# GDPR (General Data Protection Regulation)
The European regulation, in force since May 2018, that protects personal data of EU residents and shapes how every business worldwide handles their data.
## What GDPR actually does
The General Data Protection Regulation (Regulation (EU) 2016/679) entered into force on 25 May 2018, replacing the 1995 Data Protection Directive. It applies to any organization processing personal data of people in the EU, regardless of where the organization is based.
Personal data under GDPR includes anything that can identify a person, directly or indirectly: name, email, IP address, device ID, location, biometrics, online identifiers — the definition is deliberately broad.
## The seven principles
GDPR establishes seven principles that all personal data processing must respect:
1. **Lawfulness, fairness, and transparency** — process data only on a valid legal basis, clearly explained to the data subject
2. **Purpose limitation** — collect data only for specific stated purposes
3. **Data minimization** — collect only what's actually needed
4. **Accuracy** — keep data current and correct errors
5. **Storage limitation** — keep data only as long as needed
6. **Integrity and confidentiality** — secure data against unauthorized access
7. **Accountability** — be able to demonstrate compliance
## The rights GDPR gives EU residents
EU residents have eight specific rights regarding their personal data:
- **Right to access** (Article 15) — request a copy of your data
- **Right to rectification** (Article 16) — correct inaccurate data
- **Right to erasure / right to be forgotten** (Article 17) — request deletion
- **Right to restriction of processing** (Article 18) — limit how data is used
- **Right to data portability** (Article 20) — receive your data in a structured, machine-readable format
- **Right to object** (Article 21) — object to processing, including processing for direct marketing
- **Rights related to automated decision-making** (Article 22) — limits on AI/algorithmic decisions
- **Right to be informed** — know how data is processed
## Why GDPR shaped global tech
GDPR's territorial scope (Article 3) means it applies extraterritorially — any company offering goods/services to EU residents or monitoring their behavior must comply, regardless of company location.
The result: most global tech companies built GDPR-compliant infrastructure for EU users, and many extended those protections globally rather than maintain separate systems.
The penalty structure made enforcement credible: fines of up to €20 million or 4% of global annual turnover, whichever is higher. Meta, Amazon, and dozens of other major tech companies have received nine-figure fines.
## Why GDPR matters for tool choice
For European businesses choosing software, GDPR creates two compliance pressures:
1. **Subprocessor sovereignty** — if your tool uses US-based subprocessors, transatlantic data transfers require additional safeguards, such as standard contractual clauses (SCCs) and transfer impact assessments (TIAs)
2. **Data subject rights fulfillment** — your tools must support data export, deletion, and access requests; some US tools handle this poorly
EU-native tools have these requirements built into architecture; US tools typically retrofit compliance through configuration. Both can technically achieve compliance, but the friction differs significantly.
## Recent developments
- **Schrems II ruling (2020)** invalidated the EU-US Privacy Shield, complicating transatlantic transfers
- **Standard Contractual Clauses** updated 2021 to address Schrems II concerns
- **EU-US Data Privacy Framework** (2023) replaced Privacy Shield but faces ongoing legal challenges
- **GDPR review** ongoing through 2025-2026 — possible "GDPR 2.0" addressing enforcement inconsistency and SME compliance burden