Any processing of personal data of individuals in the EU/EEA, regardless of where the controller / processor is established. Extra-territorial via Article 3.
Controllers and processors handling personal data of EU/EEA data subjects, including non-EU companies offering goods/services or monitoring behaviour in the EU.
Breach notification — 72 hours to supervisory authority
Notify the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware" of the breach (Art. 33). Notification can be in stages if all facts aren't yet known.
Trigger: Awareness of a breach by the controller (regardless of severity assessment).
Individuals: Notify affected individuals "without undue delay" if the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
Data subject / individual rights (7)
Right of accessArt. 15
Right to a copy of personal data and information on processing — purposes, categories, recipients, retention, sources.
Right to rectificationArt. 16
Right to correct inaccurate or complete incomplete personal data.
Right to erasure ("right to be forgotten")Art. 17
Right to deletion when data is no longer needed, consent withdrawn, processing unlawful, or other Art. 17(1) grounds.
Right to restriction of processingArt. 18
Right to restrict processing while accuracy is contested, processing is unlawful but data is needed, or pending objection.
Right to data portabilityArt. 20
Right to receive a structured, commonly-used, machine-readable copy of data and to transmit it to another controller.
Right to objectArt. 21
Right to object to processing based on legitimate interests, direct marketing (always wins), profiling, or research.
Rights re: automated decisions / profilingArt. 22
Right not to be subject to a decision based solely on automated processing (incl. profiling) producing legal or similarly significant effects.
One of: consent, contract, legal obligation, vital interests, public task, legitimate interests. Document the basis up front.
Privacy by design & defaultArt. 25
Implement appropriate technical & organisational measures to embed privacy from system design through to operation.
Processor obligations & DPA contractsArt. 28
Controllers must use only processors providing sufficient guarantees; mandatory DPA contract with prescribed clauses.
Records of processing activities (RoPA)Art. 30
Maintain a written record of categories of processing, purposes, data flows, retention. Required at scale (>250 employees or risky processing).
Security of processingArt. 32
Appropriate technical and organisational measures including pseudonymisation, encryption, integrity, availability, regular testing.
Data Protection Impact Assessment (DPIA)Art. 35
Required before high-risk processing — large-scale automated decisions, sensitive data at scale, systematic monitoring of public areas.
Data Protection Officer (DPO)Art. 37
Mandatory DPO when core activities involve large-scale regular monitoring or special-category data.
International transfersArt. 44-49
Transfers outside EEA require adequacy decision, Standard Contractual Clauses + transfer impact assessment, BCRs, or other Art. 46 safeguards.
Enforcement & penalties
Up to €20M or 4% of annual global turnover — whichever is higher (Art. 83). Supervisory authorities (lead authority via one-stop-shop) issue fines, corrective orders, processing bans.