What GDPR is

Type: Explanation
Created:
Team: Security
Status: draft

Overview

The General Data Protection Regulation (GDPR) is a comprehensive European Union law designed to give individuals control over their personal data and to unify data privacy regulations across Europe. Enacted to protect fundamental privacy rights in the modern digital age, it applies to any organization worldwide that targets or collects data related to people in the EU.

How the regulation is structured

To navigate its requirements effectively, it helps to understand how the regulation itself is structured. Think of the GDPR like a comprehensive reference manual divided into three main layers:

  • The recitals (the context) — Before the actual laws begin, there is an introduction containing 173 recitals. These are not binding rules; they are explanations. They provide real-world context, legal intentions, and examples to help interpret what the lawmakers actually meant.
  • The chapters (the categories) — The framework is organized into 11 broad chapters. Think of these as high-level folders that group the law by major themes, such as "Rights of the Data Subject" or "Penalties".
  • The articles (the rules) — Inside the chapters are the 99 articles. These are the strict, legally binding laws that organizations must follow. When an organization is audited or fined, it is evaluated against these specific articles.

What each chapter covers

Here is a quick, high-level summary of what each of the 11 chapters actually covers:

Chapter | Articles | What it covers
--- | --- | ---
1. General Provisions | 1–4 | Sets the stage. Defines who the law applies to (any company handling EU citizens' data), what counts as "personal data", and the core goals of the regulation.
2. Principles | 5–11 | The foundational rules. Outlines the seven core principles of data processing (like accuracy and security) and sets the strict rules for how to legally obtain user consent.
3. Rights of the Data Subject | 12–23 | All about the individual. Grants people rights over their data, including the right to be forgotten, the right to access what a company holds on them, and the right to correct mistakes.
4. Controller and Processor | 24–43 | The rules for businesses. Outlines the legal obligations of the companies collecting data (controllers) and the vendors helping them process it (processors). Mandates data protection by design and security measures.
5. Transfers of Personal Data to Third Countries | 44–50 | Moving data across borders. Sets the strict rules for when personal data can legally leave the EU (for example, sending data to servers in the US or other non-EU countries).
6. Independent Supervisory Authorities | 51–59 | The watchdogs. Requires every EU member state to establish an independent data protection authority (like the CNIL in France) to monitor and enforce the law.
7. Cooperation and Consistency | 60–76 | Working together. Sets up rules for how the different European watchdog authorities must coordinate with each other so the law is applied the same way everywhere.
8. Remedies, Liability and Penalties | 77–84 | The teeth of the law. Gives individuals the right to lodge complaints and sue for damages, and outlines the massive multi-million-euro fines companies face for non-compliance.
9. Provisions Relating to Specific Processing Situations | 85–91 | The exceptions. Balances data privacy with other specific needs, creating special rules for things like journalism, freedom of expression, scientific research, and employment data.
10. Delegated Acts and Implementing Acts | 92–93 | The bureaucracy. Gives the European Commission the power to adopt minor legal updates to the regulation without needing to rewrite the whole law.
11. Final Provisions | 94–99 | The technical wrap-up. Details how the GDPR repeals older directives, how it interfaces with other laws, and the exact date it officially came into force.

Where to read the official text

While the EU's EUR-Lex portal holds the official legal record, most privacy professionals use GDPR-info.eu. It contains the exact official text, but organizes it into a highly searchable format that links each binding article directly to its explanatory recitals.

  • GDPR for storage — the specific articles and principles that govern how personal data must be stored and kept secure.