
GDPR: principles, rights and fines

What Regulation (EU) 2016/679 is, who it applies to (including outside the EU), the principles and legal bases, data subject rights, fines and how to comply. An informational guide.

  • It's law, not a certification: there's no official “GDPR certificate”.
  • It has extraterritorial reach: what matters is where the data subjects are.
  • Fines up to €20M or 4% of worldwide turnover for the most serious breaches.

What GDPR is

GDPR (General Data Protection Regulation) is Regulation (EU) 2016/679, the EU's data protection law, applicable since 25 May 2018. It's not a voluntary standard and not a certification: it's law. You don't “obtain” GDPR and there's no official “GDPR certificate”; you become compliant by meeting its requirements.

In Italy it's complemented by the Privacy Code (Legislative Decree 196/2003 as amended by 101/2018), with the Garante as supervisory authority.

Who it applies to (including outside the EU)

GDPR governs the processing of personal data (any information about an identified or identifiable natural person) and has extraterritorial reach: it applies to organisations established outside the EU when they offer goods or services to people in the EU (even for free) or monitor their behaviour.

This is why a US, Gulf or Asian company selling to European customers (or expanding into Italy/the EU) must comply, often appointing an EU representative. For an inbound foreign company, GDPR is almost always the first box to tick.

Controller, processor, data subject

The controller decides the purposes and means of processing and is primarily responsible for compliance. The processor processes data on behalf of the controller (e.g. a SaaS vendor), governed by a data processing agreement (DPA, Art. 28). The data subject is the individual the data relates to.

Knowing which role you hold in each processing activity is the starting point: it changes your obligations.

Processing principles (Art. 5)

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability: the controller must demonstrate compliance, not just assert it.

Legal bases (Art. 6)

Every processing activity needs a legal basis (Art. 6): consent; performance of a contract; legal obligation; vital interests; public interest or official authority; legitimate interests (with a documented balancing test).

Special categories (health, biometrics, etc., Art. 9) need stricter conditions. Choosing, and documenting, the right basis is a frequent failure point.

Data subject rights (Arts. 15-22)

  • Access to your data.
  • Rectification of inaccurate data.
  • Erasure (“right to be forgotten”).
  • Restriction of processing.
  • Data portability.
  • Objection to processing.
  • Rights regarding automated decision-making and profiling.

Practical obligations (records, DPIA, DPO, breaches)

What you actually need: a record of processing activities (Art. 30); clear privacy notices; DPAs with processors (Art. 28); a DPIA (Art. 35) for high-risk processing; a DPO (Art. 37) where required (e.g. large-scale systematic monitoring, large-scale special-category processing).

Also: appropriate security measures (Art. 32, where ISO 27001 helps); data breach handling, notifying the authority within 72 hours where required, and data subjects if high risk; and governed non-EU transfers (SCCs, adequacy decisions). You need processes to receive and respond to data subject requests within the deadlines (generally one month): failure to handle requests is a classic complaint trigger.

Fines (Art. 83)

Two tiers: up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for “organisational” obligations (records, DPO, Art. 32 security); up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for the most serious breaches (principles, legal bases, data subject rights, transfers).

The higher of the fixed amount and the percentage applies, plus reputational damage and possible compensation claims.

How to comply, step by step

1) Map processing activities (data, purposes, legal bases, data flows).
2) Define roles and sign DPAs with vendors.
3) Record of processing, notices, consent management.
4) Risk assessment and DPIA where needed.
5) Security measures (Art. 32, where ISO 27001 accelerates this).
6) Processes for data subject rights and breaches (incl. the 72 hours).
7) Ongoing governance: GDPR is permanent accountability, not a one-off project.

Firm boundary: GDPR isn't “issued” or “certified”. We guide you to compliance (with legal support where needed). For strictly legal aspects (opinions, contracts) we rely on qualified professionals, and we say so plainly.

GDPR, NIS2 and DORA: different things, different scopes

Often heard together, but not the same and not to be sold as one block. GDPR = personal data protection, extraterritorial, for anyone processing EU residents' data (this page's scope).

NIS2 = EU cybersecurity directive for “essential” and “important” entities; in Italy transposed by Legislative Decree 138/2024 (in force October 2024), authority ACN, with staggered registration and measures/reporting; it's about network and system security, not privacy, and only for in-scope entities.

DORA = EU digital operational resilience regulation for the financial sector (banks, insurers, fintechs and their ICT providers), applicable since January 2025, a sectoral scope. They can overlap (Art. 32 security vs NIS2 measures) but each has its own scope. Knowing which actually apply to you is the first, and only honest, step.

Common mistakes

  • “I'm not in the EU, so it doesn't apply”: wrong, it's about where the data subjects are, not where you are.
  • Confusing consent with legitimate interest: not everything needs consent, but the basis must be chosen and documented.
  • Treating GDPR as “the cookie banner”: it's full-spectrum data governance, not a banner.
  • Claiming to be “GDPR certified”: no such thing. Supporting certifications like ISO 27701 exist, but they aren't GDPR.
  • Ignoring the 72-hour breach window: a late notification is itself a violation.
  • Lumping GDPR, NIS2 and DORA into one bucket: their scopes differ; some may not apply to you at all.

GDPR: frequently asked

Does GDPR apply to companies outside the EU?

Yes. It has extraterritorial reach: it applies to controllers and processors established outside the EU when they offer goods or services to people in the EU or monitor their behaviour.

How high can fines go?

Up to €20 million or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches; €10 million or 2% for other violations (Art. 83).

Is GDPR a certification?

No. It's a law: you don't “obtain” it and there's no official “GDPR certificate”. You become compliant by meeting its requirements.

When is a DPO required?

In Art. 37 cases (e.g. large-scale systematic monitoring, large-scale special-category processing, public authorities).

Does ISO 27001 make me GDPR-compliant?

No, but it strongly helps with security measures (Art. 32). They're distinct.

How BastionSec supports you. GDPR is law: not “issued” or “certified”. We guide you to compliance: processing mapping, records, legal bases, notices, DPAs, DPIA, Art. 32 security measures (where our security expertise really shows), and processes for rights and breaches. And we tell you honestly whether NIS2 or DORA also apply to you, or don't at all. For strictly legal opinions we rely on qualified professionals.

Want support reaching EU compliance?

See our EU Compliance service (GDPR · NIS2 · DORA): each with its own scope, no one-size-fits-all bucket.