General Data Protection Regulation

Article 48 states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognised or enforceable in any manner unless based on an international agreement, like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state.

Each member state establishes an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, etc.[1]

In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely given.

A report[29] by the European Union Agency for Network and Information Security elaborates on what needs to be done to achieve privacy and data protection by default.

While the tokens have no extrinsic or exploitable meaning or value, they allow for specific data to be fully or partially visible for processing and analytics while sensitive information is kept hidden.
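Vault-based tokenization as described above, as an added example that is not part of the original article: each token is random, the last four digits stay visible for analytics, and only the vault can map a token back. The `TokenVault` class, its method names and the sample card numbers are constructed for illustration.

```python
import secrets
import string


class TokenVault:
    """Hypothetical in-memory vault; in practice a separately secured service."""

    def __init__(self, visible_suffix=4):
        self.visible_suffix = visible_suffix
        self._token_to_value = {}  # only the vault can reverse a token
        self._value_to_token = {}  # same input -> same token, so joins still work

    def tokenize(self, value):
        if value in self._value_to_token:
            return self._value_to_token[value]
        hidden_len = len(value) - self.visible_suffix
        if hidden_len <= 0:
            raise ValueError("value too short to hide anything")
        while True:
            # Random digits: nothing in the token is derived from the hidden
            # part, unlike a hash or a reversible encoding of the value.
            body = "".join(secrets.choice(string.digits) for _ in range(hidden_len))
            token = body + value[hidden_len:]
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, caller_is_authorised):
        # Re-identification is a privileged operation kept apart from analytics.
        if not caller_is_authorised:
            raise PermissionError("detokenization requires vault access")
        return self._token_to_value[token]


def tokenize_records(records, vault, field="card"):
    """Return copies of the records with the sensitive field replaced."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


# Constructed sample data (well-known test card numbers, not real accounts).
SAMPLE = [
    {"customer": "A", "card": "4111111111111111", "amount": 20},
    {"customer": "B", "card": "5500005555555559", "amount": 35},
    {"customer": "A", "card": "4111111111111111", "amount": 5},
]

if __name__ == "__main__":
    print(tokenize_records(SAMPLE, TokenVault()))
```

As long as the vault mapping exists, the tokenized records are pseudonymised rather than anonymised, so they remain personal data under the GDPR.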

[31] According to Article 30, records of processing activities have to be maintained by each organisation matching one of the following criteria: Such requirements may be modified by each EU country.

[34] Article 33 states the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals.

A designated DPO can be a current member of staff of a controller or processor, or the role can be outsourced to an external person or agency through a service contract.

The contact details for the DPO must be published by the processing organisation (for example, in a privacy notice) and registered with the supervisory authority.

[36] Organisations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations.[1]

The EU Representative is the Controller's or Processor's contact person vis-à-vis European privacy supervisors and data subjects, in all matters relating to processing, to ensure compliance with this GDPR.

The non-EU establishment must issue a duly signed document (letter of accreditation) designating a given individual or company as its EU Representative.

An establishment's failure to designate an EU Representative is considered ignorance of the regulation and relevant obligations, which itself is a violation of the GDPR subject to fines of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

The intentional or negligent (willful blindness) character of the infringement (failure to designate an EU Representative) may rather constitute aggravating factors.[1]

Although the United Kingdom formally withdrew from the European Union on 31 January 2020, it remained subject to EU law, including GDPR, until the end of the transition period on 31 December 2020.

[65] It has been argued that smaller businesses and startup companies might not have the financial resources to adequately comply with the GDPR, unlike the larger international technology firms (such as Facebook and Google) that the regulation is ostensibly meant to target first and foremost.

[69] The regulations, including whether an enterprise must have a data protection officer, have been criticized for potential administrative burden and unclear compliance requirements.

[83] Free software advocate Richard Stallman has praised some aspects of the GDPR but called for additional safeguards to prevent technology companies from "manufacturing consent".

[84] Academic experts who participated in the formulation of the GDPR wrote that the law "is the most consequential regulatory development in information policy in a generation.

[87][88] The deluge of GDPR-related notices also inspired memes, including those surrounding privacy policy notices being delivered by atypical means (such as a Ouija board or Star Wars opening crawl), suggesting that Santa Claus's "naughty or nice" list was a violation, and a recording of excerpts from the regulation by a former BBC Radio 4 Shipping Forecast announcer.

[99] On the effective date, some websites began to block visitors from EU countries entirely (including Instapaper,[100] Unroll.me,[101] and Tribune Publishing-owned newspapers, such as the Chicago Tribune and the Los Angeles Times) or redirect them to stripped-down versions of their services (in the case of National Public Radio and USA Today) with limited functionality and/or no advertising so that they will not be liable.

[111] Facebook and subsidiaries WhatsApp and Instagram, as well as Google LLC (targeting Android), were immediately sued by Max Schrems's non-profit NOYB just hours after midnight on 25 May 2018, for their use of "forced consent".

[113][114][115][116][117] On 21 January 2019, Google was fined €50 million by the French DPA for showing insufficient control, consent, and transparency over use of personal data for behavioural advertising.

[118][119] In November 2018, following a journalistic investigation into Liviu Dragnea, the Romanian DPA (ANSPDCP) used a GDPR request to demand information on the RISE Project's sources.

[122][123][124][125][126] British Airways was ultimately fined a reduced amount of £20m, with the ICO noting that they had "considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty".

[128] In November 2021, the Irish Council for Civil Liberties lodged a formal complaint against the Commission, stating that it is in breach of its obligation under EU law to carefully monitor how Ireland applies the GDPR.

[132] In March 2021, EU member states led by France were reported to be attempting to modify the impact of the privacy regulation in Europe by exempting national security agencies.

[134] On 12 February 2025, the European Commission abandoned proposed regulations on technology patents, AI liability, and privacy for messaging apps due to strong lobbying and a lack of consensus among EU lawmakers, with major tech firms opposing the changes.

[135] Mass adoption of these new privacy standards by multinational companies has been cited as an example of the "Brussels effect", a phenomenon wherein European laws and regulations are used as a baseline due to their gravitas.

[141] The Republic of Turkey, a candidate for European Union membership, adopted the Law on the Protection of Personal Data on 24 March 2016 in compliance with the EU acquis.

Explanation of the possible results from the UK's divergence from the European GDPR[50]