Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), protects individuals (natural persons) when their data is being processed by the private sector and most of the public sector. The processing of data by the relevant authorities for law-enforcement purposes is subject to the Data Protection Law Enforcement Directive (LED) instead (see summary).
It allows individuals to better control their personal data. It also modernises and unifies rules, allowing businesses to reduce red tape and to benefit from greater consumer trust.
It establishes a system of completely independent supervisory authorities in charge of monitoring and enforcing compliance.
It is part of the European Union (EU) data protection reform, along with the Data Protection Law Enforcement Directive and Regulation (EU) 2018/1725 on the protection of individuals with regard to the processing of personal data by the EU institutions, bodies, offices and agencies (see summary).
KEY POINTS
Individuals’ rights
The GDPR strengthens existing rights, provides for new rights and gives individuals more control over their personal data. It includes the following.
Easier access to an individual’s own data. This includes providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way.
A right to data portability. This makes it easier to transmit personal data between service providers.
A right to erasure (right to be forgotten). When an individual no longer wants their data to be processed and there is no legitimate reason to keep it, the data will be deleted.
The right to know when their personal data has been breached. Companies and organisations have to notify the relevant data protection supervisory authority and, in cases of serious data breaches, also the individuals affected.
Rules for businesses
The GDPR creates a level playing field for all companies operating in the EU internal market, adopts a technology-neutral approach and stimulates innovation through a number of steps, which include the following.
A single set of EU-wide rules. A single EU-wide law for data protection increases legal certainty and reduces administrative burdens.
A data protection officer. A person responsible for data protection has to be designated by public authorities and by businesses that process data on a large scale, or whose core activity is the processing of special categories of data, such as health-related data.
One-stop shop. Businesses only have to deal with one single supervisory authority (in the EU Member State in which they have their main establishment); the relevant supervisory authorities cooperate within the framework of the European Data Protection Board for cross-border cases, with additional procedural rules for cross-border enforcement laid down in Regulation (EU) 2025/2518.
EU rules for non-EU companies. Companies based outside the EU must apply the same rules when offering services or goods to, or when monitoring the behaviours of, individuals within the EU.
Innovation-friendly rules. A guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default).
Privacy-friendly techniques. Pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it), for example, are encouraged, in order to limit the intrusiveness of processing.
Removal of notifications. The GDPR scrapped most notification obligations and the costs associated with these. One of its aims is to remove obstacles that affect the free flow of personal data within the EU. This will make it easier for businesses to expand in the digital single market.
Data protection impact assessments. Organisations will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals.
Record keeping. Small and medium-sized enterprises are not required to keep records of processing activities – unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed, or includes sensitive categories of data.
A modern toolbox for international data transfers. The GDPR offers various instruments to transfer data outside the EU, including adequacy decisions adopted by the European Commission where the non-EU country offers an adequate level of protection, pre-approved (standard) contractual clauses, binding corporate rules, codes of conduct and certification.
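As an added illustration of the pseudonymisation technique mentioned under "Privacy-friendly techniques" (example code written for this summary, not taken from the Regulation or any official guidance), the snippet below replaces identifying fields of a record with keyed HMAC tokens and keeps the token-to-value table as the separately stored additional information. The field names, sample record and key are constructed assumptions; keyed hashing is one common way to produce artificial identifiers, not the only one.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Fields treated as directly identifying; all other fields are left untouched.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonymise(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (pseudonymised record, lookup table).

    Each identifying value is replaced by an HMAC-SHA256 token derived from the
    field name and value under a secret key. The token is deterministic for a
    given key, so the same person maps to the same token across records (the
    data stays usable for analytics) while the record itself no longer names
    them. The lookup table (token -> original value) and the key are the
    'additional information' that must be stored separately from the
    pseudonymised data and protected by their own access controls.
    """
    out = dict(record)
    table: Dict[str, str] = {}
    for field in IDENTIFYING_FIELDS:
        if field in out:
            msg = f"{field}:{out[field]}".encode("utf-8")
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
            table[token] = out[field]
            out[field] = token
    return out, table


def reidentify(pseudo: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Restore identifying values; only possible with the separately held table."""
    out = dict(pseudo)
    for field in IDENTIFYING_FIELDS:
        if field in out and out[field] in table:
            out[field] = table[out[field]]
    return out


# Constructed sample record and key for demonstration only.
SAMPLE_KEY = b"constructed-demo-key-store-separately"
SAMPLE = {"name": "Alice Example", "email": "alice@example.com", "visits": "12"}

if __name__ == "__main__":
    pseudo, table = pseudonymise(SAMPLE, SAMPLE_KEY)
    print(pseudo)                       # identifying fields now hold tokens
    print(reidentify(pseudo, table) == SAMPLE)
```

Without the key and the lookup table a holder of the pseudonymised data cannot recover the names, which is exactly why those two items are the part to lock down.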
Enforcement of the GDPR in cross-border cases
Regulation (EU) 2025/2518 (adopted on and published in the Official Journal on ) sets procedural rules for enforcing the GDPR in cross-border cases (where more than one EU / European Economic Area authority is involved). The goal is to make investigations and complaint-handling faster and more consistent across Member States.
The regulation strengthens and standardises processes such as how complaints are lodged and assessed, cooperation between the lead supervisory authority and other concerned authorities, and clearer procedural rights for key parties (complainants and parties under investigation). It is intended to improve efficiency and legal certainty in cross-border GDPR enforcement while supporting smoother coordination between regulators.
Review
The Commission published the first report on the evaluation and review of the regulation in June 2020. A second report was published in July 2024, and the next report is due in 2028.
FROM WHEN DOES THE REGULATION APPLY?
The GDPR has applied since .
The procedural rules for cross-border enforcement laid down in Regulation (EU) 2025/2518 apply from .
Regulation (EU) 2016/679 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, , pp. 1–88).
Successive amendments to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.
RELATED DOCUMENTS
Regulation (EU) 2025/2518 on additional procedural rules on the enforcement of the GDPR.
Regulation (EU) 2018/1725 on the protection of personal data by the EU institutions, bodies, offices and agencies and on the free movement of such data.
Directive (EU) 2016/680 on the protection of personal data by police and criminal justice authorities and on the free movement of such data.
Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).