SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS AttacksStop Malicious Bot AbuseAccelerate Internet ApplicationsEnsure Application AvailabilityOptimize Web ExperiencesStream Videos On-Demand
Secure Employee Applications and Devices
Deliver Zero Trust Access to ApplicationsImplement Secure Access Service Edge (SASE)Protect Users Accessing the InternetProtect Corporate NetworksManage Secure Contractor AccessReplace Virtual Private Networks (VPNs)Secure Your Remote WorkforceStop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Mitigate L3 DDoS AttacksConnect network infrastructure with CloudflareTransform Corporate Networks
Code on the Network Edge
Build a Serverless ApplicationDeploy a Static WebsiteConfigure a CDNDefine Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS PlatformsEnable SSL for SaaS ApplicationsReduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerceFinancial ServicesGamingHealthcare and Life SciencesMedia and EntertainmentPublic SectorSaaS
PUBLIC INTEREST
Election CampaignsAthenian ProjectProject GalileoProject Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
DDoS ProtectionWAFBot ManagementMagic TransitMagic WANRate LimitingSSL / TLSSSL/TLS for SaaS ProvidersCloudflare SpectrumNetwork InterconnectCDNDNSArgo Smart RoutingLoad BalancingStream DeliveryChina NetworkWaiting Room
FOR TEAMS
Cloudflare for TeamsAccessGatewayBrowser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare WorkersCloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare PagesCloudflare Stream
SaaS Developers
Cloudflare for SaaS
FOR EVERYONE
1.1.1.11.1.1.1 with WARP (App)1.1.1.1 for Families
INSIGHTS
AnalyticsCloudflare LogsWeb AnalyticsCloudflare Radar
PRIVACY
Data LocalizationCompliance
FOR INFRASTRUCTURE
Advanced Security
Bot ManagementFirewall rulesMagic TransitSpectrum (TCP/UDP)SSLWAFCDNDNSImage ResizingLoad BalancingStream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick StartCloudflare PagesSample Workers ProjectsWorkers TutorialsCommand-line (Wrangler)Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare APIAPI Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource HubWhitepapersWebinarsSolutions & Product GuidesCase StudiesAnalysts
EXPLORE
What's New?Network MapCloudflare in ChinaGDPR
GET STARTED
Register Your WebsiteWelcome CenterGet Help
LEARN
Learning CenterSecurityDDoSBot ManagementSSLIdentity and Access ManagementPerformanceCDNDNSCloudServerlessNetwork Layer
CONNECT
BlogCommunity
COMPLIANCE
GDPRTransparency ReportCompliance
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner NetworkPartner Portal
TECHNOLOGY PARTNERS
OverviewAnalytics PartnersBandwidth AllianceEndpoint Security PartnershipsInterconnect PartnershipsNetwork On-ramp PartnershipsPeering Portal
PRICING BY PLAN
FreeProBusinessEnterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan?Add OnsCompare All Plans

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law passed by the European Union (EU).

Learning Objectives

After reading this article you will be able to:

  • Explain the main requirements of the General Data Protection Regulation (GDPR)
  • Describe the rights that individuals have under the GDPR
  • Understand the GDPR's importance for data privacy

Related Content

Data privacy

Right to be forgotten

CCPA

ePrivacy Directive

Fair Information Practices

Copy article link

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is a comprehensive data privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data. It requires that all personal data be processed in a secure fashion, and it includes fines and penalties for businesses that do not comply with these requirements. It also provides individuals with a number of rights regarding their personal data.

As technology advances and data collection grows more prevalent, data privacy has been put in the spotlight. At the time of its passage, the GDPR was the most comprehensive data privacy regulation. It harmonized separate data protection regulations from across the European Union (EU). It also extended the reach of those regulations to apply to non-EU organizations if they process personal data collected in the EU.

The GDPR applies to any company or organization regardless of geographical location if the company or organization offers goods and services to people in the EU or monitors their behavior within the EU.

How does the GDPR define 'personal data'?

The GDPR broadened the scope of what was considered personal data to include any information related to a natural identifiable person. This includes details that are obviously personal, such as someone's name and address, but also any other information that could be used to identify someone, including their IP address and certain cookie identifiers associated with a web browsing session.

What are the GDPR requirements for data controllers and data processors?

The GDPR defines data controllers as entities that make decisions about the means and purposes for which personal data is collected and processed, and it defines data processors as entities that process personal data, typically on behalf of a data controller.

The GDPR also lays out seven key principles for how data controllers and processors should handle personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

In addition to describing these principles in detail, the GDPR requires several specific actions that data controllers and processors need to take. Some of these include:

  • Record keeping: Data processors must keep records of their processing activities.
  • Security measures: Data controllers and processors must regularly use and test appropriate security measures to protect the data they collect and process.
  • Data breach notification: Data controllers that suffer a personal data breach have to notify appropriate authorities within 72 hours, with some exceptions. Usually, they also have to notify the individuals whose personal data was affected by the breach.
  • Data Protection Officer (DPO): Companies that process data may need to hire a Data Protection Officer (DPO). The DPO leads and oversees all GDPR compliance efforts.

The full requirements for data controllers and processors are described in the GDPR.

What rights do data subjects have under the GDPR?

The GDPR defines a data subject as "an identified or identifiable natural person." Data subjects have the following rights:

  • Right to be informed: Data subjects must be given easy-to-understand information about how their personal data is collected and processed
  • Right to data portability: Data subjects can transfer their data from one data controller to another
  • Right of access: Data subjects have the right to obtain a copy of collected personal data
  • Right to rectification: Data subjects can correct inaccurate data about themselves
  • Right to erasure: Data subjects can request that their data be deleted (also called the right to be forgotten)
  • Right to restrict processing: Under certain circumstances, data subjects can limit the way their personal data is being processed
  • Right to object: Data subjects have the right to object to the processing of their personal data, and under certain circumstances the data controller or data processor will be obligated to comply with the data subject's objection
  • Right to object to automated processing: Data subjects can object to a decision that legally affects them that is based solely on automated data processing

What are the penalties for violating the GDPR?

The GDPR describes the fines that are to be imposed on businesses that violate its policies.

There are two tiers of fines under the GDPR, with each tier corresponding to a different category of violation:

  • First tier: A violation results in a maximum fine of either €10 million or 2% of the business's worldwide annual revenue, whichever is higher.
  • Second tier: A violation results in a maximum fine of either €20 million or 4% of the business's worldwide annual revenue, whichever is higher.

In addition to these fines, data subjects can seek compensation for damages when a business violates the GDPR.

Cloudflare and data privacy

The Cloudflare mission is to help build a better Internet, and data privacy is core to that mission. Cloudflare builds its products with a "privacy by design" mindset and has released a number of services to increase user privacy (including the Cloudflare Data Localization Suite). Learn about Cloudflare and the GDPR.

Sales

About privacy

Other privacy topics

Privacy and compliance

Glossary

Learning Center Navigation

© 2021 Cloudflare, Inc.Privacy PolicyTerms of UseDisclosureCookie PreferencesTrademark