EU GDPR – Global Relay Intelligence & Practice

EU GDPR

Rule Collection

The General Data Protection Regulation or GDPR imposes data privacy and security obligations on organizations that handle the personal data of or provide goods or services to EU citizens or residents.

Rule Overview

Jurisdiction: European Union

Regulator: EDPB

Topic: Data Protection

Overview

Rules in This Collection

Notable

Latest News

Further Reading

GDPR has an extraterritorial effect. In other words it also applies to organizations that are based outside of the EU.

Five key GDPR definitions

Personal data – any information that relates to an individual who can be directly or indirectly identified.
Data processing – any action that is performed on data including collecting, recording, organizing, structuring and storing.
Data subject – the person whose data is processed.
Data controller – the person who decided why and how personal data will be processed.
Data processor – a third party that processes personal data on behalf of a data controller.

Article 3

Territorial scope

Article 5

Principles

Article 6

Lawfulness of processing

Article 7

Conditions for consent

Article 8

Conditions for child's consent

Article 9

Special categories

Article 12

Measures for the exercise of the rights of the data subject

Article 13

Information to be provided where personal data is collected

Article 14

Information to be provided where personal data has not been collected

Article 22

Automated individual decision-making, including profiling

Article 25

Data protection by design and default

Article 28

Processor

Article 30

Records of processing activities

Article 32

Security of processing

Article 45

Data transfers on the basis of an adequacy decision

Article 49

Derogations for specific situations

Article 83

General conditions for imposing administrative fines

Rules in This Collection

EU GDPR This Rule

Notable

New data bridge for UK-US data transfers to help firms

Privacy

New data bridge for UK-US data transfers to help firms

October 10, 2023

Transfer of UK personal data to US simplified, UK data transfer rules back in step with EU, ICO offers qualified backing.

Paula Barrett | Eversheds Sutherland, Michael Bahar | Eversheds Sutherland7 min read

Amazon France Logistique fined €32m for intrusive employee monitoring

Privacy

Amazon France Logistique fined €32m for intrusive employee monitoring

January 26, 2024

CNIL found that the company's monitoring and data collection were disproportionate and excessively intrusive.

Martina Lindberg2 min read

Santa Claus is coming to town, but is he GDPR compliant?

Data

Santa Claus is coming to town, but is he GDPR compliant?

December 22, 2023

"He’s making a list, he’s checking it twice, he’s gonna find out who’s naughty or nice" … but is Santa doing so in compliance with the GDPR?

Sherif Malak | Shoosmiths, Sarah Moss | Shoosmiths5 min read

Privacy

New data bridge for UK-US data transfers to help firms

Privacy

Amazon France Logistique fined €32m for intrusive employee monitoring

Data

Santa Claus is coming to town, but is he GDPR compliant?

Latest News More on EU GDPR

Security

Celito Tech's Ravi Monangi and Ethan Grammer on compliant growth in life science

March 24, 2025

We explored how small and mid-sized pharmaceutical and biotech companies can avoid costly early compliance mistakes and minimize risk as they scale.

Alexander Barzacanos7 min read
Privacy

GRIP Q&A: Tyler Thompson of Reed Smith on AI data privacy

March 19, 2025

Ahead of his talk at the AI Governance & Strategy Summit in Seattle, Tyler Thompson spoke to GRIP about AI strategy and future developments.

Jean Hurley5 min read
Data

Telenor fined NKr 4m for DPO scheme and internal controls failures

March 19, 2025

Datatilsynet in Norway found that Telenor contravened EU GDPR with multiple failures.

Martina Lindberg<1 min read
Conferences and events

Experts discuss collaboration on AI regulation and the value of data

March 18, 2025

The last of our reports from this year's Data Insights x Shoosmiths conference.

Jean Hurley, Martina Lindberg4 min read
Privacy

DeepSeek and personal data transfers to China

February 14, 2025

DeepSeek may disrupt laws on data protection and transfers on both sides of the Atlantic, as well as disrupting US markets.

Alice Wallbank | Shoosmiths, Sherif Malak | Shoosmiths, Adam Fox | Shoosmiths4 min read
Enforcement

Rise in sanctions and compliance orders by CNIL in 2024

February 14, 2025

The Commission nationale de l'informatique et des libertés issued 45 more sanctions in 2024 than in 2023.

Martina Lindberg2 min read
Data

European GDPR fines down 33% in 2024, but enforcement 'remains dynamic'

February 6, 2025

The Irish Data Protection Commission continues to take the lead on GDPR fines in Europe.

Martina Lindberg4 min read
Privacy

The GDPR needs to be reviewed, states Swedish Privacy Protection Authority

January 30, 2025

IMY argues that the regulation risks losing legitimacy if it is not refined.

Martina Lindberg1 min read

Further Reading

SME data protection guide

White & Case guide to national implementation