Everything developers, product managers, and data teams need to know about the General Data Protection Regulation – from core principles to enforcement fines.
The General Data Protection Regulation is the world's strongest data privacy law, governing how organizations collect, store, and process personal data of EU residents.
GDPR applies to any organization worldwide that processes personal data of people located in the EU/EEA, regardless of where the organization is based. If your product has EU users, GDPR applies to you.
Key milestones:

- European Parliament formally adopts the regulation.
- GDPR enters into force, with a 2-year transition period.
- The regulation becomes fully applicable; organizations must comply.
- Google fined €50M by CNIL (France) for lack of transparency.
- New adequacy decision replacing Privacy Shield for US transfers.
- Record fines continue: Meta €1.2B, TikTok €345M, LinkedIn €310M. See the Enforcement Tracker.
All personal data processing must adhere to these foundational principles:

- **Lawfulness, fairness and transparency**: Data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- **Purpose limitation**: Data must be collected for specified, explicit, and legitimate purposes – and not processed beyond those purposes.
- **Data minimisation**: Only collect data that is adequate, relevant, and limited to what is necessary for the purpose.
- **Accuracy**: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be corrected or erased.
- **Storage limitation**: Data should not be kept longer than necessary for its purpose. Define retention policies.
- **Integrity and confidentiality**: Data must be processed securely – protected against unauthorized access, loss, destruction, or damage.
- **Accountability**: The data controller is responsible for, and must be able to demonstrate compliance with, all of the above principles. Keep records, conduct DPIAs, and appoint a DPO if required.
"The GDPR is not just a compliance exercise – it's about building the right habits for handling people's data with respect and care."
You must have a valid legal basis before processing any personal data. Choose carefully – the basis affects your obligations.
Many organizations default to consent for everything. This is often unnecessary and creates compliance burdens. Evaluate whether another basis (like legitimate interests or contract) is more appropriate first.
| Basis | When to Use | Key Condition | Right to Object? |
|---|---|---|---|
| Consent | Marketing emails, optional cookies, third-party sharing | Freely given, specific, informed, unambiguous – and withdrawable | Yes – withdraw at any time |
| Contract | Account creation, order processing, service delivery | Processing is necessary to perform or enter a contract with the data subject | No |
| Legal Obligation | Tax records, employment law, AML compliance | You are required to process data by EU or Member State law | No |
| Vital Interests | Emergency medical situations | Processing is necessary to protect someone's life. Rarely used. | No |
| Public Task | Government functions, public health authorities | Processing is for an official function or task in the public interest | Yes |
| Legitimate Interests | Fraud prevention, network security, internal analytics | Your interests are balanced against the rights of data subjects via an LIA | Yes – must stop if overridden |
When relying on legitimate interests, document a three-part test: (1) identify the legitimate interest, (2) check processing is necessary, (3) balance against data subject rights and freedoms.
Individuals have powerful rights under GDPR. You must be able to respond to requests within one month (extendable by 2 more in complex cases).
- **Right to be informed (Art. 13–14)**: Individuals must be told how their data is used – at the point of collection, via a privacy notice.
- **Right of access (Art. 15)**: Individuals can request a copy of their personal data and information about how it's processed (a subject access request, SAR).
- **Right to rectification (Art. 16)**: Individuals can have inaccurate personal data corrected or incomplete data completed.
- **Right to erasure (Art. 17)**: The "right to be forgotten" – individuals can request deletion of their data in certain circumstances.
- **Right to restriction of processing (Art. 18)**: Individuals can request that processing is restricted – data is stored but not used – in certain situations.
- **Right to data portability (Art. 20)**: Individuals can receive their data in a structured, machine-readable format and transfer it elsewhere.
- **Right to object (Art. 21)**: Individuals can object to processing based on legitimate interests, or to direct marketing (an absolute right).
- **Rights related to automated decision-making (Art. 22)**: Individuals can request human review of automated decisions (including profiling) that significantly affect them.

You have 1 calendar month from receipt to respond to data subject requests. You may extend by a further 2 months for complex or numerous requests, but you must notify the person within the first month and explain why.
A personal data breach requires prompt action. The 72-hour clock starts when you become aware.
1. Isolate affected systems. Assess the scope: what data was affected and how many individuals are impacted. Assemble your breach response team.
2. Gather facts. Categorize the breach type (confidentiality, integrity, availability). Document everything – timelines, evidence, decisions made.
3. Within 72 hours of becoming aware, notify your lead DPA if the breach is likely to result in a risk to individuals. Include: nature of the breach, categories of data, estimated numbers, likely consequences, and measures taken.
4. If the breach is likely to result in a high risk to individuals, notify them directly without undue delay. Be clear, plain, and direct.

A breach that is unlikely to result in a risk to individuals' rights and freedoms does not need to be reported to the DPA – but it must still be documented internally.
GDPR enforcement has real teeth. The maximum fine is the greater of a fixed amount or a percentage of the organization's worldwide annual turnover.
| Organization | Fine | Year | Reason | Authority |
|---|---|---|---|---|
| Meta (Facebook) | €1.2 Billion | 2023 | Unlawful data transfers to the US | DPC (Ireland) |
| Amazon | €746 Million | 2021 | Cookie consent / advertising tracking violations | CNPD (Luxembourg) |
| Instagram (Meta) | €405 Million | 2022 | Children's data handling violations | DPC (Ireland) |
| WhatsApp (Meta) | €225 Million | 2021 | Lack of transparency in data sharing | DPC (Ireland) |
| TikTok | €345 Million | 2023 | Children's data, default public profiles | DPC (Ireland) |
| Google LLC | €90 Million | 2022 | Cookie rejection mechanism not as easy as acceptance | CNIL (France) |
Certain types of sensitive data require an explicit lawful basis under Art. 6 plus an additional condition under Art. 9.
Special category data cannot be processed unless you meet one of the explicit conditions listed in Article 9(2). The general legitimate interests basis does NOT apply here.
"The processing of biometric data for the purpose of uniquely identifying a natural person constitutes processing of special category data – including facial recognition."
Transferring personal data outside the EU/EEA requires appropriate safeguards.
Frequently asked questions from developers and product teams.
Generally, GDPR applies to personal data of natural persons. Data about a company (like "Acme Corp") is not personal data. However, if the data can identify an individual (e.g. "john@acme.com" or a named contact), GDPR applies even in a B2B context. Sole traders are always natural persons.
Under GDPR (and the ePrivacy Directive), non-essential cookies – including most analytics cookies – require prior informed consent. Strictly necessary cookies for the service to function (session cookies, authentication) do not need consent. Note: Google Analytics is typically considered non-essential and requires consent in the EU.
The controller decides why and how personal data is processed (the "decision-maker"). The processor acts on the controller's instructions – like a CRM, email service, or cloud hosting provider. Both have obligations under GDPR, but controllers bear primary responsibility. A single entity can be both controller and processor for different activities.
No. The CJEU confirmed in Breyer v Germany (2016) that IP addresses are personal data when you have the ability (directly or indirectly) to link the IP to a person. This includes dynamic IPs. Server logs, access logs, and analytics that include IPs are subject to GDPR.
GDPR does not set specific retention periods – it requires you to determine them based on your purpose. You must not keep data longer than necessary. Define a retention schedule for each data category, document it in your ROPA, and implement automated deletion where possible. Legal obligations may require minimum retention (e.g. tax records: 7 years in many jurisdictions).
Pseudonymisation replaces direct identifiers (like name or email) with artificial identifiers (like a UUID). The data is still personal data under GDPR – because it can theoretically be re-identified – but pseudonymised data is treated more favourably. It reduces risk, enables some secondary use (Art. 89), and is a recommended security measure under Art. 32. Full anonymisation (irreversible) removes the data from GDPR scope entirely.
In-depth articles on GDPR, CCPA, online privacy, and data security.
- GDPR geo-blocking is a side effect of compliance costs. Learn how VPN, proxy, Tor and Smart DNS differ – and why the free options may leave you worse off.
- 425 million accounts were breached in 2025 – roughly 14 every second. Here are 7 specific, actionable steps to significantly reduce your exposure starting today.
- CCPA started as a landmark US privacy law. CPRA transformed it with a dedicated enforcement agency, new consumer rights, and mandatory cybersecurity audits from January 2026.
- GDPR fundamentally changed what 'no-logs' means and gave users real legal teeth to hold VPN providers accountable. Eight years in, we know which promises have held up.
- The 'nothing to hide' argument misunderstands what privacy is for. It's not about hiding wrongdoing – it's about the conditions under which free thought and autonomous choice are possible.