Global Privacy Laws: EU GDPR

Overview

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union in 2018 to protect personal data and privacy. It governs how organizations collect, store, process, and share the personal information of individuals within the EU, regardless of where the organization is located. The GDPR emphasizes transparency, accountability, and user control, requiring clear consent for data use, the right to access and delete data, and strict data security measures. Non-compliance can result in substantial fines, making GDPR a key standard for data protection worldwide.

Key Dates

  • Signed into law: April 27, 2016
  • Effective date: May 25, 2018

Thresholds

The GDPR applies to any organization, regardless of size or location, if it meets at least one of the following thresholds:

  • Established in the EU – The organization processes personal data in the context of activities of an establishment in the EU, regardless of where the data processing takes place.
  • Offers goods or services to individuals in the EU – Even if the organization is not based in the EU, it falls under GDPR if it targets EU residents, e.g., by offering a website in an EU language, accepting EU currency, or marketing to the EU.
  • Monitors behavior of individuals in the EU – This includes tracking individuals online (e.g., cookies, analytics, profiling) within the EU, regardless of where the company is based.

Consumer Rights

  • Right to be Informed – Individuals must be clearly informed about how their data is collected, used, stored, and shared
  • Right of Access – Individuals can request access to the personal data an organization holds about them
  • Right to Rectification – Individuals can have inaccurate or incomplete personal data corrected
  • Right to be Forgotten – Individuals can request the deletion of their personal data under certain conditions (e.g., no longer necessary, consent withdrawn)
  • Right to Restrict Processing – Individuals can request that the processing of their data be limited while a dispute or correction is resolved
  • Right to Data Portability – Individuals can obtain and reuse their personal data across different services in a commonly used, machine-readable format
  • Right to Object – Individuals can object to the processing of their data for certain purposes, such as direct marketing or profiling
  • Rights Related to Automated Decision-Making and Profiling – Individuals have the right not to be subject to decisions made solely by automated processes, including profiling, if those decisions have legal or significant effects

Sensitive Data

Under GDPR, sensitive data is also referred to as special category data. It is a subset of personal data that, because of its nature, requires extra protection. Special category data includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (when used to uniquely identify a person)
  • Health data
  • Sexual orientation

Penalties

  • Up to €10 million, or 2% of the company’s global annual revenue (whichever is higher) – for violations such as improper record keeping, failing to notify authorities of a breach, or failing to conduct impact assessments.
  • Up to €20 million, or 4% of the company’s global annual revenue (whichever is higher) – for serious violations, such as breaching core principles (like data minimization or lawfulness of processing), ignoring data subject rights, or transferring data unlawfully.
  • In addition to financial penalties, regulators can impose other measures like warnings, bans on data processing, or orders to correct or delete data.

Regional Settings

Regions are used to customize the behavior and experience based on an individual user’s location. For example, regions let you provide different experiences to users based on regional differences (like GDPR in the EU vs. CCPA in California). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences under different laws (like CCPA in California).

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Express
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Off
  • Enable Do Not Sell Consent: Off
  • Enable Global Privacy Control: Off

Current GDPR requirements do not explicitly require Do Not Sell or Global Privacy Control, but you can enable these features if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since regulations like CCPA/CPRA do require Do Not Sell and Global Privacy Control.
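To make the two behaviours above concrete (the most granular matching region rule wins, and Express consent with Strict blocking keeps tags off until the visitor opts in), here is an added illustration in JavaScript. It is not Concord's code: the rule structure, the `implied`/`relaxed` setting values and the mapping of consent mode to Google Consent Mode V2 defaults are assumptions of this model, and the rules are constructed sample data.

```javascript
// Added model (not Concord's code); rules, setting values and the granted/denied
// mapping below are assumptions, constructed for illustration.
// A rule with states is more specific than a country-only rule, which beats the global rule.
const SAMPLE_RULES = [
  { name: 'Global',
    settings: { consentMode: 'express', blockingMode: 'strict', doNotSell: false, gpc: false } },
  { name: 'EU (GDPR)', countries: ['DE', 'FR', 'IE'],
    settings: { consentMode: 'express', blockingMode: 'strict', doNotSell: false, gpc: false } },
  { name: 'US', countries: ['US'],
    settings: { consentMode: 'implied', blockingMode: 'relaxed', doNotSell: true, gpc: true } },
  { name: 'California (CCPA)', countries: ['US'], states: ['CA'],
    settings: { consentMode: 'express', blockingMode: 'strict', doNotSell: true, gpc: true } },
];

// Granularity score: global = 0, country = 1, country + state/province = 2.
function granularity(rule) {
  return (rule.countries ? 1 : 0) + (rule.states ? 1 : 0);
}

// Return the most granular rule that matches the visitor's resolved location.
function matchRegion(location, rules) {
  const matches = rules.filter((r) =>
    (!r.countries || r.countries.includes(location.country)) &&
    (!r.states || r.states.includes(location.state)));
  if (matches.length === 0) throw new Error('no region rule matched; keep a global fallback rule');
  return matches.reduce((best, r) => (granularity(r) > granularity(best) ? r : best));
}

// Google Consent Mode v2 default signals (the four keys are the real signal names).
// Modelled assumption: Express consent starts every signal 'denied' until the visitor
// opts in; the assumed 'implied' mode starts them 'granted' until the visitor opts out.
function consentDefaults(settings) {
  const value = settings.consentMode === 'express' ? 'denied' : 'granted';
  return { ad_storage: value, ad_user_data: value, ad_personalization: value, analytics_storage: value };
}

// Basic Consent Mode with Strict blocking: a tag does not execute until the signal it
// depends on is 'granted' (Advanced mode, which loads tags with denied defaults, is not modelled).
function mayLoadTag(tagSignal, consentState) {
  return consentState[tagSignal] === 'granted';
}

// Apply the consent update the banner issues once the visitor makes a choice.
function applyUpdate(consentState, update) {
  return { ...consentState, ...update };
}
```

A visitor resolved to Germany gets the EU rule and all four signals start denied, so an analytics tag stays unloaded until an update grants `analytics_storage`; a visitor in California matches the state-level rule over the country-level US rule.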

For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend either a single global policy that meets the strictest guidelines across regions, or a coarse split (like separate GDPR and United States regions), adding further regions only for stricter states like California if needed. If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.