General Data Protection Regulation (GDPR)
EU-GDPR-2016 · EU
General Data Protection Regulation (GDPR) is a Binding regulation from EU, adopted on 2016-04-27 and effective 2018-05-25. Current status: In force. Foundational EU personal-data protection regulation. Most-cited European instrument PW catalogues at the AI-governance boundary — every CNIL / Garante / AEPD / BfDI / DPC enforcement action against an AI system (Clearview, ChatGPT, Replika, automated-hiring complaints) invokes GDPR Arts. 5/6/9/22/35. Art. 22 (automated individual decision-making + profiling) is the load-bearing provision that interacts with EU AIA Art. 26(11) deployer use of AI-system output for decisions concerning natural persons. Art. 35 (DPIA) partially overlaps EU AIA Art. 27 FRIA; the EDPB is finalising a joint EDPB-AI-Office guideline on the AIA-FRIA / GDPR-DPIA interplay through 2026. Art. 9 (special-category processing) interacts with EU AIA Art. 5(1)(c)(d)(g) prohibitions on social scoring + emotion recognition in workplace + untargeted facial-image scraping. Enforced by national Data Protection Authorities; the European Data Protection Board (EDPB, formerly Art. 29 Working Party) coordinates one-stop-shop + Article 65 binding-decision procedures across DPAs.
Scope and obligations
Foundational EU personal-data protection regulation. Most-cited European instrument PW catalogues at the AI-governance boundary — every CNIL / Garante / AEPD / BfDI / DPC enforcement action against an AI system (Clearview, ChatGPT, Replika, automated-hiring complaints) invokes GDPR Arts. 5/6/9/22/35. Art. 22 (automated individual decision-making + profiling) is the load-bearing provision that interacts with EU AIA Art. 26(11) deployer use of AI-system output for decisions concerning natural persons. Art. 35 (DPIA) partially overlaps EU AIA Art. 27 FRIA; the EDPB is finalising a joint EDPB-AI-Office guideline on the AIA-FRIA / GDPR-DPIA interplay through 2026. Art. 9 (special-category processing) interacts with EU AIA Art. 5(1)(c)(d)(g) prohibitions on social scoring + emotion recognition in workplace + untargeted facial-image scraping. Enforced by national Data Protection Authorities; the European Data Protection Board (EDPB, formerly Art. 29 Working Party) coordinates one-stop-shop + Article 65 binding-decision procedures across DPAs.
General Data Protection Regulation (GDPR) addresses 4 contested AI-governance topics explicitly,.
Topics governed
- governsBiometric Identification— Art. 9 special-category processing (biometric data for unique identification); Art. 22 ADM with safeguards
- governsTransparency Obligations— Arts. 12-14 (information to data subjects); Art. 13(2)(f) + 14(2)(g) meaningful information about ADM logic; Art. 22(3) suitable safeguards
- governsIndividual Redress— Art. 77 DPA complaint; Art. 79 effective judicial remedy; Art. 80 collective representation by NGOs; Art. 82 right to compensation; Art. 83 administrative fines
- governsTraining-Data Rights— Art. 5(1)(b) purpose limitation; Art. 6 lawful basis; Art. 9 special-category overlay for sensitive training data; Art. 5(1)(c) data minimisation
Cross-jurisdiction comparison
How peer instruments treat the topics General Data Protection Regulation (GDPR) governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | NYC-LL-144-2021 | CO-SB-24-205 | IL-HB-3773-2024 | EU-GPAI-COP-2025 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Biometric Identification | governs | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent |
| Transparency Obligations | governs | implicit | silent | implicit | conflicts | governs | governs | governs | implicit | governs | implicit | governs | governs | implicit | implicit | governs | governs | silent | governs | implicit | implicit | governs | implicit | governs | governs | governs | silent | silent | silent | governs |
| Individual Redress | governs | silent | silent | implicit | governs | silent | governs | governs | silent | implicit | silent | silent | implicit | implicit | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | silent | silent | silent | silent |
| Training-Data Rights | implicit | silent | silent | silent | governs | silent | silent | implicit | silent | implicit | silent | silent | governs | silent | governs | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | governs |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
How to cite this article
APA 7
Policy Window. (2016). General Data Protection Regulation (GDPR) [Wiki article — Instrument]. https://policywindow.org/wiki/gdpr
Chicago 17
Policy Window. 2016. "General Data Protection Regulation (GDPR)." Wiki article (Instrument). https://policywindow.org/wiki/gdpr.
BibTeX
@misc{policywindow-gdpr,
title = {General Data Protection Regulation (GDPR)},
author = {Policy Window},
year = {2016},
howpublished = {Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88 (CELEX:32016R0679; ELI:http://data.europa.eu/eli/reg/2016/679/oj); applied from 25 May 2018.},
url = {https://policywindow.org/wiki/gdpr},
note = {Primary source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679}
}References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88 (CELEX:32016R0679; ELI:http://data.europa.eu/eli/reg/2016/679/oj); applied from 25 May 2018.
- Art. 9 special-category processing (biometric data for unique identification); Art. 22 ADM with safeguards
- Arts. 12-14 (information to data subjects); Art. 13(2)(f) + 14(2)(g) meaningful information about ADM logic; Art. 22(3) suitable safeguards
- Art. 77 DPA complaint; Art. 79 effective judicial remedy; Art. 80 collective representation by NGOs; Art. 82 right to compensation; Art. 83 administrative fines
- Art. 5(1)(b) purpose limitation; Art. 6 lawful basis; Art. 9 special-category overlay for sensitive training data; Art. 5(1)(c) data minimisation
Cite this article
6 formats · 1-click copyPersistent identifier: https://policywindow.org/wiki/gdpr — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Track this article
Save General Data Protection Regulation (GDPR) to your local reading list, follow the RSS changelog for any catalog change, or compare with a peer article. All three work without signup.