What is the GDPR and when does it apply?

The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. It entered into force on 24 May 2016 and has applied directly in every Member State from 25 May 2018 (Article 99). As a Regulation, GDPR does not require national transposition; the national law of each Member State complements but does not replace it (e.g. exemptions under Articles 23 and 85–91, age limits for child consent under Article 8).

Who must comply with GDPR?

Article 3 fixes territorial scope. Article 3(1) covers any controller or processor established in the Union, regardless of whether the processing itself takes place in the Union. Article 3(2) covers controllers and processors not established in the Union, where their processing activities relate to (a) the offering of goods or services to data subjects in the Union, irrespective of whether a payment is required, or (b) the monitoring of behaviour of data subjects in so far as that behaviour takes place within the Union. Article 3(3) covers processing where Member State law applies by virtue of public international law (e.g. diplomatic missions). Article 2 then carves out specific cases — purely personal or household activities, law-enforcement processing covered by Directive (EU) 2016/680, and processing for activities outside the scope of Union law.

What are the GDPR principles?

Article 5(1) sets out six principles for the processing of personal data — (a) lawfulness, fairness and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality. Article 5(2) adds the accountability principle: the controller is responsible for, and shall be able to demonstrate compliance with, paragraph 1. Accountability is the operative bridge — it is the principle that turns the other six into evidence-able controls.

What does Article 22 say about AI and automated decisions?

Article 22(1) gives the data subject the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Article 22(2) carves out three exceptions: (a) where the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) where it is authorised by Union or Member State law to which the controller is subject; (c) where it is based on the data subject's explicit consent. Article 22(3) requires suitable safeguards including the right to obtain human intervention, to express the data subject's point of view, and to contest the decision. Article 22(4) imposes additional restrictions on automated decisions based on special categories of personal data under Article 9.

When does GDPR require a DPIA?

Article 35(1) requires a data protection impact assessment (DPIA) where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) enumerates three cases in which a DPIA is required: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; (c) a systematic monitoring of a publicly accessible area on a large scale. Many AI systems trigger the Article 35(3)(a) systematic-evaluation category.

What are the GDPR breach notification timelines?

Article 33(1) requires the controller to notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the notification is not made within 72 hours, it must be accompanied by reasons for the delay. Article 33(2) requires the processor to notify the controller without undue delay after becoming aware of a personal data breach. Article 34 separately requires the controller to communicate a personal data breach to the data subject without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons.

How does GDPR interact with the EU AI Act?

The two Regulations apply concurrently to AI systems that process personal data. GDPR governs the lawfulness of the data processing itself; the EU AI Act governs the AI system as a product or service. Important distinctions to preserve: Article 22 GDPR (the data subject's right not to be subject to a decision based solely on automated processing) is distinct from Article 14 EU AI Act (the high-risk-provider design obligation to enable human oversight) — the two duties do not overlap and one does not satisfy the other. Article 73 EU AI Act (serious-incident reporting for high-risk AI) is also distinct from Article 33 GDPR (personal-data-breach notification); both may apply to the same event. See [EU AI Act vs GDPR](/frameworks/comparison/eu-ai-act-vs-gdpr) for the structured pairwise treatment.

GDPR — Regulation (EU) 2016/679 — Modulos Compliance Guide

The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — governs the processing of personal data in the European Union. It is the most widely cited EU regulation for AI systems because most AI systems process personal data somewhere in their lifecycle (training data, inference inputs, operational logs, downstream decisions about people, or vendor flows).

This page is a Modulos compliance guide for AI use cases. Article references and key dates are drawn from the published OJ text; the platform mapping references real Modulos surfaces.

Quick decision

Processing in the context of activities of an establishment in the Union, OR non-EU processing related to offering goods/services to data subjects in the Union or monitoring their behaviour in the Union → GDPR applies under Article 3. Determine your role (controller vs joint controller vs processor — Article 4(7)–(8); Article 26 joint controllers) before scoping obligations. Read Scope and applicability first.
Decision-making AI affecting natural persons (credit, hiring, insurance, eligibility, monitoring) → Article 22 is the central provision. Read Key principles and obligations for the verbatim Article 22 wording, the three Article 22(2) exceptions, and the Article 22(3) safeguards.
High-risk processing (new technology, profiling with significant effects, large-scale special categories, systematic monitoring) → Article 35 DPIA is required. The Article 35(3)(a)–(c) trigger list is the operative test; supervisory authorities also publish "mandatory DPIA" lists under Article 35(4). Read Controller obligations and breach notification.
Subject to the EU AI Act in addition to GDPR → both apply concurrently. See EU AI Act vs GDPR; the Article 22 GDPR / Article 14 EU AI Act distinction is the most common point of confusion.
Detected a personal-data breach → Article 33 sets the 72-hour controller notification window; Article 34 sets the data-subject communication trigger (high risk to rights and freedoms). Both run independently of any AI-Act Article 73 serious-incident reporting.

TL;DR

GDPR = Regulation (EU) 2016/679, published in OJ L 119, 4.5.2016, pp. 1–88. Adopted 27 April 2016, applies from 25 May 2018 (Article 99). Corrigenda in OJ L 127, 23.5.2018.
Scope — Article 2 material scope (excluding activities outside the scope of Union law; Member State activities under Chapter 2 of Title V TEU / CFSP; purely personal/household processing; and competent-authority law-enforcement processing covered by Directive (EU) 2016/680); Article 3 territorial scope (establishment + offering goods/services + behaviour monitoring).
Principles — Article 5(1)(a)–(f) six principles + Article 5(2) accountability; Article 6(1)(a)–(f) lawful basis; Article 9 special categories.
Rights — Articles 12–22, with Article 22 (automated individual decision-making, including profiling) the most consequential provision for AI use cases.
Controller and processor obligations — Articles 24–32, including Article 25 data protection by design and by default, Article 28 processor contracts, Article 30 records of processing activities, Article 32 security.
Breach + DPIA — Article 33 (72-hour controller notification) + Article 34 (data subject communication where high risk); Article 35 DPIA + Article 36 prior consultation.
Transfers — Articles 44–50 (transfers to third countries; reference in cross-framework table).
Enforcement — Article 83(5) sets maximum administrative fines at EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.

Primary source

Regulation (EU) 2016/679 on EUR-Lex (CELEX 32016R0679) · OJ L 119, 4.5.2016, pp. 1–88 · Corrigendum: OJ L 127, 23.5.2018, pp. 2–5

Article 1 — subject matter

Article 1(1) defines the subject matter:

This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

Article 1(2) protects fundamental rights and freedoms — in particular the right to the protection of personal data. Article 1(3) prohibits the restriction or prohibition of free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data.

Regulation (EU) 2016/679 (GDPR)

Chapter I — General provisionsArticles 1–4: subject matter, material scope, territorial scope, definitions

Chapter II — PrinciplesArticles 5–11: principles relating to processing, lawful basis, conditions for consent, special categories

Chapter III — Rights of the data subjectArticles 12–23: transparency, information, access, rectification, erasure, restriction, portability, objection, automated decisions, restrictions

Chapter IV — Controller and processorArticles 24–43: general obligations, data protection by design, joint controllers, processors, RoPA, security, breach notification, DPIA, DPO, codes of conduct, certification

Chapter V — Transfers to third countriesArticles 44–50: adequacy decisions, appropriate safeguards, derogations, international cooperation

Chapter VI — Independent supervisory authoritiesArticles 51–59: status, competence, tasks, powers

Chapter VII — Cooperation and consistencyArticles 60–76: one-stop-shop, mutual assistance, European Data Protection Board

Chapter VIII — Remedies, liability, penaltiesArticles 77–84: rights to complain and to effective remedy, liability, administrative fines (Art 83 fines)

Chapter IX — Specific processing situationsArticles 85–91: freedom of expression, public access, national identification, employment, archiving, churches

Chapter X — Delegated and implementing actsArticles 92–93

Chapter XI — Final provisionsArticles 94–99: repeal of Directive 95/46/EC, application from 25 May 2018

For AI use cases, the four operationally dense chapters are II (principles), III (rights — especially Article 22), IV (controller / processor obligations — especially Articles 25, 30, 32, 33, 35), and VIII (penalties).

Modulos models GDPR through two complementary framework templates:

Framework	Project type	Focus	Requirement count
OFF-11 (`GDPR (org)`)	Organisation	Article-by-article organisational obligations across the 99 articles	31 (`ORF-225` to `ORF-255`)
MFF-12 (`GDPR (app)`)	AI application	Per-AI-system technical and operational obligations	10 (`MRF-233` to `MRF-242`)

The split mirrors the controller (organisation) / processing-activity (per-AI-system) distinction in GDPR itself: the controller-level obligations (RoPA, DPO, breach-notification process, supervisory cooperation) sit on the organisation project; the activity-level obligations (lawful basis decision, transparency notice content, data subject rights workflow, technical security measures) sit on each AI-system project.

A typical setup:

Requirements — each GDPR obligation is recorded as a requirement on the relevant project (OFF-11 organisation or MFF-12 AI service). Fulfilment tracks through Not fulfilled → Fulfilled (with optional Out of scope).
Controls — implemented measures (lawful-basis assessment, transparency notice template, data subject rights workflow, processor due-diligence policy, Article 30 RoPA, Article 32 security measures, breach-handling SOP) are documented as named controls and mapped to one or more requirements.
Evidence — Article 30 records, DPIA reports, prior-consultation submissions to the supervisory authority, breach-notification artefacts, processor contracts (Article 28 clauses), training records are recorded once and linked to multiple controls.
Readiness + fulfilment attestation — a requirement becomes ready for review once linked controls are in a final state; the requirement owner attests fulfilment for the project scope.
Modulos does not provide dedicated UI surfaces for the Article 30 RoPA, the DPIA workflow, or the Article 33–34 breach notification — these are tracked as evidence linked to the relevant requirement on OFF-11 / MFF-12.

See Operationalizing GDPR in Modulos for the practical rollout sequence.

Cross-framework mapping (preview)

GDPR area	EU AI Act (Regulation (EU) 2024/1689)	ISO/IEC 27701:2025	NIS2 (Directive (EU) 2022/2555)
Article 5 principles	Article 10 data governance (data quality, training-set governance)	Privacy information management system, Annex A / B PII controls	(no direct equivalent)
Article 6 lawful basis	Article 10 (training data lawfulness for high-risk AI)	(no direct equivalent — ISO 27701 doesn't decide lawful basis)	(no direct equivalent)
Article 22 automated decisions	Article 14 human oversight design (provider obligation) — distinct duty; do not conflate	(no direct equivalent)	(no direct equivalent)
Articles 12–20 transparency + rights	Article 13 transparency to deployers + Article 50 transparency to natural persons	Annex A / B disclosure and access controls	(no direct equivalent)
Articles 25 + 32 security	Article 15 cybersecurity for high-risk AI	Information security baseline (via ISO 27001)	Article 21(2)(a)–(j) cybersecurity measures
Article 30 RoPA	Article 11 + Annex IV technical documentation	Annex A / B record-keeping controls	(no direct equivalent)
Article 33–34 breach notification	Article 73 serious incidents (high-risk AI)	(no direct equivalent for breach notification timelines)	Article 23 incident reporting (24h / 72h / final)
Article 35 DPIA	Article 27 fundamental rights impact assessment (FRIA — narrow trigger, distinct duty)	(no direct equivalent)	(no direct equivalent)
Article 83 administrative fines	Article 99 administrative fines (up to EUR 35M / 7% turnover for Art 5)	(no direct equivalent)	Article 34 administrative fines (min maxima EUR 10M / 2% for essential entities)

For the pairwise comparison with the EU AI Act see EU AI Act vs GDPR; for the full hub see framework comparison.

Scope and applicability

Article 2 material scope, Article 3 territorial scope, Article 4 key definitions

Key principles and obligations

Article 5 principles, Article 6 lawful basis, Article 9 special categories, Articles 12–22 rights (including Article 22 automated decisions)

Controller obligations and breach notification

Articles 24–32 obligations, Article 33–34 breach notification, Article 35 DPIA, Article 37 DPO

Operationalizing in Modulos

Practical rollout sequence for OFF-11 and MFF-12

EU AI Act vs GDPR

How the two binding EU Regulations interact for AI systems that process personal data

Source attribution

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is published in the Official Journal of the European Union L 119, 4.5.2016, pp. 1–88. A corrigendum is published in OJ L 127, 23.5.2018, pp. 2–5. References on this page are descriptive references to the published text.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

Quick decision

TL;DR

Article 1 — subject matter

Cross-framework mapping (preview)

Source attribution

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

GDPR — Regulation (EU) 2016/679 ​

Quick decision ​

TL;DR ​

Article 1 — subject matter ​

GDPR structure ​

How to operationalize GDPR in Modulos ​

Cross-framework mapping (preview) ​

Related pages ​

Source attribution ​

GDPR — Regulation (EU) 2016/679

Quick decision

TL;DR

Article 1 — subject matter

GDPR structure

How to operationalize GDPR in Modulos

Cross-framework mapping (preview)

Related pages

Source attribution