
General Data Protection Regulation

The EU's comprehensive data protection framework governing how organisations worldwide collect, store, and process personal data of individuals in the European Economic Area.

1,051 enforcement decisions
€2.5B in fines issued
479 regulations tracked
822 court rulings
Updated April 2026
WHAT
The EU's comprehensive data protection law governing how organisations collect, store, and process personal data of individuals in the EEA.
WHO
Every organisation worldwide that processes personal data of EU/EEA residents -- from global tech companies to local shops.
SINCE
Enforceable since 25 May 2018. Compliance is ongoing. The November 2025 Digital Omnibus Package proposes targeted amendments.
PENALTY
Up to EUR 20 million or 4% of global annual turnover, whichever is higher. Over EUR 7 billion in fines issued since 2018.
THE ESSENTIALS

The GDPR is an EU law that controls what companies can do with your personal information. Your name, email address, location, browsing history, even the IP address of your phone -- all of it is "personal data" under this law. Any organisation that collects or uses that kind of information about people in Europe must follow the GDPR's rules, no matter where in the world that organisation is based.

The core idea is simple: you own your data, not the company that collected it. You have the right to see what a company knows about you, to have mistakes corrected, and to ask for your data to be deleted entirely. Companies must tell you upfront what they collect, why they need it, and how long they plan to keep it. They cannot just harvest your data and figure out a justification later.

The consequences for breaking these rules are real. Regulators across Europe have handed out over EUR 7 billion in fines since 2018. The biggest penalties have hit household names -- Meta, Amazon, TikTok -- but smaller companies face enforcement too. A fine of even a few thousand euros can be devastating for a small business.

If your company has customers, employees, or website visitors in Europe, the GDPR applies to you. It is not optional, and "we didn't know" is not a defence.

The General Data Protection Regulation (Regulation (EU) 2016/679) is the most significant piece of data protection legislation in history. It replaced the 1995 Data Protection Directive and established a single, directly applicable set of rules across all EU and EEA member states. Its extraterritorial reach means it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, EU residents.

At its core, the GDPR gives individuals control over their personal data. It establishes rights to access, correct, delete, and port personal data, and requires organisations to have a valid legal basis for every processing activity. It mandates transparency -- organisations must clearly explain what data they collect, why, and how long they keep it.

Enforcement has been vigorous and accelerating. National Data Protection Authorities have collectively issued over EUR 7 billion in fines since 2018, with landmark penalties against major technology companies setting precedent across sectors. Ireland's DPC alone has issued over EUR 4 billion in fines -- nearly four times the next-largest authority -- due to Silicon Valley companies maintaining their European headquarters in Dublin.

The regulatory landscape continues to evolve. The CJEU issued several landmark rulings in 2025 clarifying core GDPR concepts, while the European Commission's Digital Omnibus Package proposes the first substantive amendments to the regulation since its adoption -- including provisions for AI processing and streamlined cross-border enforcement. Separately, Regulation (EU) 2025/2518, adopted in November 2025, introduces binding procedural rules for cross-border enforcement and will apply from April 2027.

Apr 14, 2016 - ADOPTED: GDPR adopted by European Parliament and Council
May 25, 2018 - IN FORCE: GDPR becomes enforceable across the EEA
Jan 21, 2019 - ENFORCEMENT: First major fine: Google fined EUR 50M by French CNIL
Jul 16, 2020 - COURT RULING: Schrems II: CJEU invalidates EU-US Privacy Shield
Jun 4, 2021 - AMENDMENT: New Standard Contractual Clauses adopted
Jul 16, 2021 - ENFORCEMENT: Amazon fined EUR 746M by Luxembourg DPA
May 22, 2023 - ENFORCEMENT: Meta fined EUR 1.2B for unlawful US data transfers
Jul 10, 2023 - ADOPTED: EU-US Data Privacy Framework adequacy decision
Feb 27, 2025 - COURT RULING: CJEU ruling on automated decision-making transparency (C-203/22)
May 2, 2025 - ENFORCEMENT: TikTok fined EUR 530M for unlawful China data transfers
Sep 4, 2025 - COURT RULING: CJEU SRB ruling: pseudonymised data not always personal data
Nov 19, 2025 - AMENDMENT: EU Digital Omnibus Package proposes GDPR amendments
Dec 2, 2025 - COURT RULING: CJEU Russmedia: platforms are controllers for user-generated ads
Aug 2, 2026 - DEADLINE: EU AI Act compliance deadline (high-risk systems)

Our database tracks 1,051 GDPR enforcement decisions with a combined value of €2.5B. Here is where the money went.

FINES BY YEAR
2024: €1.2B (500 decisions)
2025: €1.2B (467 decisions)
2026: €34.1M (33 decisions)
LARGEST FINES
#  | Decision | Authority | Fine | Date
01 | DPC (Ireland) - TikTok | DPC (Ireland) | €530.0M | May 2, 2025
02 | CNIL (France) - SAN-2025-004 | CNIL (France) | €325.0M | Sep 1, 2025
03 | DPC (Ireland) - LinkedIn inquiry | DPC (Ireland) | €310.0M | Oct 22, 2024
04 | AP (The Netherlands) - Uber | AP (The Netherlands) | €290.0M | Jul 22, 2024
05 | CNIL (France) - SAN-2025-005 | CNIL (France) | €150.0M | Sep 1, 2025
06 | DPC (Ireland) - Meta Ireland | DPC (Ireland) | €91.0M | Sep 27, 2024
07 | Garante per la protezione dei dati personali (Italy) - 10097012 | Garante per la protezione dei dati personali (Italy) | €89.3M | Nov 27, 2024
08 | NAIH (Hungary) - NAIH-3932-5/2024 | NAIH (Hungary) | €80.0M | Jul 2, 2024
09 | Garante per la protezione dei dati personali (Italy) - 9988710 | Garante per la protezione dei dati personali (Italy) | €79.1M | Feb 8, 2024
10 | CNIL (France) - SAN-2024-019 | CNIL (France) | €50.0M | Nov 14, 2024
TOP DATA PROTECTION AUTHORITIES
01 DPC (Ireland): 11 decisions, €931.2M
02 CNIL (France): 20 decisions, €563.9M
03 AP (The Netherlands): 8 decisions, €328.6M
04 Garante per la protezione dei dati personali (Italy): 138 decisions, €219.4M
05 NAIH (Hungary): 6 decisions, €86.0M
LEGISLATIVE
Digital Omnibus Package
19 Nov 2025

The European Commission proposed the first substantive amendments to the GDPR since its adoption. Key changes: narrowed definition of personal data so pseudonymised data may not be personal for recipients who cannot re-identify (codifying the CJEU SRB ruling), new legitimate interest basis for AI model training and operation, right to refuse abusive access requests, raised breach notification threshold to high-risk breaches only, and standardised DPIAs at EU level.

COURT RULING
SRB v EDPS: Pseudonymised Data
4 Sep 2025

The CJEU confirmed that pseudonymised data is not automatically personal data for all parties. A recipient who cannot reverse the pseudonymisation and has no other means to identify individuals does not process personal data within the meaning of the GDPR.

ENFORCEMENT
TikTok: EUR 530M Fine
2 May 2025

Ireland's DPC fined TikTok EUR 530 million for unlawful cross-border data transfers to China, making it the second-largest GDPR fine ever. The decision highlighted the risks of transferring data to jurisdictions without adequate protection frameworks.

COURT RULING
Russmedia: Platform Controller Duties
2 Dec 2025

In Case C-492/23, the CJEU ruled that online marketplace operators qualify as data controllers for personal data in user-generated advertisements, even if they do not create or select the content. Platforms and advertisers are considered joint controllers, and the hosting safe harbour under the e-Commerce Directive does not exempt platforms from GDPR obligations.

COURT RULING
Automated Decision-Making Transparency
27 Feb 2025

The CJEU ruled that data controllers must provide concise, transparent, and easily accessible explanations of the procedure and principles actually applied by automated systems to arrive at a specific result. This strengthens Article 15 access rights in the context of algorithmic decision-making.

LEGISLATIVE
Cross-Border Enforcement Regulation
26 Nov 2025

Regulation (EU) 2025/2518 was adopted to improve cooperation between supervisory authorities, introducing uniform complaint admissibility criteria, mandatory investigation deadlines (15 months, extendable to 27 for complex cases), and enhanced cooperation files. It will apply from 2 April 2027, addressing long-standing criticism of the one-stop-shop mechanism.

01
Lawful basis for processing
Establish and document a valid legal basis (consent, contract, legitimate interest, etc.) for every data processing activity.
02
Data subject rights
Enable individuals to access, rectify, erase, port, and object to processing of their personal data within 30 days.
03
Data Protection Officer
Appoint a DPO if you are a public authority, conduct large-scale monitoring, or process special categories of data at scale.
04
Breach notification
Report personal data breaches to your supervisory authority within 72 hours; notify affected individuals if there is high risk.
05
Privacy by design
Integrate data protection safeguards into the design of systems and processes from the outset, not as an afterthought.
06
Records of processing
Maintain written records of all processing activities including purpose, categories of data, recipients, and retention periods.
07
Cross-border transfers
Ensure adequate safeguards (SCCs, adequacy decisions, BCRs) for any transfer of personal data outside the EEA.
08
Impact assessments
Conduct Data Protection Impact Assessments before any processing likely to result in high risk to individuals.


KEY OBLIGATIONS
Appoint a Data Protection Officer if processing personal data at scale
Implement privacy by design and by default in product development
Maintain Records of Processing Activities (ROPA)
Conduct Data Protection Impact Assessments for high-risk processing
Ensure lawful cross-border data transfer mechanisms for international infrastructure
YOUR FIRST STEP

Conduct a data mapping exercise to understand what personal data you process, where it flows, and on what legal basis