GDPR - The General Data Protection Regulation

Protect the personal data of individuals in the EU, and of anyone whose data is processed by an organisation established in the EU, including, under certain conditions, when the processing itself takes place outside EU borders

Adopted: April 2016 (Regulation (EU) 2016/679)
Applicable from: 25 May 2018
Jurisdiction: European Union (EU), extended to the EEA states (Iceland, Liechtenstein, Norway)
Purpose: Protect the personal data of individuals in the EU, and of anyone whose data is processed by an organisation established in the EU, including, under certain conditions, when the processing itself takes place outside EU borders.

What GDPR Protects

  • Personal Data – any information relating to an identified or identifiable natural person (name, ID number, location data, online identifier such as an IP address or cookie ID, or factors specific to their physical, genetic, economic, cultural or social identity). Pseudonymised data that can still be linked back to a person remains personal data.
  • Special Categories of Data – sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health information, and data about sex life or sexual orientation. Processing these requires an additional specific condition on top of a lawful basis.

Who GDPR Applies To

GDPR has a territorial scope that goes beyond the EU's physical borders. Note that the trigger is where the data subject is and where the organisation is established, not the data subject's nationality or citizenship.

1. People in the EU

  • If a person is in the EU, GDPR applies to the processing of their personal data, regardless of nationality, whenever an organisation offers them goods or services (paid or free) or monitors their behaviour within the EU. This reaches organisations with no EU presence at all.
  • Example: An Australian living in Paris is protected by GDPR, including against a US-based website that tracks her browsing.

2. Organisations established in the EU

  • GDPR also applies to any processing carried out in the context of the activities of an organisation established in the EU, wherever the processing physically happens and wherever the data subject lives.
  • Example: A Spanish citizen living in Canada buys from an EU-based online store; GDPR applies to that transaction because the store is established in the EU, not because the buyer is an EU citizen. A Canadian customer of the same store is protected in exactly the same way.

Key Principles

GDPR is built around seven core principles that guide all processing activities:
  1. Lawfulness, Fairness, Transparency – processing must have a legal basis, be fair, and clearly explain how data will be used.
  2. Purpose Limitation – collect data only for specific, legitimate purposes.
  3. Data Minimization – gather only the minimum data necessary for the purpose.
  4. Accuracy – keep personal data up-to-date and correct inaccuracies promptly.
  5. Storage Limitation – store data no longer than necessary.
  6. Integrity and Confidentiality – protect data with appropriate security measures.
  7. Accountability – be able to demonstrate GDPR compliance.

Data Subject Rights

GDPR grants individuals powerful rights over their personal data:
  • Right to Access – know what data is held about them.
  • Right to Rectification – correct inaccurate data.
  • Right to Erasure (“Right to be Forgotten”) – request deletion of their data.
  • Right to Restrict Processing – limit how data is used.
  • Right to Data Portability – obtain their data in a portable format.
  • Right to Object – stop processing based on certain grounds.
  • Rights related to Automated Decision-Making – safeguard against profiling without human intervention.

Obligations for Organizations

  • Lawful Basis for Processing – every processing activity needs one of six bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent must be freely given, specific, informed and as easy to withdraw as to give.
  • Data Protection Officer (DPO) – mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
  • Data Breach Notification – must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; where the risk is high, affected individuals must also be told without undue delay. Keep an internal breach register either way, since the authority can ask for it.
  • Privacy by Design and Default – security and privacy must be built into systems from the start, and the default configuration must process only the data necessary for the purpose.

Penalties

  • Lower-tier: Up to €10 million or 2% of annual global turnover (whichever is higher), for failures such as inadequate security, missing records of processing, or not notifying a breach.
  • Higher-tier: Up to €20 million or 4% of annual global turnover (whichever is higher), for breaches of the core principles, the lawful bases, data subject rights, or international transfer rules.

Neuromesh Example

Susan from HR sends Anya a product demo dataset containing real customer records.
  • Even though it's "internal," GDPR still applies: there is no internal-use exemption, and sharing the records for a demo is itself a processing activity that needs a lawful basis and must respect purpose limitation (the customers did not hand over their data so it could be used in sales demos).
  • Without anonymization, Neuromesh risks regulatory fines, breach notification obligations, and reputational damage. Anonymization here means the records can no longer be linked back to a person by any reasonably likely means; merely hashing or replacing names with IDs is pseudonymization, and pseudonymized data is still personal data under GDPR. For a demo, synthetic records are the safer choice.

Marcus reminds Anya: GDPR isn’t just about avoiding fines — it’s about earning and maintaining customer trust by respecting their privacy rights.
