
GDPR Compliance — Complete Guide for European Businesses

Everything you need to know about the General Data Protection Regulation — the world's strongest data protection law, with fines up to €20M or 4% of global turnover.

What is GDPR?

The General Data Protection Regulation (GDPR) — EU Regulation 2016/679 — is the cornerstone of data protection in the European Union. Adopted on 27 April 2016 and enforceable since 25 May 2018, it contains 99 articles and 173 recitals governing how organisations collect, process, store, and transfer personal data of individuals located in the EU. The GDPR applies to any organisation — regardless of headquarters location — that offers goods or services to EU residents or monitors their behaviour. It grants data subjects specific rights including access, rectification, erasure ("right to be forgotten"), portability, and the right to object. Organisations must appoint a Data Protection Officer in certain cases, report breaches within 72 hours, and maintain detailed processing records.

Who It Applies To

Any organisation worldwide that processes personal data of EU residents — including SaaS platforms, e-commerce sites, mobile apps, healthcare providers, financial institutions, marketing agencies, and data brokers. Both data controllers and data processors have direct obligations.

Key Articles & Obligations

  • Article 5
  • Article 6
  • Article 7
  • Article 15
  • Article 17
  • Article 25
  • Article 30
  • Article 32
  • Article 33
  • Article 35

Key Deadlines

  • 25 May 2018: Enforcement began. GDPR became fully applicable across all EU Member States.
  • 16 Jul 2020: Schrems II ruling. CJEU invalidated Privacy Shield, reshaping EU-US data transfers.
  • 1 Jan 2024: Ongoing. Continued enforcement with escalating fines across all Member States.

Fines & Enforcement

Up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious violations. Since 2018, EU supervisory authorities have imposed over €4.5 billion in GDPR fines.

Core Principles of GDPR

The GDPR is built on seven foundational principles that govern all processing of personal data. These principles appear in Article 5 and underpin every specific obligation in the regulation.

  • Lawfulness, fairness, and transparency — processing must have a valid legal basis and be transparent to data subjects
  • Purpose limitation — data can only be collected for specified, explicit, and legitimate purposes
  • Data minimisation — only collect data that is adequate, relevant, and limited to what is necessary
  • Accuracy — personal data must be accurate and kept up to date
  • Storage limitation — data must not be kept longer than necessary for the purposes
  • Integrity and confidentiality — data must be processed securely
  • Accountability — the controller is responsible for and must be able to demonstrate compliance

Data Subject Rights Under GDPR

The GDPR grants EU residents eight fundamental rights regarding their personal data. Organisations must have processes in place to respond to these requests within one month.

  • Right of access (Article 15) — individuals can request a copy of their personal data
  • Right to rectification (Article 16) — inaccurate data must be corrected
  • Right to erasure / "right to be forgotten" (Article 17) — data must be deleted in certain circumstances
  • Right to restrict processing (Article 18) — individuals can limit how their data is used
  • Right to data portability (Article 20) — data can be transferred in a machine-readable format
  • Right to object (Article 21) — individuals can object to processing based on legitimate interests or direct marketing
  • Rights related to automated decision-making and profiling (Article 22)
  • Right to withdraw consent at any time (Article 7)

Lawful Bases for Processing

Under Article 6, every processing activity must rest on at least one of six lawful bases. Choosing the correct basis is fundamental to GDPR compliance.

  • Consent — the data subject has given clear, affirmative consent
  • Contract — processing is necessary for the performance of a contract
  • Legal obligation — processing is necessary for compliance with a legal obligation
  • Vital interests — processing is necessary to protect someone's life
  • Public task — processing is necessary for a task carried out in the public interest
  • Legitimate interests — processing is necessary for legitimate interests pursued by the controller or a third party (balanced against the individual's rights)

International Data Transfers

The GDPR restricts transfers of personal data outside the European Economic Area (EEA). Transfers are only permitted under specific mechanisms including adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).

  • Adequacy decisions — the European Commission has recognised certain countries as providing adequate protection (e.g., UK, Japan, South Korea)
  • Standard Contractual Clauses (SCCs) — EU-approved contractual safeguards for third-country transfers
  • Binding Corporate Rules (BCRs) — internal rules for intra-group transfers
  • Derogations — specific situations where transfers may occur without adequacy or safeguards (e.g., explicit consent)

How Law4Devs Helps with GDPR Compliance

Law4Devs provides all 99 GDPR articles as structured, queryable JSON sourced verbatim from EUR-Lex. Engineering and legal teams can filter by obligation type, data subject right, controller or processor role, and sector relevance. Each response includes the full legal text, article number, amendment history, semantic tags, and cross-references to related articles in NIS2, the AI Act, and other frameworks. The API tracks EUR-Lex amendments automatically.

Query GDPR via API

GET /v1/frameworks/gdpr/articles
200 OK · structured JSON · official EUR-Lex source

Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) is EU Regulation 2016/679, widely regarded as the strongest data protection framework in the world. Adopted on 27 April 2016 and enforceable since 25 May 2018, it contains 99 articles and 173 recitals governing how organisations collect, process, store, and transfer personal data of individuals located in the European Union. The GDPR applies to any organisation — regardless of where it is headquartered — that offers goods or services to EU residents or monitors their behaviour. Core principles include lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. It grants data subjects specific rights including access, rectification, erasure, portability, and the right to object. Organisations must appoint a Data Protection Officer in certain cases and report personal data breaches to supervisory authorities within 72 hours. Law4Devs provides all 99 GDPR articles as structured, queryable JSON sourced verbatim from EUR-Lex.

Who needs GDPR compliance?

GDPR compliance under EU 2016/679 is required of any organisation that processes personal data of individuals located in the European Union, regardless of where the organisation itself is based. This extraterritorial scope means a company in the United States, Japan, or Brazil must comply if it offers goods or services to EU residents or monitors their online behaviour. Covered entities include SaaS platforms, mobile apps, e-commerce websites, cloud service providers, data brokers, marketing agencies, healthcare providers, and financial institutions — essentially any business handling EU personal data. Both data controllers, who determine the purposes of processing, and data processors, who process data on behalf of controllers, bear direct obligations. Organisations with fewer than 250 employees are not exempt but may have reduced record-keeping duties. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. Law4Devs lets you query GDPR articles filtered by role, obligation type, and data subject right.

What are the GDPR fines?

Under EU Regulation 2016/679, GDPR fines are structured into two tiers. The upper tier reaches up to €20 million or 4% of the organisation's total worldwide annual turnover of the preceding financial year, whichever amount is higher, and applies to violations of core data processing principles, data subject rights, and cross-border transfer rules. The lower tier reaches up to €10 million or 2% of global annual turnover and covers breaches of controller and processor obligations, certification body duties, and monitoring body requirements. Supervisory authorities across the 27 EU Member States and 3 EEA countries have collectively imposed over €4.5 billion in GDPR fines since enforcement began in May 2018. Notable penalties include a €1.2 billion fine against Meta in 2023 for unlawful data transfers. Fines must be effective, proportionate, and dissuasive, taking into account the nature, gravity, and duration of the infringement. Law4Devs structures all GDPR penalty provisions as queryable JSON, helping engineering teams identify which obligations carry the highest risk.

How does Law4Devs help with GDPR?

Law4Devs provides all 99 articles of EU Regulation 2016/679 as structured, machine-readable JSON via a REST API, sourced verbatim from EUR-Lex, the official publication repository of the European Union. Engineers and compliance teams can filter GDPR articles by obligation type, data subject right, controller or processor role, and sector relevance. Each article response includes the full legal text, article number, amendment history, semantic tags identifying whether the provision is an obligation, right, or definition, and cross-references to related articles within GDPR and other EU frameworks such as NIS2 and the AI Act. The API returns responses in an average of 34 milliseconds, making it suitable for real-time compliance checks in CI/CD pipelines, product dashboards, and legal-tech applications. Official SDKs are available for Python, TypeScript, Java, Rust, PHP, and Dart. Law4Devs tracks EUR-Lex amendments automatically, so your integration always reflects the latest consolidated version of the regulation.

Access GDPR as Structured JSON

All articles, recitals, and amendments — queryable, filterable, and always up to date.