GDPR (General Data Protection Regulation)
GDPR (General Data Protection Regulation) is a comprehensive European Union regulation concerning the protection of personal data and privacy of EU citizens. It came into effect on May 25, 2018, and applies in all EU member states and to organizations processing EU citizens' data, regardless of their location.
What is GDPR?
GDPR Objectives
The main objectives of GDPR are:
- Strengthening and unifying personal data protection in the EU
- Increasing citizens’ control over their personal data
- Simplifying business regulations regarding data protection
- Harmonizing data protection regulations across the EU
Key GDPR Principles
- Lawfulness, fairness, and transparency of data processing
- Purpose limitation of data processing
- Data minimization
- Data accuracy
- Storage limitation
- Data integrity and confidentiality
- Accountability (data controller responsibility)
Scope of GDPR Application
GDPR applies to:
- Organizations based in the EU that process personal data
- Organizations outside the EU that process personal data of EU citizens
- All types of personal data, both in digital and paper form
Data Subject Rights
GDPR grants data subjects the following rights:
- Right of Access: Right to obtain confirmation of data processing and access to data
- Right to Rectification: Right to correct inaccurate data
- Right to Erasure: “Right to be forgotten”
- Right to Restriction: Right to limit data processing
- Right to Data Portability: Right to receive data in a portable format
- Right to Object: Right to object to data processing
- Right Against Automated Decision-Making: Right not to be subject to automated decisions
Data Controller Obligations
Data controllers are required to:
- Implement appropriate technical and organizational measures
- Maintain records of processing activities
- Conduct Data Protection Impact Assessments (DPIA)
- Designate a Data Protection Officer (DPO) in certain cases
- Report personal data breaches
Penalties for Non-Compliance with GDPR
Non-compliance with GDPR can result in:
- Financial penalties up to 20 million euros or 4% of annual global turnover
- Data processing bans
- Loss of reputation and customer trust
Benefits of GDPR Implementation
- Increased customer and business partner trust
- Improved data security within the organization
- Better organization and management of personal data
- Increased competitiveness in the European market
Challenges Related to GDPR Implementation
- Complexity of regulations and their interpretation
- Costs associated with adapting systems and processes
- Need for continuous monitoring and procedure updates
- Managing consent for data processing
- Ensuring data security in the digital era
Related Terms
- NIS2 - EU cybersecurity directive
- ISO 27001 - information security standard
- Encryption - personal data protection
- Security Incident - data breach
GDPR represents a significant step toward strengthening personal data protection in the digital era, presenting organizations with new challenges while also offering opportunities to improve data management and build customer trust.
Frequently asked questions
What is GDPR in simple terms?
GDPR (General Data Protection Regulation, EU 2016/679) is the European Union's comprehensive privacy law that took full effect on 25 May 2018. It governs how organisations collect, use, store and share personal data of EU residents — regardless of where the organisation is located. A US company processing data of EU customers must comply with GDPR. The regulation rests on a simple principle: personal data belongs to the individual, and organisations must have a clear legal basis to process it. GDPR is the global gold standard for privacy law and has inspired similar regulations in Brazil (LGPD), India (DPDP), South Korea (PIPA), and California (CCPA/CPRA).
What are the GDPR penalties?
Two penalty tiers (Article 83): (1) Up to €10 million or 2% of annual global turnover (whichever is higher) for administrative violations such as failure to maintain processing records or improper DPO appointment, (2) Up to €20 million or 4% of annual global turnover for fundamental violations of principles, lawful basis, data subject rights, or international transfer rules. Largest GDPR fines 2018-2025: Meta €1.2B (2023, US transfers), Amazon €746M (2021), Instagram €405M (2022), TikTok €345M (2023), Google €390M (cumulative). Fines are not the only consequence — supervisory authorities can also order processing to stop, block international transfers, and require corrective measures. Affected individuals can also sue for damages (statutes of limitation 3-6 years depending on country).
What are the 7 GDPR principles?
Article 5 establishes seven principles for processing personal data: (1) Lawfulness, fairness and transparency — clear legal basis (consent, contract, legal obligation, vital interests, public task, legitimate interests) and clear communication with the data subject, (2) Purpose limitation — collected for specified, explicit purposes; not processed further for incompatible purposes, (3) Data minimisation — only data necessary for the purpose, (4) Accuracy — data kept up to date, (5) Storage limitation — kept only as long as necessary, (6) Integrity and confidentiality — appropriate technical (encryption, pseudonymisation, access control) and organisational measures, (7) Accountability — the controller must be able to *demonstrate* compliance through documentation, records of processing, policies, and DPIAs.
What rights does GDPR give to individuals?
Eight rights (Chapter III): (1) Right of access (Art. 15) — request a copy of personal data and processing details, (2) Right to rectification (Art. 16) — correct inaccurate data, (3) Right to erasure / 'right to be forgotten' (Art. 17), (4) Right to restriction of processing (Art. 18), (5) Right to data portability (Art. 20) — receive data in a structured, machine-readable format and transfer to another controller, (6) Right to object (Art. 21) — particularly for direct marketing, (7) Right not to be subject to automated decision-making and profiling (Art. 22), (8) Right to lodge a complaint with a supervisory authority. The controller must respond within one month (extendable to three for complex requests, Art. 12).
When is a Data Protection Officer (DPO) required?
A DPO is mandatory when (Article 37): (1) the controller is a public authority or body, (2) core activities consist of regular and systematic monitoring of data subjects on a large scale (banks, telecoms, online media), (3) core activities involve large-scale processing of special categories of data (health, biometric, judicial). DPO duties: advising on GDPR compliance, monitoring adherence, contact point for the supervisory authority and data subjects, supporting DPIAs. The DPO must be independent and free from conflict of interest — a CIO might serve as DPO under specific conditions, but a marketing director cannot. Senior DPO compensation in EU: €70,000-€180,000/year depending on country and entity size.
What is the GDPR breach notification process?
Articles 33-34 procedure: (1) Detect and triage — is this an actual breach involving personal data? (2) Risk classification — what is the likely impact on individuals (identity theft, financial loss, discrimination)? (3) Notify the supervisory authority within **72 hours** of awareness, if the breach is likely to result in risk to individuals; if delayed, include reasons for the delay, (4) Notify affected individuals **without undue delay** if the breach is likely to result in *high risk* (stolen credentials, exposed medical data, leaked documents); exceptions apply if the data was encrypted or the controller has already mitigated the risk, (5) Internal documentation — every breach must be logged in an internal register regardless of whether external notification is required, (6) Remediation and lessons learned. Failure to notify in time is itself a separate violation.
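The steps above map onto a small incident-response triage helper: classify the likely impact, compute the 72-hour authority deadline from the moment of awareness, decide whether individuals must be told (and record the Article 34(3) exemption when not), and write every incident to the internal register regardless of the outcome. The Python below is an added illustration, not code from the page's author. The high-risk data categories, the 10,000-record "large scale" threshold, the field names and the sample incidents are constructed assumptions; a real controller applies its own documented risk methodology.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set


class Risk(Enum):
    NONE = "no risk to individuals"
    RISK = "risk to individuals"
    HIGH = "high risk to individuals"


# Assumed: categories whose exposure is treated as likely high risk (constructed for this example).
HIGH_RISK_CATEGORIES: Set[str] = {
    "credentials", "health", "biometric", "financial", "judicial", "identity_documents",
}
LARGE_SCALE = 10_000                     # assumed record-count threshold for "large scale"
AUTHORITY_WINDOW = timedelta(hours=72)   # Art. 33(1): notify the authority within 72 h of awareness


@dataclass
class Breach:
    ref: str
    aware_at: datetime        # when the controller became aware (tz-aware UTC)
    categories: Set[str]      # kinds of personal data affected
    records: int              # number of data subjects affected
    encrypted: bool = False   # data unintelligible to whoever obtained it (Art. 34(3)(a))
    mitigated: bool = False   # later measures removed the high risk (Art. 34(3)(b))


@dataclass
class Decision:
    risk: Risk
    notify_authority: bool
    authority_deadline: Optional[datetime]
    authority_overdue: bool          # past 72 h: the notice must state the reasons for delay
    notify_individuals: bool
    individual_exemption: Optional[str]


def classify(b: Breach) -> Risk:
    """Step 2: likely impact on individuals (identity theft, financial loss, discrimination)."""
    if b.records <= 0:
        return Risk.NONE
    if b.categories & HIGH_RISK_CATEGORIES or b.records >= LARGE_SCALE:
        return Risk.HIGH
    return Risk.RISK


def triage(b: Breach, now: Optional[datetime] = None) -> Decision:
    """Steps 3-4: who must be notified and by when."""
    risk = classify(b)
    notify_sa = risk is not Risk.NONE            # Art. 33: unless unlikely to result in a risk
    deadline = b.aware_at + AUTHORITY_WINDOW if notify_sa else None
    overdue = bool(notify_sa and now is not None and now > deadline)

    notify_people, exemption = False, None
    if risk is Risk.HIGH:                        # Art. 34: individuals only on high risk
        if b.encrypted:
            exemption = "data rendered unintelligible, Art. 34(3)(a)"
        elif b.mitigated:
            exemption = "subsequent measures removed the high risk, Art. 34(3)(b)"
        else:
            notify_people = True
    return Decision(risk, notify_sa, deadline, overdue, notify_people, exemption)


class BreachRegister:
    """Step 5: internal register. Every breach is recorded, even when nobody outside is notified."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, b: Breach, d: Decision) -> dict:
        entry = {
            "ref": b.ref,
            "aware_at": b.aware_at.isoformat(),
            "risk": d.risk.value,
            "authority": d.authority_deadline.isoformat() if d.notify_authority else "not required",
            "late": d.authority_overdue,
            "individuals": "notify" if d.notify_individuals else (d.individual_exemption or "not required"),
        }
        self.entries.append(entry)
        return entry


def run_demo() -> BreachRegister:
    """Constructed sample incidents (not real events) pushed through the procedure 80 h after awareness."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    reg = BreachRegister()
    incidents = [
        Breach("BR-001", t0, {"credentials", "email"}, 500),        # stolen logins
        Breach("BR-002", t0, {"health"}, 2_000, encrypted=True),    # lost laptop, full-disk encryption
        Breach("BR-003", t0, {"email"}, 200),                       # newsletter list exposed
        Breach("BR-004", t0, set(), 0),                             # false alarm, still logged
    ]
    for b in incidents:
        reg.record(b, triage(b, now=t0 + timedelta(hours=80)))
    return reg


if __name__ == "__main__":
    for e in run_demo().entries:
        print(e)
```

The register entry carries the deadline and a "late" flag so that a notification filed after the window is visibly accompanied by its reasons for delay, and the false-alarm case shows that the register still receives an entry when no external notification is due.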
GDPR vs CCPA vs HIPAA — what's the difference?
Three of the world's largest privacy regimes with different scopes: (1) **GDPR** (EU) — broadest scope, applies to all organisations processing EU residents' data, fines up to €20M / 4% turnover, strongest individual rights (right to be forgotten, data portability), (2) **HIPAA** (US) — sectoral, US healthcare only, protects PHI (protected health information), fines up to $1.5M/year per violation category, narrower individual rights, (3) **CCPA/CPRA** (California) — applies to all businesses meeting thresholds ($25M revenue, 100K consumers, or 50%+ revenue from data sales), protects California residents' data, fines $2.5-7.5K per violation + civil penalties ($100-750 per consumer per incident). For global organisations: GDPR usually establishes the baseline; meeting GDPR typically satisfies most other regimes. Brazil's LGPD and India's DPDP are explicitly modelled on GDPR.
What are Schrems II and Standard Contractual Clauses (SCCs)?
Schrems II is the 2020 CJEU ruling that invalidated the EU-US Privacy Shield framework for transferring personal data to the United States. Background: Max Schrems argued that US surveillance programs (FISA 702, EO 12333) gave US authorities too-easy access to EU personal data. Result: organisations transferring EU data to the US (and many other non-EU countries) must use Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment (TIA), and may need supplementary measures (encryption, pseudonymisation, contractual safeguards). The EU-US Data Privacy Framework adopted in July 2023 partially replaces Privacy Shield but remains under legal challenge. Practical impact: every cloud provider, SaaS vendor, and analytics tool used to process EU data needs documented transfer safeguards.