| GDPR | |
|---|---|
| Name | General Data Protection Regulation |
| Long name | Regulation (EU) 2016/679 |
| Jurisdiction | European Union, European Economic Area |
| Date effective | 25 May 2018 |
| Date passed | 14 April 2016 |
| Legislation | European Parliament, Council of the European Union |
| Status | In force |
GDPR is a comprehensive data protection and privacy law that became directly applicable across the European Union and the European Economic Area. It was designed to harmonize data privacy laws across Europe, empower individuals, and reshape the way organizations approach data privacy. The regulation imposes strict obligations on entities that process personal data and grants significant new rights to individuals. Its extraterritorial scope means it affects organizations worldwide that handle the data of individuals in the EU.
The regulation was developed by the European Commission and formally adopted by the European Parliament and the Council of the European Union after extensive negotiations. It replaced the outdated Data Protection Directive 95/46/EC, creating a single, directly enforceable legal framework. A primary goal was to address the challenges of the digital age, where entities like Facebook and Google process vast amounts of personal information. The final text was published in the Official Journal of the European Union in 2016, with a two-year implementation period before it became enforceable.
Central to the regulation are the principles of lawfulness, fairness, and transparency, requiring that data processing have a clear legal basis such as consent or legitimate interest. It mandates data protection by design and by default, requiring privacy measures to be integrated into systems from the outset. A critical requirement is the implementation of appropriate technical and organizational measures, which can include encryption and pseudonymization, to ensure a level of security appropriate to the risk. The regulation also introduces strict rules for data breach notification, requiring controllers to report certain breaches to supervisory authorities like the Commission nationale de l'informatique et des libertés within 72 hours.
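Pseudonymization, one of the technical measures the paragraph above names, is illustrated by the following added example (not part of the original article, and not any regulator's reference implementation). It replaces directly identifying fields in a constructed data set with keyed HMAC-SHA256 tokens: records about the same person stay linkable for analysis, while recovering the original identifier requires the secret key and a re-identification table that would be stored separately from the pseudonymized data. The field names, sample records and the in-memory storage are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records; the people and addresses are fictional.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": 42.50},
    {"email": "bob@example.com", "ip": "203.0.113.9", "purchase": 13.00},
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": 7.25},
]

# Assumed set of fields treated as directly identifying in this data set.
IDENTIFYING_FIELDS = ("email", "ip")


@dataclass
class Pseudonymizer:
    """Keyed pseudonymization with HMAC-SHA256.

    The key and the re-identification table are the 'additional information'
    that must be held separately from the pseudonymized data set. Here they
    live in memory for the demonstration; a real deployment would keep them
    in a separate, access-controlled store.
    """

    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    reid_table: dict = field(default_factory=dict)

    def token(self, value: str) -> str:
        # A keyed MAC, not a plain hash: without the key, an attacker cannot
        # confirm a guessed identifier by recomputing its token.
        mac = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]  # 128-bit truncation is enough to stay unique here

    def pseudonymize(self, record: dict) -> dict:
        """Return a copy of the record with identifying fields replaced by tokens."""
        out = dict(record)
        for name in IDENTIFYING_FIELDS:
            if name in out:
                tok = self.token(out[name])
                self.reid_table[tok] = out[name]  # kept separately from the output
                out[name] = tok
        return out

    def reidentify(self, tok: str) -> Optional[str]:
        """Look a token up in the separately held table (the controlled path back)."""
        return self.reid_table.get(tok)


def pseudonymize_dataset(records, key: Optional[bytes] = None):
    """Pseudonymize a list of records; returns (pseudonymized_records, pseudonymizer)."""
    p = Pseudonymizer(key=key) if key is not None else Pseudonymizer()
    return [p.pseudonymize(r) for r in records], p


if __name__ == "__main__":
    pseudo, p = pseudonymize_dataset(SAMPLE_RECORDS)
    for r in pseudo:
        print(r)
    # Same person, same token, so per-customer totals can still be computed:
    print("alice linkable:", pseudo[0]["email"] == pseudo[2]["email"])
    # Re-identification only through the separately held table:
    print("re-identified:", p.reidentify(pseudo[0]["email"]))
```

Two properties worth checking in practice: the pseudonymized output must contain no raw identifier, and a second system using a different key must produce different tokens, so that leaking one pseudonymized data set does not let it be joined against another without the key. Tokenizing fields like `ip` is still pseudonymization rather than anonymization, because the controller can reverse it; the regulation treats such data as personal data.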
The regulation applies to the processing of personal data by controllers and processors established in the EU, regardless of where the processing takes place. Crucially, it also applies to organizations outside the EU if they offer goods or services to, or monitor the behavior of, individuals within the EU. This extraterritorial effect has global implications, impacting multinational corporations from the United States to Japan. The definition of personal data is broad, encompassing any information relating to an identified or identifiable natural person, including online identifiers like IP addresses.
Individuals are granted a suite of enhanced rights, including the right to access their personal data and the right to rectification of inaccurate information. The right to erasure, often called the "right to be forgotten," allows individuals to request the deletion of their data under specific circumstances. Other key rights include the right to data portability, enabling individuals to obtain and reuse their data across different services, and the right to object to processing, including for direct marketing purposes. Data subjects also have rights related to automated decision-making and profiling.
Organizations must demonstrate compliance through measures such as maintaining detailed records of processing activities and conducting data protection impact assessments for high-risk processing. The appointment of a data protection officer is mandatory for certain controllers and processors. Enforcement is the responsibility of independent supervisory authorities in each member state, such as the Information Commissioner's Office in the United Kingdom and the Federal Commissioner for Data Protection and Freedom of Information in Germany. These authorities have the power to impose significant administrative fines, which can reach up to €20 million or 4% of global annual turnover.
The regulation has had a profound global impact, prompting many countries, including Brazil with its Lei Geral de Proteção de Dados and California with the California Consumer Privacy Act, to enact similar comprehensive privacy laws. It has forced major changes in the operations of technology giants like Amazon and Microsoft. Criticism has included concerns about the compliance burden on small and medium-sized enterprises and complexities in implementation across different jurisdictions. Some legal scholars have also debated the practical application of certain rights and the consistency of enforcement actions by different national authorities like the Garante per la protezione dei dati personali in Italy.