What Is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data-protection law. It grants EU/EEA residents eight distinct rights over their personal data, applies extraterritorially to any business processing that data, and imposes fines up to €20 million or 4% of global annual revenue for violations.
At a glance
- Full name: Regulation (EU) 2016/679
- Effective date: May 25, 2018
- Jurisdiction: 27 EU + 3 EEA member states
- Response deadline: 30 days (extendable by 60 days for complex requests)
- Enforcement: National DPAs + European Data Protection Board
- Max penalty: €20M or 4% of global turnover (whichever is higher)
Core principles (Article 5)
- Lawfulness, fairness, transparency: Processing must have a legal basis (consent, contract, legal obligation, vital interests, public interest, or legitimate interest) and be communicated clearly.
- Purpose limitation: Data collected for one specified purpose cannot be further processed for incompatible purposes.
- Data minimization: Only data necessary for the specified purpose may be collected. No speculative or "just in case" data.
- Accuracy: Personal data must be accurate and kept up to date. Inaccurate data must be erased or rectified without delay.
- Storage limitation: Data must not be kept longer than necessary for the purpose. Retention periods must be justified.
- Integrity and confidentiality: Controllers must implement technical and organizational measures to protect data from unauthorized access, loss, or damage.
- Accountability: Controllers must be able to demonstrate compliance with all of the above principles — documented policies, DPIAs, audit trails.
The 8 individual rights
1. Right to be informed (Arts. 13-14): Clear, concise notice of what data is processed, why, and how.
2. Right of access (Art. 15): Obtain a copy of the personal data held about you.
3. Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
4. Right to erasure (Art. 17): The "right to be forgotten" — demand deletion under specified conditions.
5. Right to restrict processing (Art. 18): Limit how data is used pending resolution of a dispute.
6. Right to data portability (Art. 20): Receive your data in a structured, machine-readable format so it can be transferred to another controller.
7. Right to object (Art. 21): Object to processing, including for direct marketing (an objection to direct marketing must always be honored).
8. Rights regarding automated decisions (Art. 22): Not to be subject to decisions based solely on automated processing that have legal or similarly significant effects, subject to exceptions.
Exercise your rights
GDPR-compliant erasure emails, $2 one-time
OfflistMe drafts GDPR Article 17 erasure requests for every major data broker. Proper legal citation, sent from your own inbox. No account, no ID upload.
FAQ
What does GDPR stand for?
GDPR stands for the General Data Protection Regulation, formally Regulation (EU) 2016/679. It is the European Union's comprehensive data protection law, effective May 25, 2018. It replaced the 1995 Data Protection Directive and applies uniformly across all 27 EU member states plus the 3 EEA states (Iceland, Liechtenstein, Norway).
Who does GDPR apply to?
GDPR applies to any organization that processes the personal data of individuals in the EU or EEA, regardless of where the organization is located. This extraterritorial reach means US companies serving European users fall under GDPR if they target those users or monitor their behavior. The law also applies to processing of personal data by public authorities in the EU.
What is the "right to be forgotten"?
The right to be forgotten is the informal name for the right to erasure under GDPR Article 17. It lets individuals demand that a controller erase personal data about them when: the data is no longer necessary for the original purpose, consent is withdrawn, the data has been unlawfully processed, or the individual objects and there is no overriding legitimate interest. Exceptions apply for freedom of expression, legal obligations, and public interest.
What are the 8 GDPR rights?
GDPR grants: (1) right to be informed, (2) right of access, (3) right to rectification, (4) right to erasure, (5) right to restrict processing, (6) right to data portability, (7) right to object, and (8) rights related to automated decision-making and profiling (Article 22). Controllers must respond to requests within 30 days (extendable by two additional months for complex requests).
What are GDPR penalties?
Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). Lower-tier violations face up to €10 million or 2%. Major enforcement examples: Meta (€1.2B, 2023), Amazon (€746M, 2021), WhatsApp (€225M, 2021), Google (€50M, 2019).
How do I make a GDPR request?
Contact the data controller directly — typically via a privacy email address, data protection officer, or web form listed in their privacy policy. Specify which right you are exercising (access, erasure, etc.), provide sufficient identification, and expect a response within 30 days. Controllers cannot charge for most requests. If denied, escalate to your national Data Protection Authority (ICO in the UK, CNIL in France, AEPD in Spain, etc.).
Does GDPR apply to me if I am not in Europe?
Not directly, but indirectly — yes. Most global data brokers operate GDPR-compliant infrastructure and honor erasure requests from any user because maintaining separate workflows per region is costly. US residents can sometimes leverage this by citing "compliance with applicable data protection laws" in their requests.
What is the difference between GDPR and CCPA?
GDPR is opt-in by default (consent required before processing); CCPA is opt-out (processing permitted until the consumer opts out). GDPR applies to all personal data; CCPA applies only to businesses above certain thresholds. GDPR penalties are far higher (4% of global revenue vs $7,500 per violation). GDPR covers all of Europe uniformly; CCPA covers only California. GDPR has a dedicated supervisory authority in each member state; CCPA is enforced by the California Privacy Protection Agency (CPPA) plus the state Attorney General.