Standard Overview
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law of the European Union that took effect on 25 May 2018. It governs how organizations collect, use, store, share, and protect the personal data of individuals in the EU and the European Economic Area (EEA). Although it is an EU regulation, the GDPR has extraterritorial effect: any organization anywhere in the world that processes the personal data of EU residents must comply. The regulation has fundamentally changed the global approach to data privacy, giving individuals unprecedented control over their personal information and imposing strict accountability requirements on data controllers and processors.
The GDPR is built on seven core principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must have a lawful basis for processing (such as consent, contract, legal obligation, or legitimate interests), implement appropriate technical and organizational measures to keep data secure, carry out Data Protection Impact Assessments (DPIAs) for high-risk processing, appoint a Data Protection Officer where required, and report personal data breaches to the supervisory authority within 72 hours. Non-compliance can result in fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. The regulation also grants individuals rights, including the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to data portability, and the right to object to processing.
Extraterritorial Reach
Applies to any organization worldwide that processes personal data of EU/EEA residents, regardless of where the company is based.
Data Subject Rights
Grants individuals rights to access, rectify, erase, port, and restrict processing of their personal data.
Enforcement & Fines
Supervisory authorities can impose fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.
Core Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Who Needs to Comply?
Any organization worldwide that collects, processes, or stores personal data of EU/EEA residents — including companies with no physical presence in Europe.
Key Requirements
Lawful Basis for Processing
Organizations must establish a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) before processing any personal data.
Data Protection Impact Assessments
Required for high-risk processing activities. Organizations must assess risks to individuals and implement measures to mitigate them before processing begins.
Breach Notification
Data breaches must be reported to the supervisory authority within 72 hours. Affected individuals must also be notified if the breach poses a high risk.
Data Protection Officer (DPO)
Mandatory for public authorities and organizations conducting large-scale systematic monitoring or processing special category data.
International Data Transfers
Transfers outside the EEA require adequate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or adequacy decisions.
Penalties & Enforcement
Fines up to EUR 20 million or 4% of global annual turnover (whichever is higher). Supervisory authorities can also order processing bans and data erasure.