General Data Protection Regulation Obligations Overview
The General Data Protection Regulation establishes comprehensive requirements across 99 articles. Below are the key obligations extracted directly from the legislative text.
Key Obligations
- Organizations must follow GDPR rules when processing personal data of natural persons
- Respect fundamental rights and freedoms regarding personal data protection
- Ensure free movement of personal data within the EU is not restricted
- Must comply with GDPR when processing personal data through automated means
- Must comply with GDPR when manually processing personal data that is part of a filing system
- Cannot claim exemption unless activity falls under specific exclusions (personal use, law enforcement, outside EU scope)
- Organizations established in the EU must comply with GDPR for all personal data processing activities
- Non-EU organizations must comply when offering goods/services to EU residents
- Non-EU organizations must comply when monitoring behavior of individuals within the EU
- Organizations must determine if they fall under GDPR's territorial scope and comply accordingly
- Understand and correctly identify when information qualifies as 'personal data' under GDPR
- Recognize when any activity with personal data constitutes 'processing' requiring compliance
Essential Requirements
Subject-matter and objectives
GDPR sets EU-wide rules for protecting personal data while ensuring data can flow freely between EU countries. It establishes that protecting people's personal data is a fundamental right that must be balanced with legitimate business needs.
Key Requirements:
- Organizations must follow GDPR rules when processing personal data of natural persons
- Respect fundamental rights and freedoms regarding personal data protection
- Ensure free movement of personal data within the EU is not restricted
Applies to:
All organizations processing personal data of natural persons within the EU
Material scope
GDPR applies to any automated processing of personal data and to manual processing if the data is stored in a structured filing system. However, it doesn't apply to personal/household activities, law enforcement activities, or matters outside EU law.
Key Requirements:
- Must comply with GDPR when processing personal data through automated means
- Must comply with GDPR when manually processing personal data that is part of a filing system
- Cannot claim exemption unless activity falls under specific exclusions (personal use, law enforcement, outside EU scope)
Applies to:
All organizations and individuals processing personal data in the EU, except for purely personal/household use, law enforcement authorities, and activities outside EU jurisdiction
Territorial scope
GDPR applies to any organization processing personal data if they're established in the EU (regardless of where processing happens), or if they're outside the EU but offer goods/services to EU residents or monitor their behavior within the EU. It also covers organizations in territories where EU member state law applies through international law.
Key Requirements:
- Organizations established in the EU must comply with GDPR for all personal data processing activities
- Non-EU organizations must comply when offering goods/services to EU residents
- Non-EU organizations must comply when monitoring behavior of individuals within the EU
- Organizations must determine if they fall under GDPR's territorial scope and comply accordingly
Applies to:
Controllers and processors established in the EU, non-EU organizations targeting EU residents with goods/services, non-EU organizations monitoring EU residents' behavior, organizations in territories where EU law applies via international law
Definitions
Article 4 defines all the key terms used throughout GDPR, like what personal data is (any info that can identify a person), what processing means (anything you do with that data), and who the main players are (controllers who decide what to do with data, processors who handle it on their behalf). These definitions are essential because they determine when GDPR applies to your business and what rules you must follow.
Key Requirements:
- Understand and correctly identify when information qualifies as 'personal data' under GDPR
- Recognize when any activity with personal data constitutes 'processing' requiring compliance
- Correctly determine your role as either a 'controller' or 'processor' to understand your specific obligations
- Ensure 'consent' meets the strict requirements of being freely given, specific, informed and unambiguous
- Implement proper 'pseudonymisation' techniques when used as a data protection measure
- Establish appropriate technical and organizational measures for any 'filing systems' containing personal data
- Properly identify and document your 'main establishment' if operating across multiple EU Member States
- Understand when processing qualifies as 'profiling' which triggers additional requirements
Applies to:
Any organization (controller or processor) that handles information relating to identified or identifiable individuals (personal data), including businesses, public authorities, agencies, and any other entities processing personal data in the EU
Conditions for consent
Organizations must be able to prove users gave clear permission to process their data, and users must be able to withdraw that permission just as easily as they gave it. Consent cannot be hidden in terms and conditions, and you can't force users to agree to unnecessary data processing to access your service.
Key Requirements:
- Maintain documented proof that consent was obtained from data subjects
- Present consent requests clearly and separately from other terms/matters
- Use clear, plain language that is intelligible and easily accessible
- Enable withdrawal of consent at any time through an equally simple process
- Inform users about their right to withdraw consent before they give it
- Ensure consent is freely given without making services conditional on unnecessary data processing
Applies to:
Data controllers (any organization that determines the purposes and means of processing personal data)
Conditions applicable to child's consent in relation to information society services
If you offer online services directly to children under 16, you need parental consent to process their personal data (countries can lower this to 13). You must make reasonable efforts to verify that parents actually gave this consent.
Key Requirements:
- Obtain parental consent for processing data of children under 16 (or lower age if set by Member State, minimum 13)
- Make reasonable efforts to verify parental consent using available technology
- Ensure processing is lawful only with valid parental authorization for children below the age threshold
- Comply with any Member State specific age requirements between 13-16 years
Applies to:
Controllers offering information society services (online services, apps, websites) directly to children
Operator Obligations
Notification obligation regarding rectification or erasure of personal data or restriction of processing
When you correct, delete, or limit someone's personal data, you must notify everyone you previously shared that data with, unless it's impossible or requires excessive effort. If the person whose data it is asks, you must tell them who you notified.
- Notify all recipients when personal data is rectified (corrected)
- Notify all recipients when personal data is erased (deleted)
- Notify all recipients when processing is restricted
Obligations of secrecy
Member States can create special rules that limit supervisory authorities' access to information from organizations bound by professional secrecy (like lawyers or doctors). These rules only apply to personal data received through activities covered by that professional secrecy obligation.
- Member States must ensure any secrecy rules are necessary and proportionate
- Rules must specifically reconcile data protection rights with professional secrecy obligations
- Member States must notify the European Commission of any rules adopted under this article
Processes & Procedures
Principles relating to processing of personal data
GDPR Article 5 establishes six fundamental principles for handling personal data: process it legally and transparently, use it only for stated purposes, minimize data collection, keep it accurate, delete it when no longer needed, and protect it properly. Data controllers must prove they follow all these principles.
Lawfulness of processing
Personal data can only be processed if you have a valid legal reason, such as getting consent from the person, fulfilling a contract with them, complying with laws, protecting someone's life, performing public tasks, or having legitimate business interests that don't harm the individual's rights. Organizations must pick at least one of these six legal bases before processing any personal data.
Processing of special categories of personal data
Article 9 generally prohibits processing sensitive personal data (like health, race, political opinions, or biometric data) unless you have a specific legal basis. The most common exceptions are explicit consent from the person, legal obligations, vital interests, healthcare purposes, or substantial public interest.
Processing of personal data relating to criminal convictions and offences
You can only process data about criminal convictions and offences if you have official government authority to do so, or if specific laws explicitly allow it with proper safeguards. Regular businesses cannot maintain criminal records databases; only official authorities can.
Conformity & Enforcement
Data protection impact assessment
Organizations must conduct a formal assessment before starting any data processing activities that could pose high risks to people's privacy rights, especially when using new technologies or automated decision-making. This assessment must document the risks and protective measures, and the data protection officer must be consulted if one is appointed.
Next Steps
These requirements are extracted from the official legislative text. For detailed implementation guidance: