GDPR
The EU regulation governing how personal data of individuals must be processed and protected.
Definition
The General Data Protection Regulation (GDPR) is the EU-wide law governing the processing of personal data, granting individuals rights of access, correction, and erasure and imposing principles such as lawfulness, purpose limitation, and data minimisation. It applies to controllers and processors, requires a lawful basis for processing, and backs compliance with fines of up to €20 million or 4% of global turnover. In the Netherlands it is known as the AVG and supplemented by the Uitvoeringswet AVG.
Example
Before launching an email campaign, a marketer confirms a valid lawful basis (consent or legitimate interest) for processing the recipients' data under the GDPR.
Why this is a business risk
GDPR compliance is not only a legal obligation but a contractual one: customer and partner contracts increasingly require warranted compliance, and a breach can trigger indemnity obligations as well as regulatory fines. Companies that treat GDPR as a checkbox exercise, rather than an ongoing programme, often discover gaps only when a breach or regulator inspection occurs.
How to manage it
- Maintain a Record of Processing Activities (ROPA) so you know what data you process, on what basis, and who handles it.
- Ensure every supplier that processes personal data on your behalf has a signed DPA before processing begins.
- Test your 72-hour breach-notification process before an incident happens: know who is responsible and what data the regulator needs.
- Review contracts that include GDPR warranties periodically so the warranted standard keeps pace with regulatory guidance.
Legal references
Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.
Frequently asked questions
Common questions about this term.