Jurisdiction
European Union + EEA
Authority
National Data Protection Authorities (DPAs)
Max Penalty
€20M or 4% of global annual turnover
Compliance Difficulty
70/100
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, has been fully applicable since 25 May 2018 and represents the world's most comprehensive data protection framework. With cumulative fines exceeding €4.5 billion by 2024, GDPR enforcement has significantly reshaped how organizations globally process personal data of EU/EEA residents — irrespective of the organisation's domicile.

What GDPR Covers

GDPR applies to any organisation that processes personal data of individuals located in the EU/EEA, regardless of where the organisation is established. Core obligations include: identifying a lawful basis for processing (Article 6), fulfilling data subject rights (Articles 15-22), implementing appropriate technical and organisational measures (Article 32), conducting Data Protection Impact Assessments for high-risk processing (Article 35), and appointing a Data Protection Officer where required (Article 37).

Who Must Comply

The following entities are subject to GDPR obligations:

  • Any organisation processing EU/EEA resident data
  • Data processors acting on behalf of EU controllers
  • Organisations monitoring EU resident behaviour online
  • Businesses offering goods/services to EU residents
  • Organisations transferring EU data to third countries
  • Healthcare providers, financial institutions, and tech companies with EU users

Penalties and Enforcement History

GDPR penalties operate on two tracks under Article 83. Lower-tier violations (Art. 83.4) — including security breach notification failures and processor obligations — carry fines up to €10M or 2% of global annual turnover. Upper-tier violations (Art. 83.5) — including unlawful processing and data subject rights infringements — carry fines up to €20M or 4% of global turnover.

Enforcement Timeline

  • Jul 2021, Luxembourg: Amazon €746M. Luxembourg DPA imposed a €746M fine on Amazon for behavioural advertising without adequate consent. Largest GDPR fine at time of issuance.
  • Sep 2021, Ireland: WhatsApp €225M. Irish DPC imposed a €225M fine on WhatsApp for transparency failures regarding data sharing with Meta companies.
  • Jan 2023, France: TikTok €5M. CNIL imposed a €5M fine on TikTok for cookie consent failures and inadequate user opt-out mechanisms.
  • May 2023, Ireland: Meta €1.2B. Irish DPC imposed a record €1.2B fine on Meta Platforms for unlawful EU-U.S. data transfers without adequate safeguards.
  • Nov 2023, Netherlands: Uber €290M. Dutch DPA imposed a €290M fine on Uber for transferring EU driver data to the U.S. without standard contractual clauses.

Regulatory Comparison

Dimension            | GDPR                           | CCPA (US)                         | PDPA (Thailand)
Applicability        | EU/EEA data subjects globally  | California residents              | Thailand data subjects
Max Fine             | €20M or 4% turnover            | $7,500 per intentional violation  | THB 5M (~€140K)
Enforcement Body     | National DPAs + EDPB           | California AG + CPPA              | Office of PDPC
Compliance Timeline  | Since May 2018                 | Since Jan 2020                    | Since Jun 2022
DPO Requirement      | Mandatory in 3 scenarios       | No equivalent                     | No equivalent

Mitigation Strategy

01
Conduct a Data Processing Audit

Map all personal data flows and document processing activities in your Article 30 Record of Processing Activities (RoPA). Identify the lawful basis for each processing purpose. Review existing consent mechanisms for compliance with Article 7 requirements.

02
Appoint a Data Protection Officer

Assess whether your organisation meets any of the three DPO mandate triggers under Article 37. If required, appoint a qualified DPO and register their contact details with the lead supervisory authority. Ensure operational independence under Article 38.

03
Implement Cross-Border Transfer Mechanisms

For transfers to non-adequate third countries (including the U.S., absent a Privacy Shield successor), implement Standard Contractual Clauses (SCCs) supported by Transfer Impact Assessments (TIAs). Document supplementary measures where the Schrems II analysis requires them.

Enforcement Precedent

Data Protection Commissioner v. Facebook Ireland (Meta Platforms) — Irish DPC Decision IN-18-5-7 (May 2023): "The DPC finds that Meta Platforms Ireland Limited's transfers of personal data to the United States of America... lack a valid legal basis under Chapter V GDPR. The unlawful transfers were carried out on a massive scale over a period of years."

Frequently Asked Questions

Q: Does GDPR apply to U.S. companies without EU offices?

A: Yes. Article 3(2) GDPR applies to controllers and processors not established in the EU where processing activities relate to offering goods or services to EU/EEA data subjects, or monitoring their behaviour. U.S. companies serving EU customers are subject to full GDPR compliance obligations and must appoint an EU representative under Article 27.

Q: What constitutes a GDPR data breach requiring notification?

A: Article 33 requires notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. Higher-risk breaches additionally require notification to affected data subjects under Article 34. Not all breaches require notification — low-risk incidents may be documented internally only.

Q: Can consent be withdrawn after being given?

A: Yes. Article 7(3) GDPR provides that data subjects may withdraw consent at any time, and withdrawal must be as easy as giving consent. Processing carried out before withdrawal remains lawful, but processing on the basis of withdrawn consent must cease. Organisations relying solely on consent as the lawful basis must implement robust withdrawal mechanisms.