GDPR Requirements: Complete Overview
All GDPR requirements at a glance: 7 principles, legal bases, data subject rights, records of processing, and more.
The GDPR at a Glance
The General Data Protection Regulation (GDPR) is the central European data protection regulation (EU Regulation 2016/679). It has been directly applicable in all EU member states since 25 May 2018 and governs the protection of personal data of natural persons. With 99 articles and 173 recitals, it is the most comprehensive data protection law in the world.
The GDPR also has significant extraterritorial reach: it applies to any organisation worldwide that processes personal data of individuals located in the EU, regardless of where the organisation itself is based. This means companies in the United States, the United Kingdom, and beyond must comply if they offer goods or services to EU residents or monitor their behaviour.
The 7 Principles of Data Processing (Art. 5)
Every processing of personal data must comply with the seven principles of Article 5. These principles form the foundation of the GDPR and are the starting point for any compliance assessment.
- Lawfulness, Fairness, and Transparency — Data may only be processed on a legal basis and in a transparent manner.
- Purpose Limitation — Data may only be collected for specified, explicit, and legitimate purposes.
- Data Minimisation — Only data that is adequate, relevant, and necessary for the purpose may be collected.
- Accuracy — Personal data must be accurate and kept up to date.
- Storage Limitation — Data may only be stored for as long as necessary for the purpose.
- Integrity and Confidentiality — Appropriate technical and organisational measures must protect data against unauthorised access, loss, or destruction.
- Accountability — The controller must be able to demonstrate compliance with all principles.
The 6 Legal Bases (Art. 6)
Every processing of personal data requires a legal basis under Article 6 GDPR. Without a valid legal basis, the processing is unlawful.
- Consent (Art. 6(1)(a)) — Freely given, specific, informed, and unambiguous consent of the data subject.
- Contract (Art. 6(1)(b)) — Processing necessary for the performance of a contract with the data subject.
- Legal Obligation (Art. 6(1)(c)) — Processing necessary to comply with a legal obligation.
- Vital Interests (Art. 6(1)(d)) — Processing necessary to protect the vital interests of the data subject or another natural person.
- Public Interest (Art. 6(1)(e)) — Processing necessary for the performance of a task carried out in the public interest.
- Legitimate Interests (Art. 6(1)(f)) — Processing necessary for the legitimate interests of the controller, unless overridden by the interests or fundamental rights of the data subject.
Chapter Structure of the GDPR
The GDPR is divided into eleven chapters covering the entire regulatory framework:
- Chapter I (Art. 1-4) — General provisions, scope, and definitions.
- Chapter II (Art. 5-11) — Principles of processing and legal bases.
- Chapter III (Art. 12-23) — Rights of the data subject.
- Chapter IV (Art. 24-43) — Obligations of controllers and processors.
- Chapter V (Art. 44-49) — Transfers to third countries and international organisations.
- Chapter VI (Art. 51-59) — Independent supervisory authorities.
- Chapter VII (Art. 60-76) — Cooperation and consistency.
- Chapter VIII (Art. 77-84) — Remedies, liability, and penalties.
- Chapter IX (Art. 85-91) — Provisions relating to specific processing situations.
- Chapter X (Art. 92-93) — Delegated and implementing acts.
- Chapter XI (Art. 94-99) — Final provisions.
Key Areas of the GDPR
The GDPR covers several key areas that every organisation must address:
Data Subject Rights (Art. 15-22)
The GDPR grants data subjects extensive rights: access, rectification, erasure, restriction, data portability, objection, and protection against automated decision-making. Organisations must establish processes to fulfil these rights within the required timeframes.
Records of Processing Activities (Art. 30)
Every controller and processor must maintain a record of all processing activities. The record documents the purpose, legal basis, data categories, recipients, and retention periods of each activity.
Technical and Organisational Measures (Art. 32)
Article 32 requires appropriate technical and organisational measures (TOMs) to protect personal data, such as encryption, pseudonymisation, access controls, backups, and regular review of the measures' effectiveness.
Data Processing Agreements (Art. 28)
When service providers process personal data on behalf of a controller, a Data Processing Agreement (DPA) is mandatory. It regulates the purpose, scope, instructions, and technical measures.
Data Protection Officer (Art. 37-39)
Under certain conditions, appointing a Data Protection Officer is mandatory. Under German law (BDSG), this applies when 20 or more persons are regularly engaged in automated processing of personal data.
Further Key Areas
- Data Protection Impact Assessment (DPIA, Art. 35)
- Breach Notification (Art. 33-34)
- Fines and Penalties (Art. 83-84)
- International Data Transfers (Art. 44-49)
Obligations for Organisations
Organisations that process personal data must fulfil numerous obligations. The most important areas of action include:
- Information Obligations — Data subjects must be comprehensively informed when data is collected (Art. 13-14).
- Data Protection by Design — Privacy by Design and Privacy by Default (Art. 25).
- Breach Notification — Data breaches must be reported within 72 hours (Art. 33).
- Data Protection Impact Assessment — Required when processing poses a high risk to data subjects (Art. 35).
- Documentation — Comprehensive documentation duties that follow from the accountability principle of Article 5.
GDPR and National Implementing Laws
While the GDPR applies directly across the EU, member states may adopt national provisions in certain areas. In Germany, the Federal Data Protection Act (BDSG) supplements the GDPR with national specifications, including rules on employee data processing (Section 26 BDSG), video surveillance (Section 4 BDSG), and the obligation to appoint a Data Protection Officer (Section 38 BDSG). Organisations operating in Germany must therefore always consider both sets of rules.
Similarly, other EU member states have their own supplementary laws, and the UK has adopted the UK GDPR post-Brexit. The core principles remain aligned across all jurisdictions.
GDPR Compliance with Kopexa
Kopexa provides a pre-loaded GDPR framework with all requirements, a controls catalogue, and gap analysis. Get started now with the GDPR Checklist or review the Cross-Mapping to ISO 27001.