GDPR
Everything you need to know about the General Data Protection Regulation — requirements, enforcement, consent rules, and how to achieve full compliance. Dive into lawful bases for processing, Data Protection Officer obligations, cross-border data transfers, data subject access requests, and the latest guidance from European supervisory authorities.
GDPR and Cookies: Special Categories of Data You Might Be Collecting Without Knowing
Article 9 of the General Data Protection Regulation (GDPR) places strict limits on collecting sensitive information like health data, political opinions, and sexual orientation. Many website owners accidentally process this special category data through standard analytics and marketing cookies.
Legitimate Interest as a Legal Basis: When Can You Skip Consent?
Legitimate interest is the most flexible of the six GDPR legal bases, but it is also the most misunderstood. This guide explains the three-part test you must pass, where legitimate interest works in practice, and why it rarely applies to cookies and tracking technologies.
Handling Data Breaches: The 72-Hour Notification Rule Under GDPR Article 33
GDPR Article 33 requires data controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. The clock starts ticking from awareness, not from when the breach occurred - and getting the notification wrong can be just as costly as missing the deadline entirely.
Do You Need a Data Protection Officer? GDPR Requirements Explained (Article 37)
Article 37 of the GDPR forces specific types of businesses to appoint a Data Protection Officer. Learn the strict legal triggers for this mandatory role, how to avoid massive fines, and whether your website tracking crosses the regulatory threshold.
Cross-Border Data Transfers After GDPR: Adequacy Decisions, Safeguards, and What They Mean for Your Website
GDPR restricts the transfer of personal data outside the EEA unless the receiving country offers equivalent protection or specific safeguards are in place. With record fines now reaching into the hundreds of millions, getting cross-border transfers right has become one of the most consequential compliance tasks for any website that uses third-party services hosted abroad.
When Do You Need a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment is mandatory under GDPR whenever processing is likely to result in a high risk to individuals. Article 35 sets out three automatic triggers, and the EDPB has published nine criteria to help you decide whether your processing qualifies. Getting this wrong can lead to enforcement action and fines of up to 2% of global turnover.
Data Processors vs Data Controllers: Understanding Your Role Under GDPR
Every organisation handling personal data under the GDPR acts as either a controller or a processor. Learn how this legal distinction dictates your liability, contractual requirements, and compliance obligations.
GDPR Fines Explained: How Supervisory Authorities Calculate Penalties Under Article 83
GDPR fines are not arbitrary. Article 83 sets out a structured framework with two tiers of maximum penalties, ten assessment criteria, and a five-step calculation methodology developed by the EDPB. Understanding how authorities arrive at a specific figure helps you assess your own compliance risk.
The Right to Data Portability: What It Means for Your SaaS Product
Data portability gives users the right to take their personal data out of your SaaS product in a structured, machine-readable format. Under GDPR Article 20 and the 2025 EU Data Act, SaaS providers face concrete obligations around export formats, switching timelines, and interoperability that go far beyond a simple CSV download button.