Status: Enforced (May 2018)
Chapter II: Principles
Article 5: The 7 Principles
- 1. Lawfulness, Fairness, Transparency
- 2. Purpose Limitation
- 3. Data Minimization
- 4. Accuracy
- 5. Storage Limitation
- 6. Integrity & Confidentiality
- 7. Accountability (Controller must demonstrate compliance)
Article 6: Lawfulness of Processing
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Chapter III: Rights of Data Subject
Art. 15: Right of Access
Subject has the right to know if data is being processed and to access a copy.
Art. 17: Right to Erasure (Right to be Forgotten)
Obtain erasure of personal data without delay.
Art. 20: Right to Data Portability
Receive personal data in a structured, machine-readable format.
Art. 22: Automated Decision Making
Right not to be subject to decisions based solely on automated processing.
Chapter V: International Transfers
Art. 45: Adequacy Decisions
Transfer allowed to countries with adequate protection level (e.g., Japan, UK, Argentina).
Art. 46: Standard Contractual Clauses
Commission-approved contracts for transfers without adequacy decision.
Art. 47: Binding Corporate Rules
Internal policies for intra-group transfers.
Art. 49: Derogations
Specific situations: explicit consent, contract necessity, legal claims.
Chapter VIII: Penalties
€20M or 4% Global Turnover
For violations of basic principles, data subject rights, international transfers
€10M or 2% Global Turnover
For technical and organizational measures, record-keeping failures