LLMpedia: The first transparent, open encyclopedia generated by LLMs

GDPR

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
GDPR
Name: General Data Protection Regulation
Long name: Regulation (EU) 2016/679
Enacted by: European Parliament and Council of the European Union
Adopted: 27 April 2016
Effective: 25 May 2018
Territory: European Union member states, European Economic Area
Status: In force


The General Data Protection Regulation is a regulation of the European Union enacted by the European Parliament and the Council of the European Union to harmonize data protection rules across the European Union and the European Economic Area. It replaced the Data Protection Directive 95/46/EC and interfaces with instruments such as the ePrivacy Directive, while influencing legislation in the United Kingdom, United States, Canada, Brazil, and Japan. The regulation shapes practices for multinational firms like Google, Facebook, Apple Inc., Microsoft, and Amazon and informs supervisory authorities including the European Data Protection Board and national bodies such as the Information Commissioner's Office.

Overview

The regulation establishes a uniform legal framework for processing personal data across the European Union and the European Economic Area, superseding the earlier Data Protection Directive 95/46/EC and aligning with international standards seen in instruments like the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It sets out definitions, legal bases, rights, obligations, and enforcement mechanisms that interact with judicial bodies such as the Court of Justice of the European Union and national courts in member states like Germany, France, Italy, and Spain.

Key Principles and Rights

The text codifies principles including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. It grants individuals rights such as the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object. These rights have been invoked in cases before the Court of Justice of the European Union and debated by regulators like the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit and advocacy groups including Electronic Frontier Foundation, Privacy International, and European Digital Rights.

Scope and Applicability

The regulation applies to processing of personal data wholly or partly by automated means and to non-automated processing forming part of filing systems. Its territorial scope covers controllers and processors offering goods or services to, or monitoring the behaviour of, data subjects in the European Union, affecting companies headquartered in jurisdictions such as the United States, China, India, and Australia. It distinguishes between controllers and processors, includes special categories of personal data, and provides derogations for processing by public authorities like the European Central Bank under conditions set by member states.

Obligations of Controllers and Processors

Controllers and processors must implement appropriate technical and organizational measures, conduct data protection impact assessments for high-risk processing, and maintain records of processing activities. They must appoint data protection officers where required, cooperate with supervisory authorities such as the Commission nationale de l'informatique et des libertés and the Autorité de protection des données in Belgium, and ensure lawful bases such as consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. Controllers must employ measures like encryption and pseudonymization and manage contracts with subprocessors in line with provisions influencing service providers like Akamai Technologies, Cloudflare, and Salesforce.

Enforcement and Penalties

Supervisory authorities empowered under the regulation can investigate breaches, issue warnings, order compliance, and impose administrative fines up to 20 million euros or 4% of global annual turnover, whichever is higher. Enforcement actions have been taken against major entities including Google LLC, Facebook, Inc., British Airways, and Marriott International and adjudicated in tribunals and the Court of Justice of the European Union. Cross-border cooperation is coordinated by the European Data Protection Board, and remedies include compensation claims in national courts such as those in Ireland, Netherlands, and Poland.

Impact and Criticism

The regulation has driven global privacy reforms, prompting legislative initiatives like the California Consumer Privacy Act, the Brazilian General Data Protection Law, and reforms in South Korea and India. It has catalyzed product changes at companies including Twitter, LinkedIn, and TikTok and influenced standards-setting bodies such as the International Organization for Standardization and European Telecommunications Standards Institute. Criticism has arisen from industry groups like DigitalEurope and legal scholars at institutions such as Oxford University and Harvard Law School over compliance costs, legal uncertainty, extraterritorial reach, and tensions with law enforcement agencies including Europol and national police. Debates continue in forums like the European Council and the European Commission regarding adequacy decisions with countries such as the United States and South Korea, and on balancing privacy with innovation and security.

Categories: European Union law; Privacy law