Does the GDPR apply to companies outside the EU?

Yes, where they offer goods or services to, or monitor, individuals in the EU. Such organisations must comply and often appoint an EU representative.

What is the maximum GDPR fine?

Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements.

What is the difference between a controller and a processor?

A controller determines the purposes and means of processing personal data. A processor processes data on behalf of and under the instructions of the controller. A DPA is required between them.

What lawful bases are available under the GDPR?

Six bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The most commonly used in commercial contexts are consent, contract, and legitimate interests; each has different requirements and implications.

How does the GDPR affect AI and automated processing?

Article 22 GDPR gives individuals the right not to be subject to solely automated decisions with significant effects, including profiling. AI systems making such decisions must have a lawful basis and provide for human review on request.

GDPR

The EU regulation governing how personal data of individuals must be processed and protected.

Definición

The General Data Protection Regulation (GDPR) is the EU-wide law governing the processing of personal data, granting individuals rights of access, correction, and erasure and imposing principles such as lawfulness, purpose limitation, and data minimisation. It applies to controllers and processors, requires a lawful basis for processing, and backs compliance with fines up to €20 million or 4% of global turnover. In the Netherlands it is known as the AVG and supplemented by the Uitvoeringswet AVG.

Ejemplo

Before launching an email campaign, a marketer confirms a valid lawful basis (consent or legitimate interest) for processing the recipients' data under the GDPR.

Por qué es un riesgo para la empresa

GDPR compliance is not only a legal obligation but a contractual one: customer and partner contracts increasingly require warranted compliance, and a breach can trigger indemnity obligations as well as regulatory fines. Companies that treat GDPR as a checkbox exercise, rather than an ongoing programme, often discover gaps only when a breach or regulator inspection occurs.

Cómo gestionarlo

Maintain a Record of Processing Activities (ROPA) so you know what data you process, on what basis, and who handles it.
Ensure every supplier that processes personal data on your behalf has a signed DPA before processing begins.
Test your 72-hour breach-notification process before an incident happens: know who is responsible and what data the regulator needs.
Review contracts that include GDPR warranties periodically so the warranted standard keeps pace with regulatory guidance.

Referencias legales

Regulation (EU) 2016/679 General Data Protection Regulation

Salvo indicación en contrario, las referencias remiten al derecho neerlandés (Burgerlijk Wetboek, el Código Civil neerlandés); los instrumentos de la UE como el RGPD se aplican en toda la UE. Se trata de información general, no de asesoramiento legal. Otras jurisdicciones tratan estos conceptos de forma distinta. Verifique el texto vigente y su situación con un abogado cualificado.

Preguntas frecuentes

Preguntas comunes sobre este término.