EU regulation
General Data Protection Regulation
EU regulation

General Data Protection Regulation

All frameworks

What it is

EU regulation protecting personal data of individuals in the EU/EEA. Applies extraterritorially — any organization processing EU residents' data is in scope.

Who uses it

Any organization with EU customers, users, or employees — including U.S. SaaS companies.

Why it matters

Fines reach 4% of global annual turnover or €20M, whichever is greater. Data Protection Impact Assessments and data mapping are recurring junior GRC work.

Structure

6 lawful bases

Consent, contract, legal obligation, vital interests, public task, legitimate interests — every processing activity needs one.

Data subject rights

Access, rectification, erasure, restriction, portability, objection, and rights related to automated decisions.

Roles

Controller (decides why/how) vs Processor (acts on controller's instructions) — different obligations.

DPIA

Data Protection Impact Assessment, required for high-risk processing.

Transfers

Cross-border transfers need a mechanism — SCCs, adequacy decision, BCRs.

Terminology

Controller / Processor
Controller decides purposes; Processor acts under instruction.
DPO
Data Protection Officer — required for some organizations.
ROPA
Record of Processing Activities — Article 30 register.
SCC
Standard Contractual Clauses — EU-approved contract for international transfers.
72-hour rule
Personal data breaches must be reported to the supervisory authority within 72 hours.

Beginner explanation

GDPR is about respecting individuals' control over their own personal data. Every processing activity needs a documented reason, and individuals have rights you must honor.

Practical examples

  • A SaaS adds a 'Delete my account' flow to satisfy the right to erasure.
  • A marketing team's plan to scrape LinkedIn for prospects requires a lawful basis — 'legitimate interests' with a balancing test.

Advanced notes

Post-Schrems II, transfers to the U.S. require either the EU-U.S. Data Privacy Framework certification or SCCs plus a transfer impact assessment.