Skip to main content
Regulome
Search regulations…⌘K
For ProvidersFree Checker
EU GDPREnforcedEuropean Union

General Data Protection Regulation.

The EU's comprehensive data protection framework governing the processing of personal data, including biometric and AI-processed data, with extraterritorial reach and significant penalties.

Last updated:

Effective
May 25, 2018
Enforcement
May 25, 2018
Max Penalty
€20 million or 4% of global annual turnover
Jurisdiction
European Union
§ Timeline
Apr 2016May 2018
AdoptedEnforceable

Overview

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the European Union's comprehensive data protection framework. Adopted on April 27, 2016 and enforceable from May 25, 2018, GDPR governs the processing of personal data of individuals within the EU and the European Economic Area (EEA).

GDPR is foundational to AI compliance because virtually every AI system that processes information about people involves personal data. GDPR's requirements for lawful processing, data minimization, transparency, and automated decision-making directly shape how AI systems must be designed, trained, and deployed.

Key principles:

  1. Lawfulness, fairness, and transparency in data processing
  2. Purpose limitation — data collected for specified, explicit, and legitimate purposes
  3. Data minimization — adequate, relevant, and limited to what is necessary
  4. Accuracy — personal data must be kept accurate and up to date
  5. Storage limitation — kept no longer than necessary
  6. Integrity and confidentiality — appropriate security measures
  7. Accountability — the controller must demonstrate compliance

Who It Applies To

Material Scope

GDPR applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms part of a filing system.

Territorial Scope (Article 3)

GDPR applies to:

  • Establishments in the EU — any controller or processor with an establishment in the EU, regardless of whether processing takes place in the EU
  • Targeting EU residents — controllers or processors outside the EU that offer goods or services to individuals in the EU, or monitor their behavior within the EU

Who Must Comply

EntityObligation
Data controllersOrganizations that determine the purposes and means of processing
Data processorsOrganizations that process data on behalf of controllers
Sub-processorsMust be bound by equivalent data protection obligations

Key Principles

Article 5 — Principles

  1. Lawfulness, fairness, transparency — Processing must have a lawful basis, be fair to the data subject, and be transparent about how data is used.

  2. Purpose limitation — Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  3. Data minimization — Only data that is adequate, relevant, and limited to what is necessary for the stated purpose may be collected.

  4. Accuracy — Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.

  5. Storage limitation — Data must be kept in a form that permits identification of data subjects for no longer than necessary for the purposes of processing.

  6. Integrity and confidentiality — Data must be processed in a manner that ensures appropriate security, including protection against unauthorized processing, accidental loss, destruction, or damage.

  7. Accountability — The controller must be able to demonstrate compliance with all of the above principles.


Lawful Bases for Processing

Article 6 establishes six lawful bases for processing personal data:

BasisDescription
ConsentFreely given, specific, informed, and unambiguous indication of agreement
ContractNecessary for performing or entering into a contract with the data subject
Legal obligationNecessary to comply with a legal obligation of the controller
Vital interestsNecessary to protect someone's life
Public interestNecessary for a task carried out in the public interest
Legitimate interestsNecessary for the legitimate interests of the controller or a third party, balanced against the data subject's rights

For AI systems, the most common bases are consent, contract, and legitimate interests. Each has specific requirements and limitations that affect how AI training data is collected and how inference results are used.


Data Subject Rights

GDPR establishes comprehensive rights for individuals:

RightArticleDescription
Information13–14Right to be informed about how data is processed
Access15Right to obtain a copy of personal data being processed
Rectification16Right to correct inaccurate personal data
Erasure17Right to have personal data deleted ("right to be forgotten")
Restriction18Right to limit processing in certain circumstances
Portability20Right to receive data in a structured, machine-readable format
Object21Right to object to processing based on legitimate interests or public interest
Automated decisions22Right not to be subject to solely automated decisions with significant effects

Note: The Articles 13/14/15 information and access rights described above are the rights in force today. The Commission's proposed Digital Omnibus would narrow some of them (see Recent & Pending Developments). Those proposed limitations are not yet law.


AI & Automated Decision-Making

Article 22 — Automated Individual Decision-Making

Article 22 is GDPR's most AI-relevant provision. It provides that individuals have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects or similarly significant effects.

When Article 22 Applies

The prohibition applies when:

  • The decision is based solely on automated processing (no meaningful human involvement)
  • The decision produces legal effects (e.g., contract denial, employment termination) or similarly significant effects (e.g., credit scoring, insurance pricing, targeted advertising)

Exceptions

Automated decisions are permitted when:

  • Necessary for entering into or performing a contract
  • Authorized by EU or member state law
  • Based on the individual's explicit consent

Even when an exception applies, the controller must implement suitable safeguards, including the right to obtain human intervention, express a point of view, and contest the decision.

Data Protection Impact Assessment (Article 35)

A DPIA is mandatory for:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special category data
  • Large-scale systematic monitoring of publicly accessible areas

Most AI deployments that make decisions about individuals trigger the DPIA requirement.


Special Categories (Art. 9)

Article 9 imposes heightened protections on special categories of personal data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (when processed for identification purposes)
  • Health data
  • Data concerning sex life or sexual orientation

Processing Restrictions

Processing special category data is prohibited unless one of the Article 9(2) exemptions applies:

  • Explicit consent
  • Employment and social security obligations
  • Vital interests
  • Legitimate activities of non-profit bodies
  • Data manifestly made public
  • Legal claims
  • Substantial public interest
  • Health purposes
  • Public health
  • Archiving, research, or statistical purposes

AI Implications

AI systems frequently process or infer special category data — for example, facial recognition (biometric data), health prediction models (health data), or sentiment analysis that may reveal political opinions. Organizations must ensure they have a valid Article 9 exemption before using AI to process or derive any of these categories.


Penalties & Enforcement

Two-Tier Penalty Structure

TierMaximum FineViolations
Lower tier€10 million or 2% of global annual turnoverController/processor obligations, certification bodies, monitoring bodies
Upper tier€20 million or 4% of global annual turnoverData processing principles, lawful bases, consent, data subject rights, international transfers

Enforcement Authorities

Each EU member state has an independent Data Protection Authority (DPA) responsible for enforcement. For cross-border processing, a lead supervisory authority — determined by where the controller has its main establishment — coordinates enforcement through the GDPR's "one-stop-shop" mechanism, with cooperation and consistency overseen by the European Data Protection Board (EDPB).

The one-stop-shop has become a decisive factor in AI enforcement. As the OpenAI case below shows, the timing of when an AI provider establishes an EU main establishment — and which authority becomes its lead supervisor — can determine whether a national DPA's action survives appeal. From April 2, 2027, the new GDPR Procedural Regulation (see Recent & Pending Developments) will harmonize how cross-border complaints are handled and impose binding investigation deadlines.

EntityOutcomeYearIssue
Clearview AI€30.5M (Netherlands, 2024); €20M (France, 2022); €20M (Italy, 2022); €20M (Greece, 2022) — roughly €100M cumulative2022–2024Scraping facial images to build a biometric database for facial recognition without a lawful basis
Meta€1.2B (Ireland)2023Unlawful EU–US data transfers via SCCs (affecting data used for AI and ad systems)
OpenAI€15M fine imposed by Italy's Garante (Dec 2024) — annulled by the Court of Rome (judgment Mar 2026) on jurisdictional grounds2024–2026ChatGPT training data, transparency, age verification, and an unreported 2023 data breach

Clearview AI — incomplete picture corrected. Clearview's largest single GDPR penalty is the Dutch DPA's €30.5 million fine of September 3, 2024 (with an additional non-compliance penalty of up to €5.1 million for failing to stop). It joins €20 million fines from France, Italy, and Greece (all 2022), bringing cumulative EU penalties to roughly €100 million. The UK ICO separately issued a ~£7.5 million penalty in 2022; a First-tier Tribunal overturned it on jurisdictional grounds in October 2023, but in October 2025 the UK Upper Tribunal allowed most of the ICO's appeal, held that the ICO did have jurisdiction, and remitted the case for a substantive hearing — so the UK matter is back in active litigation rather than a settled €9M fine.

OpenAI — fine imposed, then annulled. Italy's Garante did not merely "investigate" — it concluded its inquiry and, in a decision adopted in late 2024 (provvedimento n. 755, announced December 20, 2024), fined OpenAI €15 million and ordered a mandatory six-month public information campaign for unlawful processing of training data, transparency failures, inadequate age verification, and an unreported March 2023 data breach. OpenAI appealed. The Court of Rome (Tribunale Ordinario di Roma) annulled the fine — judgment of March 18, 2026, with full reasoning published in May 2026 — finding the Garante lacked jurisdiction to issue a final decision because the Irish Data Protection Commission had become OpenAI's lead supervisory authority on February 15, 2024, triggering the one-stop-shop. The court did not rule on the substance of the alleged violations, which may yet be pursued by the Irish DPC.


Recent & Pending Developments

The core text of Regulation (EU) 2016/679 remains in force and unamended in substance. Two 2025–2026 developments, however, change how GDPR is enforced and signal possible amendments to the law itself.

GDPR Procedural Regulation (EU) 2025/2518 — adopted, now in force

The Council adopted the GDPR Procedural Regulation on November 17, 2025 (the regulation is dated November 26, 2025), and it was published in the Official Journal on December 12, 2025. It entered into force 20 days after publication (early January 2026) and applies from April 2, 2027.

This is a procedural instrument that sits alongside the GDPR rather than amending its substantive rights. It:

  • Harmonizes the admissibility of cross-border complaints — the same information requirements apply wherever in the EU a complaint is filed.
  • Imposes binding investigation deadlines — cross-border investigations should conclude within 15 months, extendable by up to 12 months for the most complex cases; simpler cooperation procedures should finish within 12 months.
  • Strengthens procedural rights — both complainants and parties under investigation gain rights to be heard and to access the administrative file (excluding confidential information).

For AI providers facing complaints across multiple member states, this should make cross-border enforcement faster and more predictable from 2027 onward.

Digital Omnibus — proposed GDPR amendments (not yet law)

On November 19, 2025, the European Commission published the Digital Omnibus package, a set of proposals to simplify EU digital law. Unlike the Procedural Regulation, the Digital Omnibus would amend the GDPR itself. Key proposals include:

  • Limits on the Articles 13/14/15 information and access rights, including measures aimed at curbing abusive or disproportionate access requests.
  • A consolidated breach-notification regime with a single reporting entry point and the deadline to notify the supervisory authority potentially extended from 72 to 96 hours, alongside a higher risk threshold for when notification is required.
  • Relief for SMEs and small mid-cap companies, and common templates for breach notifications and DPIAs.

This is a proposal only. The EDPB and EDPS issued Joint Opinion 2/2026 (adopted February 10, 2026) broadly supporting simplification — including the breach-notification changes — while warning against weakening core data-subject protections. Adoption is not expected before roughly mid-2027, and the text may change significantly. Organizations should treat the current Articles 13/14/15 rights and the 72-hour breach window as the law in force today, while tracking the proposal.


Compliance Steps

  1. Map your data processing activities. Create a Record of Processing Activities (Article 30) covering every AI system that processes personal data — inputs, training data, outputs, and downstream uses.

  2. Identify lawful bases. For each AI processing activity, document which Article 6 lawful basis applies. For special category data, identify the applicable Article 9 exemption.

  3. Conduct DPIAs for AI systems. Perform Data Protection Impact Assessments for any AI system that profiles individuals, processes special category data at scale, or makes automated decisions with significant effects.

  4. Implement transparency. Provide clear privacy notices explaining how AI systems process personal data, including the logic involved in automated decision-making and its significance.

  5. Build data subject rights workflows. Implement processes for access requests, erasure requests, and objections that account for data held within AI training sets and model outputs.

  6. Review Article 22 compliance. For any AI system making automated decisions with significant effects, ensure meaningful human oversight is in place or that a valid exception and suitable safeguards exist.

  7. Establish data processing agreements. Ensure contracts with AI vendors (processors) include Article 28-compliant terms covering data protection obligations, sub-processing, security measures, and audit rights.

  8. Appoint a DPO if required. Organizations whose core activities involve large-scale processing of special category data or systematic monitoring must appoint a Data Protection Officer.

  9. Confirm your EU main establishment and lead authority. Determine which DPA is your lead supervisory authority under the one-stop-shop, and track the new cross-border procedural timelines that apply from April 2, 2027.


Frequently Asked Questions

Does GDPR apply to AI systems? Yes. Any AI system processing personal data must comply with GDPR, covering training data, inference inputs, and AI-generated outputs about identified or identifiable individuals.

What is Article 22's impact on AI? Article 22 gives individuals the right not to be subject to solely automated decisions with legal or significant effects — directly applicable to AI-driven hiring, credit scoring, insurance pricing, and benefits determinations.

What are special categories under Article 9? Biometric data, health data, racial or ethnic origin, political opinions, religious beliefs, genetic data, trade union membership, and data concerning sex life or sexual orientation.

Does GDPR apply outside the EU? Yes. GDPR applies to any organization processing EU residents' personal data when offering goods/services to them or monitoring their behavior.

When is a DPIA required for AI? When AI processing is likely to result in high risk — including systematic profiling, large-scale special category processing, or large-scale public monitoring.

How does GDPR interact with the EU AI Act? They are complementary. The EU AI Act regulates AI systems by risk level; GDPR regulates the personal data those systems process. Organizations deploying AI in the EU must comply with both simultaneously.

Is the GDPR changing in 2026–2027? The substantive Regulation is unchanged, but two developments matter. The GDPR Procedural Regulation (EU) 2025/2518 — in force since early 2026, applying from April 2, 2027 — harmonizes cross-border complaint handling and sets binding investigation deadlines. Separately, the Commission's Digital Omnibus (proposed November 19, 2025) would amend the GDPR's information/access rights and breach-notification rules, but it is not yet law and is unlikely to be adopted before mid-2027.


Official Sources

§ Penalties
Lower tier
€10M / 2%
controller/processor obligations
Upper tier
€20M / 4%
principles, rights, transfers
§ Source documents
§ Also in The Ledger
Stay ahead of AI compliance changes

Get weekly regulation updates, enforcement news, and compliance deadlines — free.