Does the GDPR apply to companies outside the EU?

Yes, where they offer goods or services to, or monitor, individuals in the EU. Such organisations must comply and often appoint an EU representative.

What is the maximum GDPR fine?

Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements.

What is the difference between a controller and a processor?

A controller determines the purposes and means of processing personal data. A processor processes data on behalf of and under the instructions of the controller. A DPA is required between them.

What lawful bases are available under the GDPR?

Six bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The most commonly used in commercial contexts are consent, contract, and legitimate interests; each has different requirements and implications.

How does the GDPR affect AI and automated processing?

Article 22 GDPR gives individuals the right not to be subject to solely automated decisions with significant effects, including profiling. AI systems making such decisions must have a lawful basis and provide for human review on request.

GDPR

The EU regulation governing how personal data of individuals must be processed and protected.

Définition

The General Data Protection Regulation (GDPR) is the EU-wide law governing the processing of personal data, granting individuals rights of access, correction, and erasure and imposing principles such as lawfulness, purpose limitation, and data minimisation. It applies to controllers and processors, requires a lawful basis for processing, and backs compliance with fines up to €20 million or 4% of global turnover. In the Netherlands it is known as the AVG and supplemented by the Uitvoeringswet AVG.

Exemple

Before launching an email campaign, a marketer confirms a valid lawful basis (consent or legitimate interest) for processing the recipients' data under the GDPR.

Pourquoi c'est un risque pour l'entreprise

GDPR compliance is not only a legal obligation but a contractual one: customer and partner contracts increasingly require warranted compliance, and a breach can trigger indemnity obligations as well as regulatory fines. Companies that treat GDPR as a checkbox exercise, rather than an ongoing programme, often discover gaps only when a breach or regulator inspection occurs.

Comment le gérer

Maintain a Record of Processing Activities (ROPA) so you know what data you process, on what basis, and who handles it.
Ensure every supplier that processes personal data on your behalf has a signed DPA before processing begins.
Test your 72-hour breach-notification process before an incident happens: know who is responsible and what data the regulator needs.
Review contracts that include GDPR warranties periodically so the warranted standard keeps pace with regulatory guidance.

Références juridiques

Regulation (EU) 2016/679 General Data Protection Regulation

Sauf mention contraire, les références renvoient au droit néerlandais (Burgerlijk Wetboek, le Code civil néerlandais) ; les instruments de l'UE tels que le RGPD s'appliquent dans toute l'UE. Il s'agit d'informations générales, pas de conseils juridiques. D'autres juridictions traitent ces concepts différemment. Vérifiez le texte en vigueur et votre situation avec un avocat qualifié.

Foire aux questions

Questions courantes sur ce terme.