What is the GDPR, in plain language?
The GDPR is the EU privacy law in force since 25 May 2018. One law, directly applicable in every EU/EEA country, governing what anyone may do with your personal data.
The GDPR (General Data Protection Regulation, 2016/679) is the EU’s privacy law, in force since 25 May 2018. It is a regulation, not a directive — it applies directly and identically in every EU country, plus Norway, Iceland and Liechtenstein via the EEA. The UK kept its own near-identical copy (“UK GDPR”); Switzerland’s revised FADP and Albania’s data-protection law are closely modelled on it. What does it govern? Everything organisations do with your personal data: collecting, storing, using, sharing, selling. Who must comply? Every organisation in Europe — and every organisation anywhere in the world that offers goods or services to people in the EU or monitors their behaviour (Art. 3). US big tech and Chinese webshops included. The six principles (Art. 5): lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality. Behind them: accountability — the organisation must be able to prove it complies. Your rights: access, rectification, erasure, restriction, portability, objection, protection against purely automated decisions, and the right to complain to a supervisory authority — each explained in our Your rights section. Teeth: fines up to €20 million or 4% of global annual turnover, whichever is higher (Art. 83). Meta, Amazon, TikTok and Google have all received nine-figure GDPR fines.
Verified against the sources above on 18 July 2026. Information, not legal advice.