GDPR-Specific Privacy Requirements
The General Data Protection Regulation (GDPR) is the EU's comprehensive privacy law, applicable since May 2018. GDPR applies to processing of personal data of EU/EEA residents, regardless of where the organization is located. GDPR has extraterritorial scope—if you offer goods or services to EU residents or monitor their behavior, GDPR applies. This primer covers GDPR-specific implementation details; see Privacy Primer for universal privacy principles.
GDPR Territorial Scope
GDPR applies when personal data of EU/EEA residents is processed in connection with: (1) establishment in the EU (organization with offices/operations in EU), (2) offering goods or services to EU residents (intentionally targeting EU market, regardless of payment), or (3) monitoring behavior of EU residents (tracking online activity, profiling). The third criterion is particularly broad—website analytics, cookies, behavioral advertising, and social media tracking often constitute monitoring.
No establishment required. Organizations with no EU presence can be subject to GDPR if they offer services to EU residents or monitor their behavior. Merely having a website that is accessible from the EU doesn't trigger GDPR, but translating the site into EU languages, accepting payment in euros, or advertising to EU markets likely does.
Representative requirement. Organizations outside the EU that are subject to GDPR must designate a representative in the EU, unless processing is occasional, doesn't include special category data, and is unlikely to pose risks to individuals. Representatives act as local contact points for supervisory authorities and data subjects.
Supervisory authorities are independent public authorities in each EU member state responsible for enforcing GDPR. The lead supervisory authority for cross-border processing is the authority in the member state where the controller has its main establishment. Organizations may deal with multiple supervisory authorities for local processing or when no main establishment exists.
Lawful Bases for Processing
Consent must be given by a clear affirmative action and must be specific, informed, and freely given. Pre-checked boxes, silence, inactivity, or consent bundled with terms of service don't qualify. Consent must be granular: one consent cannot cover multiple purposes. Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it. Organizations must be able to demonstrate that they obtained valid consent (consent records). Consent obtained before GDPR may need refreshing if it wasn't GDPR-compliant.
Contractual necessity applies when processing is necessary to perform a contract with the data subject or take steps at their request before entering a contract. Processing must be necessary (not just helpful) for the contract. This basis doesn't cover processing for general business operations beyond what's strictly necessary for the contract.
Legal obligation applies when processing is required by EU or member state law. This includes tax reporting, employment law obligations, anti-money laundering requirements, and court orders. The legal obligation must be specified in law, and processing must be limited to what's required.
Vital interests applies when processing is necessary to protect someone's life or physical safety. This is typically limited to emergencies where other bases aren't available. It cannot be used to process employee data in normal circumstances.
Public task applies when processing is necessary for tasks carried out in the public interest or official authority. This primarily applies to public authorities but can apply to private organizations performing public tasks under law.
Legitimate interests applies when processing is necessary for your interests or those of third parties, unless those interests are overridden by the interests or rights of the data subject. Legitimate interests require a balancing test: identify your interest, assess necessity, and balance it against data subject rights. Data subjects can object to processing based on legitimate interests, which forces you to demonstrate compelling grounds. Marketing, fraud prevention, network security, and business improvement often rely on legitimate interests, but profiling, sensitive data, and processing likely to cause harm typically require consent.
No hierarchy of bases. All lawful bases are equal—none is "better" than others. The appropriate basis depends on the specific processing activity and circumstances.
Special Category Data
Special category data (also called "sensitive personal data") includes racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, and sexual orientation. Processing special category data is generally prohibited unless you have both a lawful basis (from the six above) AND a special category condition.
Special category conditions include explicit consent, employment/social security obligations, vital interests, legitimate activities of non-profits, manifestly public data, legal claims, substantial public interest, preventive/occupational medicine, public health, archiving/research/statistics. Processing special category data without meeting these conditions violates GDPR even if you have a lawful basis.
Explicit consent for special category data requires clearer, more specific consent than regular consent. The term "explicit" suggests stronger emphasis on the specific nature of the data and processing, though GDPR doesn't define it precisely. Organizations should make special category processing more prominent and obtain unambiguous agreement.
Health data is any data concerning health, including medical records, diagnoses, prescriptions, disabilities, and inferences about health status (e.g., fitness tracker data revealing health conditions). Health data receives enhanced protection, and most processing requires explicit consent or specific conditions like medical treatment, public health, or research with safeguards.
Data Subject Rights Under GDPR
Right of access entitles individuals to confirmation of whether you're processing their data, a copy of their data, information about processing purposes, categories of data, recipients, retention periods, and their rights. You must respond within one month (extendable to three months for complex requests). You can charge a reasonable fee only if requests are manifestly unfounded or excessive. You must provide data in a structured, commonly used, machine-readable format if requested.
Right to rectification requires correcting inaccurate personal data and completing incomplete data. You must respond within one month. If data was shared with third parties, you must inform them of corrections unless this involves disproportionate effort.
Right to erasure (right to be forgotten) requires deleting data when: it's no longer necessary, consent is withdrawn, objection succeeds, data was unlawfully processed, or legal obligation requires deletion. Erasure isn't absolute—legal obligations, public interest, legal claims, and freedom of expression may justify retention. You must respond within one month and inform third parties if data was shared.
Right to restriction limits processing when: accuracy is contested, processing is unlawful, you no longer need data but the individual requires it for claims, or objection is pending. During restriction, you can store data but process it only with consent, for legal claims, to protect others' rights, or for important public interest.
Right to data portability applies to data provided by the individual and processed by consent or contract. Individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. Portability doesn't include inferred or derived data.
Right to object allows individuals to object to processing based on legitimate interests or direct marketing. For legitimate interests processing, you must stop unless you demonstrate compelling legitimate grounds. For direct marketing, you must stop immediately with no justification needed.
Automated decision-making rights restrict decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Individuals have the right not to be subject to such decisions, unless necessary for a contract, authorized by law, or based on explicit consent. Even when automated decisions are allowed, individuals have the right to human intervention, explanation, and contestation.
Controller and Processor Roles
Data controller determines the purposes and means of processing personal data. The controller is legally responsible for compliance and liable for violations. Organizations are controllers when they decide what data to collect, why, and how it will be used. A single organization can be both controller (for employee data, marketing) and processor (for customer data processed on behalf of others).
Data processor processes personal data on behalf of a controller. Processors act only on controller instructions and cannot process data for their own purposes without becoming controllers. Processors must provide appropriate security, assist controllers with data subject requests, and notify controllers of breaches. Processors are directly liable for security violations and can be fined, but controllers remain primarily responsible for compliance.
Joint controllers share decision-making about purposes and means of processing. Joint controllers must clearly allocate responsibilities, either in an agreement or through their relationship. Joint controllers are jointly liable for compliance, though their agreement can allocate responsibilities internally.
Controller-processor agreement is required when processors process data on behalf of controllers. The agreement must specify subject matter, duration, nature/purpose of processing, types of data, categories of data subjects, and controller obligations/processor rights. Processors cannot process data beyond controller instructions. Controllers must use only processors providing sufficient guarantees.
Sub-processors can be engaged by processors only with controller authorization (general or specific). Sub-processor arrangements require the same obligations as controller-processor agreements. Processors remain fully liable to controllers for sub-processor compliance.
Cross-Border Transfers Under GDPR
Transfer restriction principle prohibits transferring personal data outside the EU/EEA unless the destination provides adequate protection or appropriate safeguards exist. This prevents data being moved to jurisdictions with weaker privacy protections.
Adequacy decisions recognize that certain countries provide equivalent protection to GDPR, allowing free flow of data without additional safeguards. The EU has granted adequacy to countries including Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, and Uruguay. Adequacy decisions are subject to periodic review and can be withdrawn (as with Privacy Shield for the US).
Standard contractual clauses (SCCs) are pre-approved contracts providing legal safeguards for transfers when adequacy doesn't apply. The EU Commission has adopted new SCCs (2021) covering controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller scenarios. Organizations using SCCs must complete them correctly, assess destination country laws, and implement supplementary measures if laws in the destination country might compromise safeguards.
Binding corporate rules (BCRs) allow multinational organizations to transfer data internally under approved policies that meet GDPR requirements. BCRs require significant documentation, regulatory approval, and ongoing compliance, but provide flexible intra-organizational transfers. BCRs are suitable for organizations with extensive cross-border operations.
Derogations provide limited exceptions for transfers without adequacy or safeguards: explicit consent, contractual necessity, public interest, legal claims, vital interests, and public register. Derogations are narrow, apply on a case-by-case basis, and don't justify systematic transfers.
Schrems II implications require organizations to assess whether destination country laws (particularly government surveillance laws) might compromise transfer safeguards. If laws in the destination country prevent compliance with safeguards, supplementary measures must be implemented or transfers suspended. The EDPB provides guidance on supplementary measures including encryption, pseudonymization, and contractual commitments.
GDPR Enforcement
Supervisory authorities are independent public authorities in each EU member state responsible for enforcing GDPR. Authorities have powers to conduct investigations, issue warnings, order compliance, ban processing, and impose fines. The lead supervisory authority for cross-border processing is the authority in the member state where the controller has its main establishment.
Fines can reach €20 million or 4% of global annual revenue, whichever is higher. Fines depend on factors including nature/gravity of violation, intentionality, mitigation, previous violations, cooperation, categories of data affected, notification, and adherence to codes of conduct. Maximum fines apply to violations of basic principles (lawfulness, consent, data subject rights) or transfer restrictions.
Administrative fines are separate from other remedies (warnings, compliance orders, bans). Organizations can face multiple penalties for the same violation. Fines must be effective, proportionate, and dissuasive.
Data subject complaints can be filed with supervisory authorities in any EU member state, typically where the individual resides. Supervisory authorities must investigate complaints and inform complainants of outcomes. Data subjects can also seek judicial remedies including compensation for damages.
One-stop shop allows organizations with main establishment in the EU to deal primarily with one supervisory authority (their lead authority) for cross-border processing. This reduces complexity but doesn't eliminate engagement with other authorities for local processing or when no main establishment exists.
Key Numbers
GDPR breach notification: 72 hours to the supervisory authority.
Access request response: one month (extendable to three months).
Right to object response: immediate for direct marketing.
GDPR fine maximum: €20 million or 4% of global revenue.
Data protection officer (DPO) required when: systematic monitoring on a large scale, or processing special category data on a large scale.
Representative required: organizations outside the EU that are subject to GDPR, unless processing is occasional, doesn't include special category data, and is unlikely to pose risks.
Common Misconceptions
"GDPR only applies in Europe." GDPR applies to any organization processing EU/EEA residents' data, regardless of location. Territorial scope is broad—offering services to EU residents or monitoring their behavior triggers GDPR.
"Consent is always required." Many legal bases exist beyond consent. Consent isn't always appropriate or required—contractual necessity, legitimate interests, and legal obligations are often preferable.
"GDPR prevents all data processing." GDPR regulates how data is processed, not whether it can be processed. With proper lawful basis and safeguards, data processing is permitted.
"SCCs automatically make transfers compliant." SCCs provide a mechanism for transfers but require proper implementation, completion, and assessment of destination country laws. Supplementary measures may be needed.
"GDPR compliance is one-time." Compliance requires ongoing monitoring, updating policies, training staff, and adapting to regulatory guidance. GDPR obligations are continuous, not one-time implementation.