5.1 GDPR Basics — Scope & Principles
Module 5: GDPR — Europe's Standard
Explains what the GDPR is, who it applies to including non-EU companies, and covers all seven data protection principles from Article 5.
On 25 May 2018, the General Data Protection Regulation (GDPR) became applicable across the European Union, two years after it entered into force. It quickly became the most influential privacy law ever enacted, not just for people in the EU but for organisations and individuals worldwide. Understanding its fundamentals is essential for anyone operating in today's digital environment.
What is the GDPR?
The GDPR (Regulation (EU) 2016/679) replaced the 1995 Data Protection Directive (Directive 95/46/EC) and created a single, binding legal framework for data protection across all EU and EEA member states. Unlike its predecessor, which each member state had to transpose into its own national law, the GDPR is directly applicable, carries significant enforcement powers, and applies far beyond European borders.
Who does it apply to?
This is where the GDPR's global reach becomes clear. Under Art. 3, the GDPR applies to:
- Any organisation established in the EU or EEA, regardless of where processing happens
- Any organisation outside the EU that processes personal data of individuals who are in the EU, if that processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU
This extraterritorial scope means a company based in California, Tokyo, or São Paulo must comply with the GDPR if it offers goods or services to, or monitors the behaviour of, people in the EU. Note that the test is where the individual is, not their nationality or residence. This was a major shift in the global data protection landscape.
The seven principles of the GDPR (Art. 5)
At the heart of the GDPR are seven core principles that govern how personal data must be handled. Every data protection rule flows from these:
- Lawfulness, fairness, and transparency — Data must be processed on a valid legal basis, treated fairly, and with clear information given to individuals about what is done with their data.
- Purpose limitation — Data collected for one specified, explicit purpose must not then be used for something incompatible with that purpose.
- Data minimisation — Only the data that is actually necessary for the stated purpose may be collected — no more.
- Accuracy — Personal data must be kept accurate and up to date; inaccurate data must be corrected or deleted.
- Storage limitation — Data must not be kept longer than necessary for its purpose. Retention periods must be justifiable.
- Integrity and confidentiality (security) — Data must be protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures. What counts as "appropriate" depends on the risk; Article 32 spells this out, naming pseudonymisation and encryption among the measures to consider.
- Accountability — The data controller is responsible for compliance with all of the above principles and must be able to demonstrate that compliance, for example through records, policies, and documented decisions. Following the principles in practice is necessary but not sufficient.
Why these principles matter
The seven principles act as a checklist for any data processing activity. Before collecting a single piece of personal data, an organisation should be able to answer: What is our legal basis? Why do we need this specific data? How long will we keep it? How will we secure it? If those questions have no clear answers, the processing likely violates the GDPR.
Your takeaway
The GDPR's scope is global, its principles are concrete, and its accountability requirement means organisations cannot simply claim compliance; they must be able to prove it. If you are a data subject, these principles are the foundation of every right you hold under the GDPR.