
GDPR

Also known as: General Data Protection Regulation · EU 2016/679

EU regulation governing the processing of personal data of data subjects in the EU/EEA; administrative fines of up to €20M or 4% of total worldwide annual turnover, whichever is higher.

The General Data Protection Regulation (EU 2016/679) is the EU's omnibus data-protection law. Under Art. 3 it applies to any controller or processor established in the EU, and extraterritorially to any controller or processor that offers goods or services to, or monitors the behaviour of, data subjects in the EU/EEA, regardless of where the business is established or where the processing takes place.

Why it matters
GDPR carries some of the steepest privacy fines in the world: the upper tier (Art. 83(5)) allows up to €20M or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Meta alone has been fined over €2.5B cumulatively across its EU entities.
Example
The €1.2B fine imposed on Meta Platforms Ireland by the Irish Data Protection Commission in May 2023, for continuing EU→US transfers of Facebook user data without adequate safeguards after Schrems II, is the largest single GDPR penalty to date.

Related terms

Data Processing Agreement (DPA)
Contract between a controller and processor codifying GDPR Art. 28 obligations.
Lawful Basis (Legal Basis for Processing)
One of six GDPR Art. 6 grounds that must apply for personal data processing to be lawful.
Data Subject Rights (DSAR)
Rights granted to individuals over their personal data under Arts. 15–22: access, rectification, erasure, restriction of processing, data portability, objection, and protection against solely automated decision-making. Strictly, "DSAR" denotes a data subject access request (Art. 15), which must normally be answered within one month.
Data Protection Officer (DPO)
Independent role mandated by GDPR Art. 37 for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special-category or criminal-conviction data.
Schrems II
2020 CJEU ruling (Case C-311/18) invalidating the EU–US Privacy Shield and holding that exporters relying on Standard Contractual Clauses must assess, case by case, whether the destination country's law undermines the clauses; in practice, a transfer impact assessment (TIA) with supplementary measures where needed.
