GDPR Requirements: Complete Guide to EU Data Protection Regulation

All personal data processing must follow seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles are the foundation of everything else in GDPR.

You must have a valid legal basis for every instance of data processing. The six lawful bases are: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. You must document which basis applies to each processing activity.

When consent is your legal basis, it must be freely given, specific, informed, and unambiguous. You must be able to demonstrate that consent was given. People must be able to withdraw consent as easily as they gave it.

Special categories of data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.) require extra protection. Processing is generally prohibited unless a specific exception applies, such as explicit consent or employment law requirements.

All information provided to data subjects must be in clear, plain language. When someone exercises their rights, you must respond within one month. Communications must be concise, transparent, and easily accessible.

When collecting personal data, you must tell people: who you are, why you are collecting data, the legal basis, who will receive the data, retention periods, their rights, and whether data will be transferred internationally. This applies whether data is collected directly (Art. 13) or indirectly (Art. 14).

People have the right to obtain confirmation of whether you process their data and, if so, access to that data plus information about how it is processed. You must provide a copy of the data free of charge within one month.

People can request deletion of their personal data when it is no longer necessary, they withdraw consent, they object to processing, or the data was unlawfully processed. You must also inform other recipients of the erasure request.

People have the right to receive their personal data in a structured, commonly used, machine-readable format. They can also request that you transfer their data directly to another organization where technically feasible.

You must build data protection into your systems and processes from the start, not bolt it on later. By default, only personal data necessary for each specific purpose should be processed. This applies to the amount of data, extent of processing, storage period, and accessibility.

When you use a third-party processor, you must have a written contract (Data Processing Agreement) that specifies the subject matter, duration, nature of processing, and obligations. The processor must only act on your documented instructions.

You must maintain detailed records of all data processing activities. These records must include purposes, data categories, recipients, transfers, retention periods, and security measures. This record must be available to supervisory authorities on request.

You must implement appropriate technical and organizational security measures. This includes encryption, pseudonymization, ability to ensure ongoing confidentiality, ability to restore data after incidents, and regular testing of security measures. The measures must be proportionate to the risk.

You must notify your supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. If the breach poses a high risk, you must also notify the affected individuals directly without undue delay.

Before processing that is likely to result in high risk to individuals, you must conduct a Data Protection Impact Assessment. This is required for systematic monitoring, large-scale processing of special categories, or automated decision-making. The DPIA must describe the processing, assess necessity and proportionality, and identify risk mitigation measures.

You must appoint a Data Protection Officer if you are a public authority, your core activities involve regular systematic monitoring of individuals at large scale, or your core activities involve large-scale processing of special categories. The DPO must be independent and report to the highest management level.

Personal data can only be transferred outside the EEA if the destination country has adequate protection (adequacy decision), you use appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules), or a specific derogation applies. The Schrems II ruling requires additional assessment of destination country surveillance laws.