The general data protection regulation
The EU general data protection regulation (GDPR) governs how the personal data of individuals in the EU may be processed and transferred.
What is the GDPR?
The EU general data protection regulation (GDPR) is the strongest privacy and security law in the world.
This regulation updated and modernised the principles of the 1995 data protection directive. It was adopted in 2016 and entered into application on 25 May 2018.
The GDPR defines:
- individuals’ fundamental rights in the digital age
- the obligations of those processing data
- methods for ensuring compliance
- sanctions for those in breach of the rules
Rights of individuals
The GDPR lists the rights of the data subject, meaning the rights of the individuals whose personal data are being processed. These strengthened rights give individuals more control over their personal data, including through:
- the need for an individual's clear consent to the processing of his or her personal data
- easier access for the data subject to his or her personal data
- the right to rectification, to erasure and ‘to be forgotten’
- the right to object, including to the use of personal data for the purposes of ‘profiling’
- the right to data portability from one service provider to another
The data protection regulation sets out the rights of individuals and establishes the obligations of those processing the data and those responsible for the processing.
Obligations for businesses and organisations
The GDPR establishes the general obligations of data controllers and of those processing personal data on their behalf (processors).
These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform.
In certain cases, controllers are also required to provide notification of personal data breaches. All public authorities and companies that perform certain risky data processing operations will also need to appoint a data protection officer.
Application of data protection rules
The regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level and establishes a mechanism to ensure consistency in the application of data protection law across the EU.
The GDPR establishes that a single supervisory decision is taken in cross-border cases where several national supervisory authorities are involved. This principle, known as the ‘one-stop-shop’ principle, means that a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment.
The European Data Protection Board makes sure that the GDPR is applied fully and consistently. This board consists of representatives of all 27 independent supervisory authorities.
On 17 November 2025, the Council adopted an EU law, which should enter into force in 2026. The law makes cooperation between national data protection authorities faster and more efficient when handling cross-border GDPR complaints that involve several EU countries. The rules simplify administrative procedures and aim to ensure:
- swift handling of cross-border complaints and improved cooperation
- investigation of the rights of complainants and parties
Under the GDPR, severe sanctions are provided for against controllers or processors who violate data protection rules. Data controllers can face fines of up to €20 million or 4% of their global annual turnover.
In addition, individuals can lodge a complaint with a supervisory authority and have the right to judicial remedy and compensation. They have the right to have a decision by their data protection authority reviewed by their national court, irrespective of the member state in which the data controller concerned is established.
Transfers to non-EU countries
The GDPR also covers the transfer of personal data to non-EU countries and international organisations. The European Commission is in charge of assessing the level of protection given by a territory or processing sector in a non-EU country.
Where the Commission has not taken an adequacy decision on a territory or sector, transfer of personal data may still take place in particular cases or when there are appropriate safeguards in place.
See also
Data protection in the EU
Data protection in law enforcement
Last review: 22 May 2026