GDPR

The GDPR is the EU data protection law that governs personal data processing. This page is a compact reference: when it applies, what tends to fail in audits, and which themes frequently show up in enforcement.

When does GDPR apply?

  • You process personal data of individuals in an EU context.
  • You act as a controller or processor.
  • It can also apply to organisations established outside the EU when they offer goods or services to EU data subjects or monitor their behaviour.

Core principles (common audit failure points)

  • Purpose limitation and data minimisation.
  • Transparency (clear, accessible information).
  • Security (appropriate technical and organisational measures).
  • Accountability: being able to demonstrate compliance.

Data subject rights (operational view)

  • Access, rectification, erasure, restriction.
  • Objection (incl. direct marketing) and portability.
  • Limits on solely automated decision-making (context-dependent).

Obligations that typically require evidence

  • A lawful basis per purpose (incl. consent where relevant).
  • Processor agreements and sub-processor governance.
  • DPIAs for high-risk processing.
  • Personal data breach handling: detection, assessment, notifications and records.
  • Retention controls and deletion mechanisms.

Enforcement and fines (high-level)

GDPR contains a tiered fine regime (notably Art. 83). In practice, the statutory maximum is only part of the story: factors such as the gravity and duration of the infringement, culpability, cooperation with the supervisory authority and any previous infringements all affect the amount.

Sources

For related primary sources (NL cookies, enforcement, datasets): see Sources.