The European Union regulation governing processing of personal data of EU and EEA data subjects, with extraterritorial reach over non-EU controllers and processors targeting the EU market.
GDPR.
The General Data Protection Regulation, Regulation (EU) 2016/679, was adopted April 27, 2016 and entered into force May 24, 2016, with full applicability from May 25, 2018. It replaced the 1995 Data Protection Directive 95/46/EC and brought direct effect across the 27 EU Member States plus the European Economic Area (Iceland, Liechtenstein, Norway). The regulation is administered nationally by Member State Data Protection Authorities, with a one-stop-shop mechanism for cross-border cases and the European Data Protection Board (EDPB) providing consistency and guidance.
The substantive framework rests on six lawful bases for processing under Article 6 (consent, contract, legal obligation, vital interests, public interest, legitimate interests) plus Article 9 conditions for special-category data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation). Data subject rights under Articles 15-22 include access, rectification, erasure (right to be forgotten), restriction, portability, objection, and rights related to automated decision-making and profiling. Controllers must conduct Data Protection Impact Assessments under Article 35 for processing likely to result in a high risk, appoint a Data Protection Officer under Article 37 in defined circumstances, and maintain records of processing activities under Article 30.
Cross-border data transfers are governed by Chapter V. Transfers to third countries covered by a European Commission adequacy decision (UK, Switzerland, Canada commercial sector, Japan, Korea, New Zealand, Israel, others) are permitted without additional safeguards. Transfers to non-adequate third countries (including, after the Schrems II judgment, most transfers to the US) require Article 46 safeguards, typically the EU Standard Contractual Clauses adopted by Commission Implementing Decision 2021/914, supplemented by a Transfer Impact Assessment under EDPB Recommendations 01/2020. The EU-US Data Privacy Framework adopted in 2023 provides an adequacy basis for transfers to US recipients self-certified to the DPF.
For US firms with EU customers, EU employees, EU subsidiaries, or EU-targeted marketing, GDPR reaches the firm under Article 3 even without an EU establishment. The compliance build includes Article 27 EU representative appointment for non-EU controllers and processors offering goods or services to EU data subjects, controller-to-processor and joint-controller agreements aligned to Article 28, lawful-basis analysis and consent management, data-subject-rights handling procedures, breach-notification procedures aligned to Articles 33-34, transfer mechanisms for personal data flowing back to the US (DPF self-certification or SCCs plus Transfer Impact Assessment), and DPO appointment where required. US-listed firms with EU operations typically integrate GDPR controls into the existing SOX, HIPAA, or sector-specific compliance frameworks.
For EU firms with US operations, GDPR continues to apply to processing of EU data subjects' personal data regardless of where the data is processed. A German Mittelstand firm with US subsidiaries applies GDPR at the parent and to any US-side processing of EU personal data, alongside US sectoral laws (HIPAA, GLBA, COPPA, CCPA/CPRA, and other state privacy statutes).
GDPR sits across the Operators entering the US book on EU-headquartered firms with EU data subjects, on the Answers hub for cross-border data-flow architecture, on the HIPAA related entry for health-data firms, and on the Knowledge pillar on cross-border SaaS and data-handling commercialization. The presentation work covers how the firm names its GDPR posture, its DPF status, its SCC framework, and its DPO on US-facing surfaces. The compliance program belongs with EU and US privacy counsel.
Global Marketing Agency does not provide GDPR compliance program design, Data Protection Officer services, DPIA preparation, SCC negotiation, or DPA investigation defense. Those activities belong to EU and US privacy counsel and the firm's compliance function. GMA works on how the firm's GDPR posture is presented, sequenced, and read on US-facing surfaces.