The General Data Protection Regulation (GDPR) is an extensive legislation enacted to protect personal data in the European Union (EU). Implemented in 2016, it is composed of eleven chapters that discuss various aspects, such as the principles, rights, and responsibilities associated with data processing. GDPR is applicable to both data manipulators (controllers and processors) and data subjects within the EU, and it also extends to entities outside the EU that handle data of EU citizens. Within the context of GDPR, personal data pertains to any details that can be used to identify a person. The regulation provides individuals with several rights, including the right to access, rectify, erase their data, and limit its processing. It also necessitates businesses to implement data protection through various methods like pseudonymisation, impact evaluations, and integrating data protection into their business operations. The transfer of personal data to third countries is allowed under specific conditions. Failure to comply can result in hefty penalties.
The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.
| European Union regulation | |
| Text with EEA relevance | |
 | |
| Title | Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive) |
|---|---|
| Made by | European Parliament and Council of the European Union |
| Journal reference | L119, 4 May 2016, p. 1–88 |
| History | |
| Date made | 14 April 2016 |
| Implementation date | 25 May 2018 |
| Preparative texts | |
| Commission proposal | COM/2012/010 final – 2012/0010 (COD) |
| Other legislation | |
| Replaces | Data Protection Directive |
| Current legislation | |
The European Parliament and Council of the European Union adopted the GDPR on 14 April 2016, to become effective on 25 May 2018. As an EU regulation (instead of a directive), GDPR is directly applicable with force of law on its own without the need of transposition. However, it also provides flexibility for individual member states to modify (derogate from) some of its provisions.
The regulation became a model for many other laws around the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. After leaving the European Union the United Kingdom enacted its "UK GDPR", identical to the GDPR. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.
English 
Español 
Français