European Union
GDPR remains the benchmark comprehensive privacy regime across the European Union.
Editorial caveat
Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.
Breach
- Breach deadline (hours): 72
- Breach notification required: Yes
Marketing
- Cookie consent rule: Consent is generally required for non-essential cookies under ePrivacy rules.
Transfers
- Cross-border transfer restricted: Yes
- Data localization required: No
Governance
- DPO required: Yes
- Impact assessment required: Yes
- Records of processing required: Yes
Identity
- Effective date: 2018-05-25
- Effective status: in-force
- Last amended: 2023-05-11
- Law status: active
Scope
- Extraterritorial application: Yes
- Private sector coverage: Yes
- Public sector coverage: Yes
- Territorial scope: Applies across EU member states and to controllers/processors targeting individuals in the EU.
Legal Basis
- Legal bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
- Requires legal basis: Yes
Enforcement
- Maximum fine: Up to €20 million or 4% of worldwide annual turnover.
- Private right of action: No
Definitions
- Personal data definition: Any information relating to an identified or identifiable natural person.
- Sensitive data recognized: Yes
Rights
- Right of access: Yes
- Right to appeal: Yes
- Right to deletion: Yes
- Right to object: Yes
- Right to portability: Yes
Official sources
- European Data Protection Board guidance hub (official-regulator • en • html)
- EUR-Lex consolidated GDPR text (official-law • en • html)