerned" DPAs can raise objections to draft decisions, and unresolved disputes are escalated to the EDPB for a binding decision.
Ireland's DPC has emerged as the dominant enforcer by monetary value because so many large technology companies (Meta, Google, Apple, TikTok, LinkedIn, X) have their European headquarters in Dublin.
Penalties (Articles 83 and 84)
The GDPR establishes two tiers of administrative fines:
Lower tier (Article 83(4)): up to EUR 10 million or 2% of global annual turnover, whichever is higher. This applies to violations of controller and processor obligations under Articles 8, 11, 25-39, 42, and 43 (including DPO requirements, data protection by design, and breach notification).
Upper tier (Article 83(5)): up to EUR 20 million or 4% of global annual turnover, whichever is higher. This applies to violations of the basic principles (Article 5), lawful bases (Article 6), consent conditions (Article 7), special categories rules (Article 9), data subject rights (Chapter III), and international transfer rules (Chapter V).
Member states may also impose additional penalties under Article 84, including criminal sanctions.
Notable enforcement examples:
- Ireland's DPC fined TikTok EUR 530 million in 2025 for unlawful transfers of EU user data to China.
- Ireland's DPC fined Meta EUR 1.2 billion in 2023 for unlawful data transfers to the United States via standard contractual clauses.
- Ireland's DPC fined Meta EUR 251 million in December 2024 for breach notification and data security failures related to the 2018 "View As" vulnerability.
- LinkedIn was fined EUR 310 million in 2024 for using behavioral advertising without a valid lawful basis.
Cumulative GDPR fines exceeded EUR 7.1 billion by early 2026. For the complete breakdown of how fines are calculated and the full list of major enforcement actions, see our guide to GDPR fines and penalties.
GDPR and National Implementing Laws
Despite being a directly applicable regulation, the GDPR includes more than 50 opening clauses that permit or require member states to add, restrict, or adapt specific provisions under national law. The result is that GDPR compliance in Germany is not identical to GDPR compliance in France or Ireland.
Common areas of national variation include:
Age of consent for children's data. Article 8 sets the default at 16 years but allows member states to lower it to a minimum of 13. The UK (which applied the GDPR before Brexit) set it at 13.
Special categories of data. Article 9(4) allows member states to impose additional conditions on processing health data, genetic data, and biometric data for identification purposes.
Employment data. Article 88 permits member states to adopt specific rules for employee data, including pre-employment screening and workplace monitoring.
Freedom of expression and journalism. Article 85 requires member states to reconcile data protection with freedom of expression, including for journalistic, academic, and artistic purposes.
Criminal convictions data. Article 10 leaves to member states the conditions under which records of criminal offenses may be processed by private parties.
Organizations operating across multiple member states need to verify not only the GDPR itself but the applicable national implementation law in each relevant state.
Recent Developments: 2024 to 2026
GDPR Procedural Regulation (Regulation (EU) 2025/2518)
One persistent criticism of the GDPR was that cross-border enforcement cases took too long. The one-stop-shop mechanism required extensive cooperation between the lead DPA and concerned DPAs, and there were no binding deadlines.
The EU addressed this with Regulation (EU) 2025/2518, the GDPR Procedural Regulation. Published in the Official Journal on December 12, 2025, it entered into force on January 1, 2026, and will apply from April 2, 2027 (with transitional rules protecting ongoing investigations).
Key changes:
- Binding 15-month deadline for lead DPA investigations, extendable by 12 months for complex cases.
- Standardized procedures for complainants and parties under investigation.
- Greater transparency obligations on enforcement timelines.
- Clarified participation rights for complainants during the enforcement process.
This regulation does not alter substantive GDPR obligations; it governs how DPAs coordinate and what procedural rights parties have.
The Digital Omnibus Proposal (November 2025)
On November 19, 2025, the European Commission adopted a wide-ranging Digital Omnibus package proposing amendments to multiple EU digital laws including the GDPR, the Data Act, the ePrivacy Directive, NIS 2, and others. As of May 2026, the Digital Omnibus is a legislative proposal only; it has not been enacted and is undergoing standard EU co-legislative procedure involving the European Parliament and the Council.
Key proposed GDPR amendments include:
- Narrowing the record-keeping obligation under Article 30 for organizations with fewer than 750 employees, unless processing poses a high risk.
- Amending Articles 13, 14, and 15 to introduce limits on the scope of information rights in defined circumstances.
- Adjusting the purpose-limitation rule in Article 5(1)(b).
- Introducing a "single entry point" for data breach notifications under a new Article 33a.
- Refining Article 22 on automated decision-making.
The EDPB and EDPS issued a joint opinion in early 2026 supporting certain simplification elements but raising serious concerns about proposed changes to the definition of personal data, which they argued went beyond established CJEU case law and would significantly narrow the concept. The current GDPR text remains in force until any amendments complete the legislative process and are formally published.
EU AI Act and GDPR
The EU AI Act entered into application on a phased timeline from 2024 to 2026. The EDPB has confirmed that processing personal data to develop or deploy AI systems is subject to GDPR obligations, and the EDPB is working with the Commission's AI Office on joint guidelines on the interplay between the AI Act and GDPR, expected for adoption in 2026. The core principle is straightforward: AI Act compliance does not substitute for GDPR compliance.
The GDPR's Global Influence
Since 2018, the GDPR has influenced privacy legislation in more than 150 countries. Brazil's Lei Geral de Proteção de Dados (LGPD), Japan's amended Act on the Protection of Personal Information (APPI), South Korea's Personal Information Protection Act (PIPA), and India's Digital Personal Data Protection Act of 2023 all incorporate GDPR-derived concepts. California's CCPA and CPRA introduced GDPR-style data subject rights into US law.
The European Commission's adequacy framework reinforces this influence: countries seeking to receive personal data freely from the EU must demonstrate protections "essentially equivalent" to the GDPR, effectively setting GDPR compliance as a global benchmark.
Frequently Asked Questions
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It is Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted on April 14, 2016, and enforceable since May 25, 2018. The regulation standardizes data protection law across all EU member states and the European Economic Area, replacing the 1995 Data Protection Directive.
Does the GDPR apply outside of Europe?
Yes. Article 3 gives the GDPR extraterritorial reach. Any organization worldwide that offers goods or services to EU residents, or that monitors the behavior of EU residents (such as through website analytics, behavioral advertising, or tracking), must comply with the GDPR regardless of where it is based. A company in the United States, Canada, or Japan is subject to the GDPR if it processes EU residents' personal data in these contexts.
What are the seven principles of the GDPR?
The seven principles under Article 5 are: (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) data minimization; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality (security); and (7) accountability. These principles apply to all processing of personal data. The accountability principle places the burden on the controller to demonstrate compliance with the other six.
What is the difference between a data controller and a data processor?
A controller decides the purposes and means of processing personal data and bears primary GDPR compliance responsibility. A processor handles personal data on behalf of the controller, following the controller's instructions. For example, a retailer (controller) may use a cloud hosting provider (processor) to store its customer data. Controllers and processors must enter into a written data processing agreement under Article 28.
What are the six lawful bases for processing?
Article 6 sets out six lawful bases: (1) consent of the data subject; (2) contractual necessity; (3) compliance with a legal obligation; (4) protection of vital interests; (5) performance of a task in the public interest or exercise of official authority; and (6) legitimate interests of the controller or a third party. Every processing activity must be justified under one of these bases before processing begins.
What are the maximum GDPR fines?
The highest tier of GDPR fines is EUR 20 million or 4% of total worldwide annual turnover from the preceding financial year, whichever is higher. This applies to violations of core principles, lawful bases, data subject rights, and international transfer rules. A lower tier of EUR 10 million or 2% applies to more procedural violations. The largest single GDPR fine to date is EUR 1.2 billion, issued to Meta by Ireland's DPC in 2023 for unlawful data transfers.
What is the GDPR Procedural Regulation?
Regulation (EU) 2025/2518, known as the GDPR Procedural Regulation, was published in December 2025 and entered into force on January 1, 2026, with application from April 2, 2027. It introduces binding deadlines for cross-border enforcement cases (a 15-month investigation window, extendable by 12 months), standardized procedural rights for complainants and parties under investigation, and improved transparency. It does not change the substantive obligations in the GDPR itself.
What is the EU Digital Omnibus and how does it affect the GDPR?
The Digital Omnibus is a legislative proposal adopted by the European Commission on November 19, 2025 that would amend multiple EU digital laws including the GDPR. As of May 2026 it is still under co-legislative negotiation between the European Parliament and the Council and has not been enacted. Proposed changes to the GDPR include narrowing record-keeping obligations for smaller organizations, modifying information rights, adjusting breach notification rules, and refining automated decision-making rules. The current GDPR text remains in force until any amendments are formally adopted and published.
When did the GDPR take effect?
The GDPR was adopted on April 14, 2016, published on May 4, 2016, and took effect on May 25, 2018, after a two-year transition period. It replaced the 1995 Data Protection Directive (Directive 95/46/EC). May 25, 2026 marked the eighth anniversary of the GDPR becoming applicable.
Sources and References
- GDPR Full Text — Regulation (EU) 2016/679 (eur-lex.europa.eu)
- Directive 95/46/EC — 1995 Data Protection Directive (eur-lex.europa.eu)
- GDPR Consolidated Text (EUR-Lex) (eur-lex.europa.eu)
- European Data Protection Board (EDPB) (edpb.europa.eu)
- EDPB Guidelines 3/2018 on Territorial Scope (Article 3) (edpb.europa.eu)
- EDPB — Article 5 Principles (edpb.europa.eu)
- EDPB Guidelines 1/2024 on Legitimate Interests (Article 6(1)(f)) (edpb.europa.eu)
- EDPB Guidelines 07/2020 — Controller and Processor (edpb.europa.eu)
- EDPB SME Guide — Data Controller vs Data Processor (edpb.europa.eu)
- EDPB SME Guide — Respecting Individuals' Rights (edpb.europa.eu)
- EDPB and EDPS Joint Opinion on Digital Omnibus (2026) (edpb.europa.eu)
- EDPB — Marking 10 Years of the GDPR (2026) (edpb.europa.eu)
- EDPS — History of the GDPR (edps.europa.eu)
- European Commission — Principles of the GDPR (commission.europa.eu)
- European Commission — Controller vs Processor (commission.europa.eu)
- European Commission — Data Protection Explained (commission.europa.eu)
- European Commission — Adequacy Decisions (commission.europa.eu)
- European Commission — Data Protection in the EU (commission.europa.eu)
- ICO — Guide to the Data Protection Principles (ico.org.uk)
- Article 3 GDPR — Territorial Scope (gdpr-info.eu)
- Article 5 GDPR — Principles (gdpr-info.eu)
- Article 6 GDPR — Lawfulness of Processing (gdpr-info.eu)
- GDPR Chapter 3 — Rights of the Data Subject (gdpr-info.eu)