Loading…
Regulation (EU) 2016/679 — the General Data Protection Regulation — has applied since 25 May 2018 across all 27 EU Member States plus the EEA (Iceland, Liechtenstein, Norway). It governs the processing of personal data of individuals in the EU regardless of where the controller or processor is established.
Enforcement sits with each Member State's Supervisory Authority (e.g., CNIL, BfDI, Garante, AEPD, Ireland DPC), coordinated by the European Data Protection Board (EDPB) via the one-stop-shop mechanism.
Article 5(1)(a) — processing must have a lawful basis and be transparent to the data subject.
Article 5(1)(b) — collected for specified, explicit, and legitimate purposes only.
Article 5(1)(c) — adequate, relevant, and limited to what is necessary.
Article 5(1)(d) — accurate and, where necessary, kept up to date.
Article 5(1)(e) — kept no longer than necessary for the purpose.
Article 5(1)(f) — appropriate security including encryption and access control.
Freely given, specific, informed, unambiguous — and as easy to withdraw as to give.
Necessary for the performance of a contract with the data subject.
Required to comply with a legal obligation in EU or Member State law.
Necessary to protect the life of the data subject or another natural person.
Carrying out a task in the public interest or exercise of official authority.
Pursued by the controller or third party, balanced against the rights of the data subject.
Offering goods or services to people in the EU (Art. 3 extraterritorial scope) — must appoint an Art. 27 EU Representative.
Profiling, retargeting, programmatic — primary enforcement focus of CNIL, AEPD, and Garante.
Article 9 special category data with heightened safeguards and explicit consent requirements.
GDPR Article 22 plus the new EU AI Act — high-risk systems require DPIA, FRIA, and conformity assessment.
Appointed in-EU representative for non-EU controllers and processors, as a single point of contact for Supervisory Authorities and data subjects.
Certified Data Protection Officer (Art. 37) advising on compliance, training, and Supervisory Authority cooperation.
Art. 30 records of processing activities — maintained, kept current, and produced on regulator request within hours.
Data Protection Impact Assessments (Art. 35) and Legitimate Interest Assessments for high-risk processing and new product launches.
Triage, classification, Supervisory Authority notification (Art. 33) and data-subject communication (Art. 34) — handled end-to-end.
Standard Contractual Clauses, Binding Corporate Rules, adequacy assessments, and Schrems II Transfer Impact Assessments.
We act as your Article 27 Representative across all 27 EU Member States — single point of contact, multilingual support, full Supervisory Authority cover.