Rule

Businesses processing personal data of EU/EEA residents must comply with the General Data Protection Regulation (GDPR) regardless of where the business is located. Compliance requires establishing a lawful basis for processing (consent, contract, legitimate interest, legal obligation, vital interest, or public task), appointing a Data Protection Officer where required, implementing data protection by design and default, and maintaining records of processing activities. Organizations must respond to data subject rights requests (access, rectification, erasure, portability, objection) within one month. [src1, src2]

Evidence

Since enforcement began in May 2018 through February 2026, EU Data Protection Authorities have issued over EUR 4.5 billion in cumulative GDPR fines. Tier 1 violations (breaching core principles) carry penalties up to EUR 20 million or 4% of global annual turnover, whichever is higher. Tier 2 violations (specific obligations like processor duties) carry penalties up to EUR 10 million or 2% of turnover. Data breaches must be reported to the supervisory authority within 72 hours, and to affected individuals without undue delay if the breach poses high risk. The European Commission proposed targeted amendments in Q4 2025 that will reshape cookie consent, expand SME exemptions, and clarify AI obligations under the EU AI Act taking full effect on 2 August 2026. [src1, src2, src3]

Key Properties

Maximum penalty (Tier 1): EUR 20 million or 4% of global annual turnover, whichever is higher
Maximum penalty (Tier 2): EUR 10 million or 2% of global annual turnover
Breach notification deadline: 72 hours to supervisory authority; without undue delay to individuals if high risk
Data subject request response time: 1 month (extendable by 2 months for complex requests)
Enforcement body: National DPAs in each EU/EEA member state, coordinated via the EDPB
Cumulative fines issued (2018-2026): Over EUR 4.5 billion across the EU/EEA

Conditions

Applies when: Any organization worldwide that processes personal data of individuals located in the EU/EEA, offers goods or services to them, or monitors their behavior -- no minimum size threshold exists
Does NOT apply when: Processing is purely for personal or household activities, or data is truly anonymized (not pseudonymized) and cannot be re-identified
Confidence degrades when: National implementations diverge (each EU member state has supplementary legislation), proposed 2025-2026 amendments change core obligations, or post-Brexit UK GDPR further diverges from EU GDPR

Constraints

Jurisdiction: applies only to processing of EU/EEA resident data or monitoring of EU/EEA individuals [src1]
Temporal: proposed 2025-2026 amendments may change core obligations including cookie consent simplification and SME exemptions [src5]
Entity threshold: no minimum size -- even sole proprietors and micro-enterprises must comply (though proposed amendments may ease record-keeping for SMEs) [src5]
Prerequisite: organizations must first classify themselves as controller or processor, as obligations differ significantly [src1]
Interaction: UK GDPR (post-Brexit) is a separate regime; Switzerland has its own revFADP; EEA countries follow EU GDPR via the EEA Agreement [src3]

Rationale

The GDPR replaced the 1995 Data Protection Directive to create a unified framework across the EU, eliminating the patchwork of 28 different national laws. Its extraterritorial scope ensures that EU residents' data is protected regardless of where it is processed, and the severe penalty structure (up to 4% of global turnover) creates a credible deterrent that has driven widespread adoption of privacy-by-design practices even among non-EU companies. [src1, src3]

Framework Selection Decision Tree

START -- User needs privacy/data protection compliance guidance
|-- Which jurisdiction?
|   |-- EU/EEA residents --> GDPR Summary <-- YOU ARE HERE
|   |-- California residents --> CCPA/CPRA Summary
|   |-- Japan residents --> APPI Japan Summary
|   |-- Brazil residents --> LGPD Brazil Summary
|   +-- Multiple jurisdictions --> Cross-Border Data Transfers unit
|-- Does the organization process personal data of EU/EEA individuals?
|   |-- YES --> Apply GDPR: lawful basis, DPO, DPIA, breach notification
|   +-- NO --> GDPR does not apply; check other jurisdiction rules
+-- Is there an existing privacy program?
    |-- YES --> Audit against GDPR Articles 5-49
    +-- NO --> Start with data mapping and processing records (Article 30)

Application Checklist

Step 1: Determine applicability and role

Inputs needed: Organization location, whether it processes EU/EEA resident data, whether it offers goods/services to EU/EEA, or monitors EU/EEA behavior
Output: Confirmed GDPR applicability and classification as controller, processor, or both
Constraint: If no EU/EEA nexus exists, GDPR does not apply -- do not over-apply [src1]

Step 2: Establish lawful bases for all processing activities

Inputs needed: Complete data inventory, purposes of processing, data subject categories
Output: Documented lawful basis for each processing activity
Constraint: Consent must be freely given, specific, informed, and unambiguous; pre-ticked boxes and bundled consent are invalid [src2]

Step 3: Implement technical and organizational measures

Inputs needed: Risk assessment results, processing activity records, data flow maps
Output: Data protection by design and default controls, DPO appointment (if required), DPIA for high-risk processing
Constraint: DPO mandatory for public authorities, large-scale monitoring, or large-scale processing of special categories [src1]

Step 4: Establish data subject rights and breach response processes

Inputs needed: Communication channels, response workflows, incident detection systems
Output: Documented procedures for handling rights requests within 1 month; breach notification within 72 hours
Constraint: Escalate to legal counsel if breach involves special category data or large-scale exposure [src2]

Anti-Patterns

Wrong: Using "legitimate interest" as a catch-all without a Legitimate Interest Assessment

Organizations default to legitimate interest for all non-consent processing without documenting the three-part test. Meta was fined EUR 390 million for claiming behavioral advertising was "necessary" to provide social media services. [src2]

Correct: Conduct a documented LIA for each processing activity

Each legitimate interest claim must pass the three-part test: (1) identify the legitimate interest, (2) show processing is necessary, (3) balance against individual rights. Document and revisit when processing changes. [src1]

Wrong: Cookie consent dark patterns with pre-loaded trackers

Making "Reject All" harder to find than "Accept All," using pre-ticked boxes, or firing cookies before consent. EU DPAs issue per-session fines for each affected user. [src3]

Correct: Equal-friction consent with no pre-loading

Present Accept and Reject options with equal prominence on the first layer. No cookies fire before affirmative consent. Maintain timestamped consent logs. [src2]

Wrong: Deletion requests applied only to production databases

Shadow IT, exported CSVs, test environments, and backups retain personal data indefinitely after erasure requests, creating ongoing Article 17 violations. [src4]

Correct: Include all data stores in erasure workflows

Map all locations where personal data exists -- production, backups, analytics, exports, vendor systems. Implement systematic erasure with documented exception processes for legal holds. [src1]

Counter-Arguments

SMEs face disproportionate compliance costs relative to their risk profile; the European Commission's proposed 2025 amendments acknowledge this by expanding SME exemptions for record-keeping and DPO requirements. [src5]
The "legitimate interest" basis is interpreted inconsistently across member states, creating legal uncertainty for businesses operating in multiple EU jurisdictions. [src4]
Consent fatigue from cookie banners may undermine the regulation's intent; proposed amendments aim to simplify consent mechanisms. [src3]

Common Misconceptions

Misconception: GDPR only applies to companies headquartered in the EU.
Reality: GDPR applies to any organization worldwide that processes EU/EEA resident data, offers them goods/services, or monitors their behavior (Article 3). [src1]

Misconception: Pseudonymized data is exempt from GDPR.
Reality: Pseudonymized data remains personal data under GDPR because it can be re-identified. Only fully anonymized data (irreversible) falls outside scope. [src1]

Misconception: A DPO is required for every organization.
Reality: A DPO is mandatory only for public authorities, organizations conducting large-scale systematic monitoring, or those processing special category data at scale. [src2]

Misconception: GDPR compliance is a one-time project.
Reality: GDPR requires ongoing compliance: regular audits, updated DPIAs, continuous training, and monitoring of regulatory changes. The 2026 EDPB coordinated action focuses on transparency (Articles 12-14). [src3]

Comparison with Similar Rules

Rule/Framework	Key Difference	When to Use
GDPR (EU)	Opt-in model; 6 lawful bases; up to 4% global turnover penalty	Processing EU/EEA resident data
CCPA/CPRA (California)	Opt-out model; threshold-based; per-violation fines	Processing California resident data above thresholds
LGPD (Brazil)	10 legal bases; BRL 50M cap; ANPD enforcement	Processing Brazilian resident data
APPI (Japan)	No size threshold; criminal penalties; PPC enforcement	Processing Japanese resident data

GDPR Compliance Requirements for Businesses