GDPR
This article frames the regulation factually and does not replace legal advice in an individual case. Whether and how the GDPR covers a specific processing activity depends on the particular constellation and must be clarified against the text of the regulation and, where appropriate, professional advice.
The General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is the core data protection law of the European Union. It governs the processing of personal data of natural persons, applies directly in all EU and EEA states since 25 May 2018, and reaches actors outside the EU through its territorial scope. It is not to be confused with the revised Swiss Data Protection Act, which is a separate, parallel regime.
GDPR and Swiss data protection: two regimes
This page describes EU law. The Swiss counterpart, the revised Data Protection Act (revFADP / nDSG), is a standalone law with its own page. The two converge in substance, but they are legally separate: the GDPR is a directly applicable EU regulation, the revised Swiss act is national Swiss law. For a Swiss company both can apply at once, one through its seat and processing in Switzerland, the other through the territorial scope of the GDPR. Where this page names articles, they are GDPR articles; the Swiss act's articles live on the revFADP page.
Scope: who the GDPR reaches
The reach of the GDPR does not stop at the EU's external border. What matters is not the seat alone, but the connection of the processing to the EU. Under its territorial scope (Art. 3) the regulation covers two core constellations:
- Establishment in the EU. A controller or processor with an establishment in the EU falls under the GDPR for processing carried out in that context, regardless of where the processing technically takes place.
- Marketplace principle. A controller or processor without an EU establishment is also caught when it offers goods or services to data subjects in the EU or monitors their behaviour, as far as that behaviour takes place in the EU.
This marketplace principle is the decisive mechanism for Swiss readers. A Swiss provider that deliberately targets customers in the EU can fall within scope without ever having an EU establishment. This page states only the criterion; whether it is met in a given case depends on the specific constellation. The logic resembles the extraterritorial trigger of the EU AI Act, which reaches via the place of effect; both regimes can apply side by side.
The processing principles
The GDPR places the processing of personal data under a set of principles (Art. 5). They are the yardstick against which every processing activity is measured:
- Lawfulness, fairness and transparency. Every processing operation needs a legal basis and must be intelligible to the data subject.
- Purpose limitation. Data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those.
- Data minimisation. Only what is necessary for the purpose is collected.
- Accuracy. Inaccurate data must be corrected or erased.
- Storage limitation. Data is not kept in identifiable form longer than the purpose requires.
- Integrity and confidentiality. Appropriate technical and organisational security against unauthorised processing, loss or damage.
Cutting across these is the accountability principle: the controller must not only ensure compliance with these principles but also be able to demonstrate it. This demonstrability is the point where data protection meets engineering, from the record of processing activities to the technical implementation in the Compliance architecture.
Legal bases instead of blanket consent
A common misconception equates lawful processing with consent. In fact the GDPR recognises several equally ranked legal bases (Art. 6), among them consent, performance of a contract, a legal obligation and legitimate interest. Consent is only one of them and is tied to conditions: it must be freely given, informed and withdrawable. For special categories of personal data, such as health or biometric data, additional conditions apply (Art. 9). Which basis supports a given processing operation is a question of its concrete purpose, not a default assumption.
The rights of the data subject
The GDPR grants the data subject enforceable rights against the controller. The central ones are:
```mermaid
mindmap
  root((Data subject rights))
    Access
      Which data
      Which purpose
    Rectification
      Correct inaccurate data
    Erasure
      Right to be forgotten
    Restriction
      Pause processing
    Portability
      Take data along
    Objection
      Against specific processing
```
The diagram shows the core rights the GDPR assigns to the data subject. The right of access (Art. 15) is the entry point; rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21) follow. The rights are not unlimited but apply under the conditions and exceptions named in the regulation.
Notable here is the difference from Swiss law: the Swiss act knows no comprehensive right to erasure equivalent to the GDPR's, and no standalone data portability in the same form. Anyone serving both regimes cannot rely on the lowest common denominator; that is one reason to treat the GDPR and the revised Swiss act separately.
Obligations of the controller
Concrete obligations follow from the principles. Among other things the GDPR requires data protection by design and by default (Privacy by Design and by Default), a record of processing activities, a data protection impact assessment in certain high-risk cases, and notification of personal data breaches to the supervisory authority, as a rule within 72 hours, and where applicable to the data subjects. Which of these obligations apply depends on the nature and risk of the processing; some are limited for smaller organisations under conditions. The technical side of these obligations, from erasure concepts to demonstrable control, is covered on the Compliance page and, for the Swiss equivalent, on the page on the revised Swiss act.
The fine framework
The GDPR gives supervisory authorities a tiered sanction instrument. Fines are meant to be effective, proportionate and dissuasive in each individual case and follow a two-tier framework (Art. 83):
- Up to 10 million euro or 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of, for example, the obligations of controllers and processors.
- Up to 20 million euro or 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of, for example, the processing principles, the rights of data subjects, or the rules on transfers of data to third countries.
The higher of the two values applies in each case. The actual amount in a given case is set against a catalogue of criteria, such as the nature, gravity and duration of the infringement and the degree of fault. This framework is set markedly higher than the fine range of the Swiss act, which applies in a different place and against different addressees; that is a further reason not to conflate the two regimes.
Control over data flows
Where personal data flows is a design decision for an organisation, not an accident. As soon as data leaves the EU, the GDPR ties the transfer to conditions: for countries outside the EU a suitable safeguard is required, such as an adequacy decision by the EU Commission or appropriate safeguards like standard contractual clauses. Deliberately steering data flows onto sovereign infrastructure defuses several of these questions at once and keeps control over who can reach the data. It becomes harder when data flows to US providers, where the access logic of the US Cloud Act additionally comes into play. For flows into Switzerland, the adequacy decision for Switzerland also matters, easing the flow of data from the EU into Switzerland. The organisational task of binding these regulations into a single practice is the work of AI governance.
References
- European Commission, Legal framework of EU data protection. Official explainer on Regulation (EU) 2016/679; in force since 24.05.2016, applicable since 25.05.2018. commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en
- EUR-Lex, Regulation (EU) 2016/679 (General Data Protection Regulation), full text. The authoritative legal text in the Official Journal of the EU, OJ L 119 of 04.05.2016. eur-lex.europa.eu/eli/reg/2016/679/oj
Related topics
- nFADP / revFADP, the standalone Swiss data protection regime, to be kept clearly distinct from the GDPR.
- EU AI Act, which reaches extraterritorially by a similar logic and can apply in parallel.
- Compliance, the technical view on evidence, erasure concepts and control.
- US Cloud Act, the second legal layer for data flows to US providers.
- Standards, the standards hub with ISO 27001, EU whistleblower and more.