
What does GDPR mean?
The GDPR (General Data Protection Regulation – EU Regulation 2016/679) is the European regulation that governs how personal data must be collected, used, stored, protected, and processed lawfully.
It officially came into force on May 25, 2018, replacing the 1995 Data Protection Directive and significantly strengthening individuals’ rights, giving them greater control over their personal information.
Today, the GDPR represents the most comprehensive regulatory framework for privacy and data protection at the European level.
Practical example
If an online company collects user data through its website and stores it on a third-party cloud service, the company is the data controller, while the cloud provider is the data processor.
The GDPR was created to strengthen the protection of personal data for all individuals and to restore full control over personal information to users.
What is recognized as personal data?
Under the GDPR, personal data means any information relating to an identified or identifiable natural person, directly or indirectly. Data that can identify a person when combined with other information also falls under this definition.
Pseudonymized or encrypted data is still considered personal data if it can be re-associated with an individual. In such cases, decryption keys must be stored separately from the protected data.
It is important to define these two key concepts:
Data controller: the natural or legal person who determines the purposes and means of processing personal data.
Data processor: the natural or legal person who processes personal data on behalf of the controller.
Examples of personal data:
Basic identifying data such as first and last name
Health, genetic, and biometric data
Online data such as IP addresses
Personal email addresses
Political opinions
Data concerning sexual orientation
Examples of non-personal data:
Company registration numbers
Generic email addresses such as info@company.com
Fully anonymized data
Who does it apply to?
The GDPR applies to:
Any organization established in the European Union, regardless of where data processing takes place.
Any organization outside the EU that offers goods or services (including free ones) to individuals located in the EU.
Any non-EU organization that monitors the behavior of individuals within the EU, provided such monitoring takes place within EU territory.
This includes public authorities, private companies, non-profit organizations, and individuals.
Where does it apply?
Thanks to its broad territorial scope, the GDPR affects most companies worldwide, not just European ones. A PwC study found that up to 92% of U.S. companies consider GDPR compliance an absolute priority.
A common mistake is to believe that the GDPR only protects users residing in the EU. In reality:
If a company is established in the EU, the GDPR applies to all of its users worldwide.
This means an EU-based controller must apply GDPR standards to all users, without geographical distinction.
When does it not apply?
Non-applicability conditions are defined by Articles 2 and 3 of the GDPR and must be assessed under two profiles:
Material scope (subject matter of processing)
Territorial scope
Material scope
The GDPR applies exclusively to the processing of personal data. It does not apply to purely corporate data (such as a company’s name or address).
However, caution is required: since companies involve natural persons, any data referring to them is considered personal data, even in B2B contexts.
The GDPR also does not apply when personal data is processed:
By Member States in the context of common foreign and security policy
By competent authorities for purposes of:
Crime prevention
Investigation and prosecution of criminal offenses
Execution of penalties
Safeguarding public security
By EU institutions, bodies, offices, and agencies
By a natural person for purely personal or household activities (e.g., a personal contact list)
Territorial scope
From a territorial perspective, the GDPR does not apply only if all of the following conditions are met:
The controller or processor is not established in the EU
(Note: even a simple EU branch of a non-EU company, without separate legal personality, is fully subject to the GDPR.)
The processing does not involve:
Offering goods or services (even free) to individuals in the EU
Monitoring the behavior of individuals in the EU
The controller is not located in a non-EU country where EU law applies by virtue of public international law
Legal bases for data processing
Under the GDPR, personal data may be processed only if at least one valid legal basis exists.
Recognized legal bases include:
The user has given consent for one or more specific purposes.
Processing is necessary for the performance of a contract to which the user is a party, or for pre-contractual measures requested by the user.
Processing is necessary to comply with a legal obligation.
Processing is necessary to protect the vital interests of the user or another person.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Processing is necessary for the legitimate interests of the controller or third parties, provided such interests do not override the user’s fundamental rights and freedoms, especially if the user is a minor.
Important note
Consent is the most commonly used legal basis, but it is not the only one. In many cases, other legal grounds may apply. Determining the correct legal basis requires a legal assessment. That said, there are situations where consent is the only possible, safest, or most appropriate option.
Consent under the GDPR
When data processing is based on consent, organizations must obtain verifiable consent from users.
Consent must be requested using clear, simple language, avoiding unnecessary technical jargon and complex legal wording. Privacy notices and consent forms must be easily readable and understandable so users fully comprehend what they are agreeing to and the consequences.
Organizations must be transparent about processing purposes, and consent must be:
Explicit
Freely given
Unambiguous
Consent mechanisms must require an active opt-in action. The GDPR expressly prohibits pre-ticked boxes and opt-out systems.
Users also have the right to withdraw consent, and withdrawal must be as easy as giving it.
When processing involves minors, verifiable consent from a parent or legal guardian is required, except for preventive or counseling services. Organizations must adopt reasonable measures, including technical ones, to verify parental responsibility.
Cookies
Another important European regulation is the ePrivacy Directive, also known as the Cookie Law. It is still in force and has not been repealed by the GDPR. In the future, it will be replaced by the ePrivacy Regulation, which will operate alongside the GDPR while maintaining the same protection principles.
The Cookie Law requires obtaining informed user consent before storing cookies on a user’s device or carrying out tracking activities.
Data transfers outside the EU
The GDPR allows personal data transfers outside the European Economic Area (EEA) only if specific legal safeguards are in place.
Transfers are permitted when:
The destination country ensures an adequate level of protection according to the European Commission, or
Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are adopted.
These mechanisms ensure that data retains an equivalent level of protection to that provided within the EU, even when processed abroad.
Privacy by design & Privacy by default
Data protection must be integrated from the earliest stages of system design, business processes, and infrastructure. Privacy settings must be set to the highest level by default, and appropriate measures must be adopted to ensure that the entire data processing lifecycle fully complies with GDPR requirements.
Data breach notification
In the event of a personal data breach, the controller must notify the competent supervisory authority within 72 hours of becoming aware of the incident. If the breach occurs at a processor, the processor must immediately inform the controller.
Affected users must also be informed within the same timeframe, unless:
The compromised data was protected by effective encryption rendering it unreadable to unauthorized parties, or
The breach is unlikely to result in a risk to individuals’ rights and freedoms.
In all cases, the controller must keep an internal record of all breaches to demonstrate compliance to the supervisory authority.
User rights
The GDPR significantly strengthened user rights, ensuring greater control, transparency, and protection. These include rights of access, rectification, erasure, portability, and more.
A user (or data subject) is any natural person whose personal data is processed by a controller or processor.
Right to information
Organizations must inform users about data processing activities at the time of collection, typically through a privacy notice. Information must be:
Clear
Transparent
Understandable
Easily accessible
Written in plain language (especially for minors)
Provided free of charge
Right of access
Users have the right to know whether and how their data is processed. Upon request, the controller must provide:
A copy of the personal data
Categories of data processed
Processing purposes
Collection methods
Recipients of the data
This right is distinct from, though related to, data portability and must be clearly differentiated in the privacy notice.
Right to rectification
Users have the right to correct inaccurate data or complete incomplete data. Corrections must be communicated to all data recipients unless impossible or excessively burdensome. Upon request, users may be informed of those recipients.
Right to object
Users may object to processing in certain circumstances:
For direct marketing purposes, objection is always possible without justification.
In other cases, a valid reason must be provided.
Right to data portability
Users have the right to receive their personal data in a structured, commonly used, machine-readable format and to transfer it to another controller without hindrance. This applies only to personal data, not fully anonymized data.
Right to erasure
Users may request deletion when:
Data is no longer necessary for original purposes
Consent has been withdrawn
Data has been unlawfully processed
In some legally defined cases, this right may be lawfully denied.
Right to restriction of processing
Users may restrict processing when:
They contest data accuracy
They have objected and verification is pending
Processing is unlawful but restriction is requested instead of deletion
Data is no longer needed by the controller but required for legal claims
Restrictions must be communicated to all recipients unless impossible or excessively burdensome.
Rights related to automated decision-making and profiling
Users have the right not to be subject to decisions based solely on automated processing or profiling that produce legal effects or significantly affect them.
Automated decisions are allowed only if:
Necessary for contract performance
Authorized by EU or national law
They do not produce legal or significant effects
Based on explicit user consent
Decisions based on special categories of data are permitted only with explicit consent or for substantial public interest reasons.
Data Protection Officer (DPO)
The DPO is a professional with specialized expertise in data protection. Their role is to support controllers and processors in monitoring GDPR compliance, overseeing data protection strategies, and supervising implementation.
Required expertise includes:
IT process management
Cybersecurity
Processing of personal and sensitive data
When is a DPO mandatory?
A DPO must be appointed when:
There is systematic, regular, and large-scale monitoring of users
Processing is carried out by a public authority (except courts)
The organization carries out complex processing activities, especially involving sensitive data
The obligation depends on the nature of processing, not the number of employees.
Records of processing activities
The GDPR requires controllers and processors to maintain complete, up-to-date records of processing activities. Records must be in writing, preferably electronic.
Records are mandatory when processing:
Is not occasional
May pose a risk to rights and freedoms
Involves special categories of data
Is carried out by organizations with more than 250 employees
In practice, these criteria apply to almost all organizations.
Important note
Even if processing theoretically falls outside these cases, Articles 13 and 14 GDPR require basic records, including:
What data is collected
Processing purposes
Parties involved
Data retention periods
This obligation applies to everyone.
Regular data audits not only ensure compliance but also improve internal processes and overall security.
Data Protection Impact Assessment (DPIA)
A DPIA helps organizations assess risks associated with data processing in advance, ensuring accountability, privacy by design, and privacy by default.
A DPIA must be documented in writing. While publication is not mandatory, it is recommended to demonstrate transparency and accountability.
An effective DPIA helps identify and resolve issues early, reducing:
Risks to data subjects
Risk of sanctions
Reputational damage
A DPIA is mandatory when processing poses a high risk to users’ rights and freedoms. When in doubt, conducting one is strongly recommended.
Sanctions: consequences of non-compliance
Non-compliance with the GDPR may result in administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher.
In addition to fines, organizations may face:
Official warnings
Inspections and audits
Civil liability for damages
Data subjects also have the right to:
Lodge a complaint with a supervisory authority
Seek compensation for damages
This exposes non-compliant organizations to significant legal risks and litigation.
The 7 fundamental principles of the GDPR
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
What does it mean to be compliant?
GDPR compliance means respecting all rules governing personal data processing, including:
Lawful data collection and processing
Ensuring security and protection
Obtaining clear, informed consent
Transparency in data usage
Appointing a DPO when required
Properly managing data breaches
Minimum compliance requirements:
Define a valid legal basis
Clearly describe collected data in privacy and cookie policies
Enable easy user access requests
Implement data breach detection and management systems
Maintain detailed processing records
How to check if you are GDPR-compliant
If your company is based in the EU (or UK) or targets users in the EU (or UK), GDPR applies. The ePrivacy Directive also applies to most EU-accessible websites using cookies or trackers.
Quick Self-Assessment Checklist:
Transparency & privacy notice
Consent management
Cookie and tracking policies
User rights management
Data governance and security
Our Ethical Analytics Solution
Using tools like Litlyx helps you stay GDPR-compliant from day one.
Litlyx uses proprietary, anonymous, cookieless tracking technologies designed by default to comply with the strictest European privacy regulations.
You can analyze user behavior without compromising user rights, avoiding legal risks, technical complexity, and operational overhead.
With Litlyx, your business adopts an ethical and responsible analytics approach, turning regulatory compliance into a competitive advantage.
Learn more about how Litlyx tracks data here.
Less noise, more value.
Sources
Learn more about the GDPR from a European website here.
