The GDPR, Regulation (EU) 2016/679, is the cornerstone of data protection in the EU. It governs how organizations collect, process, and store personal data of EU residents, with fines of up to €20M or 4% of global turnover.
Focus: Privacy, consent, data subject rights, cross-border data transfers
Article 5 — Principles
Article 6 — Lawfulness
Article 7 — Consent
Article 15 — Right of Access
Article 17 — Right to Erasure
Article 25 — Data Protection by Design
Article 30 — Records of Processing
Article 32 — Security of Processing
Article 33 — Breach Notification
Article 35 — Data Protection Impact Assessment (DPIA)
GET /v1/frameworks/gdpr/articles → 200 OK · structured JSON · official source
The General Data Protection Regulation (GDPR) is EU Regulation 2016/679, widely regarded as the strongest data protection framework in the world. Adopted on 27 April 2016 and enforceable since 25 May 2018, it contains 99 articles and 173 recitals governing how organisations collect, process, store, and transfer personal data of individuals located in the European Union. The GDPR applies to any organisation — regardless of where it is headquartered — that offers goods or services to EU residents or monitors their behaviour. Core principles include lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. It grants data subjects specific rights including access, rectification, erasure, portability, and the right to object. Organisations must appoint a Data Protection Officer in certain cases and report personal data breaches to supervisory authorities within 72 hours. Law4Devs provides all 99 GDPR articles as structured, queryable JSON sourced verbatim from EUR-Lex.
GDPR compliance under EU 2016/679 is required of any organisation that processes personal data of individuals located in the European Union, regardless of where the organisation itself is based. This extraterritorial scope means a company in the United States, Japan, or Brazil must comply if it offers goods or services to EU residents or monitors their online behaviour. Covered entities include SaaS platforms, mobile apps, e-commerce websites, cloud service providers, data brokers, marketing agencies, healthcare providers, and financial institutions — essentially any business handling EU personal data. Both data controllers, who determine the purposes of processing, and data processors, who process data on behalf of controllers, bear direct obligations. Organisations with fewer than 250 employees are not exempt but may have reduced record-keeping duties. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. Law4Devs lets you query GDPR articles filtered by role, obligation type, and data subject right.
Under EU Regulation 2016/679, GDPR fines are structured into two tiers. The upper tier reaches up to €20 million or 4% of the organisation's total worldwide annual turnover of the preceding financial year, whichever amount is higher, and applies to violations of core data processing principles, data subject rights, and cross-border transfer rules. The lower tier reaches up to €10 million or 2% of global annual turnover and covers breaches of controller and processor obligations, certification body duties, and monitoring body requirements. Supervisory authorities across the 27 EU Member States and 3 EEA countries have collectively imposed over €4.5 billion in GDPR fines since enforcement began in May 2018. Notable penalties include a €1.2 billion fine against Meta in 2023 for unlawful data transfers. Fines must be effective, proportionate, and dissuasive, taking into account the nature, gravity, and duration of the infringement. Law4Devs structures all GDPR penalty provisions as queryable JSON, helping engineering teams identify which obligations carry the highest risk.
Law4Devs provides all 99 articles of EU Regulation 2016/679 as structured, machine-readable JSON via a REST API, sourced verbatim from EUR-Lex, the official publication repository of the European Union. Engineers and compliance teams can filter GDPR articles by obligation type, data subject right, controller or processor role, and sector relevance. Each article response includes the full legal text, article number, amendment history, semantic tags identifying whether the provision is an obligation, right, or definition, and cross-references to related articles within GDPR and other EU frameworks such as NIS2 and the AI Act. The API returns responses in an average of 34 milliseconds, making it suitable for real-time compliance checks in CI/CD pipelines, product dashboards, and legal-tech applications. Official SDKs are available for Python, TypeScript, Java, Rust, PHP, and Dart. Law4Devs tracks EUR-Lex amendments automatically, so your integration always reflects the latest consolidated version of the regulation.