Introduction
The General Data Protection Regulation (GDPR) (EU 2016/679) is a landmark regulation governing data protection and privacy, effective from May 25, 2018. It aims to protect the personal data of European Union (EU) and European Economic Area (EEA) residents by regulating how organizations collect, process, store, and share data. For CLAT UG 2026, GDPR is critical in the Legal Reasoning section (application of data protection principles) and Current Affairs section (global impact, comparison with India’s DPDPA). These notes provide a detailed overview, key provisions, enforcement mechanisms, and relevance to CLAT, tailored to the exam’s passage-based question format.

Overview of GDPR
Purpose
The GDPR seeks to:
- Protect the privacy and personal data of EU/EEA residents.
- Empower individuals with control over their data through defined rights.
- Standardize data protection laws across EU member states.
- Ensure organizations adopt robust data protection practices.
Scope
The GDPR has an extraterritorial scope, applying to:
- Organizations in the EU/EEA processing personal data.
- Non-EU organizations processing data of EU/EEA residents for offering goods/services or monitoring behavior.
- Data controllers and processors, regardless of location.
Enforcement
- Effective Date: May 25, 2018, replacing the 1995 Data Protection Directive.
- Enforcement Bodies: Data Protection Authorities (DPAs) in each EU member state, coordinated by the European Data Protection Board (EDPB).
- Mechanisms: Investigations, audits, fines, and corrective orders.
Key Definitions
- Personal Data: Any information relating to an identifiable person (e.g., name, email, IP address, health records).
- Data Subject: The individual whose data is processed (e.g., customers).
- Data Controller: Entity deciding the purpose and means of processing (e.g., an e-commerce platform).
- Data Processor: Entity processing data on behalf of the controller (e.g., cloud provider).
- Processing: Any operation on personal data (e.g., collection, storage, sharing).
Core Principles of Data Processing
GDPR outlines seven principles (Article 5):
- Lawfulness, Fairness, Transparency: Processing must have a legal basis and be transparent to data subjects.
- Purpose Limitation: Data collected for specific, legitimate purposes cannot be repurposed.
- Data Minimization: Collect only data necessary for the purpose.
- Accuracy: Ensure data is accurate and updated.
- Storage Limitation: Retain data only as long as necessary.
- Integrity and Confidentiality: Protect data with security measures (e.g., encryption).
- Accountability: Controllers must demonstrate compliance through policies and records.
Data Subject Rights
GDPR grants data subjects the following rights (Articles 15–22):
- Right to Access: View data held by controllers.
- Right to Rectification: Correct inaccurate data.
- Right to Erasure: Request data deletion (“Right to be Forgotten”).
- Right to Restrict Processing: Limit data use in specific cases.
- Right to Data Portability: Transfer data to another controller.
- Right to Object: Oppose processing (e.g., for marketing).
- Rights regarding Automated Decision-Making: Protection from decisions based solely on automated processing (e.g., AI profiling).
Legal Basis for Processing
Processing is lawful if based on (Article 6):
- Consent: Freely given, specific, informed, and unambiguous.
- Contract: Necessary to fulfill a contract with the data subject.
- Legal Obligation: Required to comply with law.
- Vital Interests: Protect someone’s life.
- Public Task: Perform tasks in public interest.
- Legitimate Interests: Controller’s interests, balanced against data subject rights.
Question for General Data Protection Regulation (GDPR)
Try yourself:
What is the effective date of the GDPR?
Explanation
The effective date of the GDPR is May 25, 2018. This regulation was established to protect personal data and privacy in the EU and EEA.
Data Protection Officer (DPO)
- Role: Advise on GDPR compliance, monitor processing, liaise with DPAs.
- Appointment: Mandatory for public authorities or organizations with large-scale data processing.
- Qualifications: Expertise in data protection law and IT security.
Data Breach Notification
- Requirement: Notify DPA within 72 hours of a breach likely to risk data subjects’ rights (Article 33).
- Data Subject Notification: Inform data subjects if high risk (Article 34).
- Records: Maintain breach records for accountability.
Data Transfers Outside EU/EEA
- Restrictions: Transfers require safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules).
- Adequacy Decisions: EU recognizes certain countries’ laws as adequate (e.g., Canada, Japan).
- Key Case: Schrems II (2020) invalidated EU-US Privacy Shield, impacting data transfers.
Penalties and Enforcement
- Fines: Up to €20 million or 4% of annual global turnover for serious violations (Article 83).
- Other Measures: Orders to stop processing, compensate damages.
- Examples: Amazon (€746M, 2021), Google (€50M, 2019).
Key GDPR Concepts
Personal Data
Definition: Any information relating to an identified or identifiable individual (Article 4(1)). An identifiable individual is someone who can be directly or indirectly identified.
- Examples: Name, email address, phone number, location data, IP address, health records, biometric data, online identifiers.
- Scope: Broad, covering both direct (e.g., passport number) and indirect (e.g., browsing history linked to a user) data.
- GDPR Role: Personal data is the core of GDPR’s protections, requiring lawful processing, security, and data subject rights.
- Application: A company collecting customer names and addresses for deliveries must comply with GDPR if the customers are EU residents.
Data Subject
Definition: The individual whose personal data is processed, specifically EU/EEA residents under GDPR.
- Examples: Customers shopping online, employees providing HR data, website users sharing contact details.
- GDPR Role: Data subjects are granted rights (e.g., access, erasure) to control their data, central to GDPR’s privacy focus.
- Application: An EU resident using an Indian e-commerce platform is a data subject, entitled to GDPR protections if their data is processed.
Data Controller
Definition: The entity (individual or organization) determining the purposes and means of processing personal data (Article 4(7)).
- Examples: A company designing a marketing campaign using customer data, a hospital managing patient records.
- GDPR Role: Controllers are primarily responsible for GDPR compliance, including obtaining consent, ensuring security, and respecting data subject rights.
- Application: An Indian tech firm collecting EU users’ data for app analytics is a data controller, accountable for GDPR obligations.
Data Processor
Definition: The entity processing personal data on behalf of the data controller (Article 4(8)).
- Examples: Cloud service providers (e.g., AWS) storing data, third-party payroll firms processing employee data.
- GDPR Role: Processors act under the controller’s instructions, ensuring compliance with GDPR’s security and processing requirements.
- Application: A cloud provider hosting an EU company’s customer data is a processor, bound by GDPR but not deciding data use.
Consent
Definition: Freely given, specific, informed, and unambiguous permission from the data subject for processing their personal data (Article 4(11)).
- Requirements:
  - Freely Given: No coercion or imbalance of power.
  - Specific: Clear purpose of processing.
  - Informed: Data subject understands what they consent to.
  - Unambiguous: Clear affirmative action (e.g., ticking a box).
- GDPR Role: Consent is one of six legal bases for processing (Article 6), often required for marketing or sensitive data.
- Application: A website asking EU users to opt-in for targeted ads must obtain explicit consent, detailing the data use.
Data Breach
Definition: A security incident leading to unauthorized access, disclosure, alteration, or destruction of personal data (Article 4(12)).
- Examples: Hacking of customer databases, accidental email leaks, ransomware attacks.
- GDPR Role: Controllers must:
  - Notify the Data Protection Authority (DPA) within 72 hours if the breach is likely to risk data subjects’ rights (Article 33).
  - Inform data subjects if the breach poses a high risk (Article 34).
  - Maintain breach records for accountability.
- Application: An Indian firm processing EU data must notify the DPA within 72 hours if hackers access customer emails.
Question for General Data Protection Regulation (GDPR)
Try yourself:
What is the role of a Data Protection Officer (DPO)?
Explanation
Role of a Data Protection Officer (DPO):
- Advise on GDPR compliance
- Monitor data processing
- Liaise with Data Protection Authorities (DPAs)
Core GDPR Provisions
Article 5: Principles of Data Processing
Overview: Article 5 outlines seven principles governing personal data processing, ensuring compliance and accountability.
- Lawfulness, Fairness, Transparency: Processing must have a legal basis (e.g., consent), be fair, and transparent to data subjects.
- Purpose Limitation: Data collected for specific, legitimate purposes cannot be used otherwise.
- Data Minimization: Collect only data necessary for the purpose.
- Accuracy: Ensure data is accurate and updated.
- Storage Limitation: Retain data only as long as necessary.
- Integrity and Confidentiality: Protect data with security measures (e.g., encryption).
- Accountability: Controllers must demonstrate compliance through policies and records.
Application: An e-commerce platform collecting EU customers’ emails for orders must not use them for unrelated marketing without consent (purpose limitation).
Article 6: Lawful Basis for Processing
Overview: Processing personal data is lawful only if based on one of six bases (Article 6(1)):
- Consent: Freely given, specific, informed, and unambiguous, revocable at any time.
- Contract: Necessary to fulfill a contract with the data subject (e.g., processing payment details).
- Legal Obligation: Required to comply with law (e.g., tax reporting).
- Vital Interests: Protect someone’s life (e.g., medical emergencies).
- Public Task: Perform tasks in public interest (e.g., government services).
- Legitimate Interests: Controller’s interests, balanced against data subject rights (e.g., fraud prevention).
Articles 12–23: Rights of Data Subjects
Overview: These articles grant data subjects control over their personal data, ensuring privacy and transparency.
- Right to Access (Article 15): Request access to data held, including purposes and recipients.
- Right to Rectification (Article 16): Correct inaccurate or incomplete data.
- Right to Erasure (Article 17): Request data deletion (“Right to be Forgotten”) if data is no longer needed or consent is withdrawn.
- Right to Restrict Processing (Article 18): Limit processing in cases like disputed accuracy.
- Right to Data Portability (Article 20): Transfer data to another controller in a structured format.
- Right to Object (Article 21): Oppose processing for marketing or legitimate interests.
- Rights regarding Automated Decision-Making (Article 22): Protection from decisions based solely on automated processing (e.g., AI profiling).
Article 25: Data Protection by Design and Default
Overview: Organizations must integrate privacy protections into systems and processes from the outset.
- By Design: Incorporate technical and organizational measures (e.g., pseudonymization) during system development.
- By Default: Ensure only necessary data is processed, with strict privacy settings as default.
Application: A social media platform must enable privacy settings (e.g., private profiles) by default for EU users.
Article 28: Data Processors
Overview: Data processors must comply with GDPR and process data only under the controller’s documented instructions.
- Obligations: Ensure security, assist with data subject rights, and notify controllers of breaches.
- Contracts: Controllers and processors must have binding agreements outlining GDPR compliance.
Application: A cloud provider (processor) storing EU customer data for an Indian firm (controller) must follow GDPR-compliant instructions.
Article 32: Security of Processing
Overview: Controllers and processors must implement technical and organizational measures to ensure data security.
- Measures: Encryption, access controls, regular security testing.
- Risk-Based Approach: Security measures depend on data sensitivity and processing risks.
Application: An Indian firm processing EU health data must encrypt it to prevent unauthorized access.
Articles 33–34: Data Breach Notification
Overview: Controllers must report data breaches promptly to ensure accountability and mitigate harm.
- Article 33: Notify the Data Protection Authority (DPA) within 72 hours of a breach likely to risk data subjects’ rights.
- Article 34: Inform data subjects if the breach poses a high risk to their rights and freedoms.
- Records: Maintain breach records for accountability.
Application: An Indian company detecting a hack of EU customer data must notify the DPA within 72 hours.
Articles 44–50: Cross-Border Data Transfers
Overview: Data transfers outside the EU/EEA require safeguards to ensure GDPR-level protection.
- Safeguards: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs).
- Adequacy Decisions: EU recognizes countries with equivalent laws (e.g., Canada, Japan).
- Key Case: Schrems II (2020) invalidated EU-US Privacy Shield, requiring stricter transfer assessments.
GDPR Penalties and Enforcement
Fines
Overview: GDPR imposes significant fines to deter non-compliance and ensure accountability (Article 83).
- Two Tiers of Fines:
  - Lower Tier: Up to €10 million or 2% of annual global turnover (whichever is higher) for less severe violations, such as failing to maintain records or appoint a Data Protection Officer (DPO).
  - Higher Tier: Up to €20 million or 4% of annual global turnover (whichever is higher) for serious violations, such as breaching core principles (Article 5), unlawful processing (Article 6), or ignoring data subject rights (Articles 12–22).
- Factors for Fines: Severity, duration, intent, number of affected data subjects, mitigation efforts, and prior violations.
- Application: An Indian company processing EU data without consent risks a €20 million fine or 4% of turnover for violating Article 6.
High-Profile Fine Examples
Overview: GDPR’s enforcement has led to significant fines, showcasing its global impact.
- Google (€50 million, 2019): Fined by France’s CNIL for consent violations (Article 6), as Google’s consent mechanism for personalized ads lacked transparency and clarity.
- Amazon (€746 million, 2021): Fined by Luxembourg’s DPA for non-compliance with data processing principles (Article 5), particularly for behavioral advertising without adequate legal basis.
- Meta (€405 million, 2022): Fined by Ireland’s DPC for mishandling children’s data on Instagram, violating data protection by design (Article 25).
- TikTok (€345 million, 2023): Fined for improper handling of children’s data, breaching data subject rights and processing principles.
Application: These cases highlight GDPR’s focus on consent, transparency, and vulnerable groups, relevant for Indian firms processing EU data.
Data Protection Authorities (DPAs)
Overview: Each EU member state has an independent DPA to enforce GDPR and protect data subjects (Articles 51–59).
- Roles:
  - Investigate complaints and violations.
  - Issue fines and corrective orders (e.g., halt processing).
  - Advise organizations on GDPR compliance.
  - Handle data subject complaints (e.g., right to erasure requests).
- Coordination: DPAs collaborate via the European Data Protection Board (EDPB) for cross-border cases.
- Examples:
  - France’s CNIL (Google fine).
  - Ireland’s DPC (Meta, major tech firms due to Ireland’s tech hub status).
  - Luxembourg’s CNPD (Amazon fine).
- Application: An Indian firm facing a GDPR complaint for EU data misuse would deal with the DPA in the relevant EU state (e.g., Ireland for tech firms).
Other Enforcement Measures
Overview: Beyond fines, DPAs can impose corrective measures to ensure compliance (Article 58).
- Measures:
  - Orders to comply with data subject rights (e.g., erase data).
  - Bans on processing or data transfers.
  - Mandates to rectify systems or appoint a DPO.
  - Compensation to data subjects for damages (Article 82).
- Application: A company breaching GDPR may be ordered to stop processing EU data until compliance is ensured, alongside fines.
Comparison with India’s DPDPA
Overview: GDPR’s enforcement contrasts with DPDPA, offering a key comparison for CLAT.
Fines:
- GDPR: Up to €20 million or 4% of global turnover, significantly higher.
- DPDPA: Up to ₹250 crore (approx. €28 million), fixed and lower relative to global firms’ turnover.
Enforcement Bodies:
- GDPR: Independent DPAs in each EU state, coordinated by EDPB.
- DPDPA: Data Protection Board of India (DPBI), a single central body rather than a network of independent authorities.
Scope:
- GDPR: Extraterritorial, applying worldwide to any processing of EU/EEA residents’ personal data.
- DPDPA: Primarily India-focused, with limited extraterritorial reach.
- Context: India’s privacy framework, reinforced by the Puttaswamy case (2017), draws from GDPR but adapts to local needs.
Question for General Data Protection Regulation (GDPR)
Try yourself:
What is required for data processing to be considered lawful under GDPR?
Explanation
GDPR requires that personal data processing is lawful only if based on one of six bases, including:
- Consent: Freely given, specific, informed, and unambiguous.
- Other bases include contract necessity, legal obligation, vital interests, public task, and legitimate interests.
GDPR’s Global and Indian Relevance
Extraterritorial Application
Overview: GDPR applies to organizations worldwide processing personal data of EU/EEA residents, regardless of their location (Article 3).
- Scope:
  - Organizations in the EU/EEA processing personal data.
  - Non-EU organizations offering goods/services to EU residents or monitoring their behavior (e.g., tracking online activity).
- Impact on Global Businesses:
  - Indian tech firms (e.g., Infosys, Zomato) serving EU clients must comply with GDPR, including consent (Article 6) and data subject rights (Articles 12–23).
  - Non-compliance risks fines up to €20 million or 4% of global turnover (Article 83).
- Application: An Indian e-commerce platform targeting EU customers with personalized ads must obtain explicit consent and ensure data security under GDPR.
Influence on DPDPA, 2023
Overview: GDPR inspired key aspects of India’s DPDPA, 2023, but differences in enforcement and scope exist, reflecting India’s unique context.
Similarities:
- Consent: Both require informed, specific consent for data processing (GDPR Article 6; DPDPA Section 6).
- Data Subject Rights: Rights to access, rectification, erasure, and portability align (GDPR Articles 12–23; DPDPA Sections 11–13).
- Data Minimization: Collect only necessary data (GDPR Article 5; DPDPA Section 5).
Differences:
- Scope: GDPR applies to all personal data (digital and non-digital); DPDPA is limited to digital personal data.
- Enforcement: GDPR’s fines reach €20 million or 4% of global turnover; DPDPA’s cap at ₹250 crore (approx. €28 million) is lower.
- Government Exemptions: DPDPA allows exemptions for government entities (Section 17); GDPR applies uniformly, with limited exceptions.
- Extraterritoriality: GDPR’s global reach contrasts with DPDPA’s focus on data processed in India or by Indian entities.
Comparison with IT Rules, 2011
Overview: The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, were India’s pre-DPDPA data protection framework, with a narrower scope and weaker enforcement compared to GDPR.
Scope:
- IT Rules, 2011: Apply only to body corporates and intermediaries handling sensitive personal data or information (SPDI) (e.g., financial data, biometrics).
- GDPR: Comprehensive, covering all personal data (digital and non-digital) for EU residents, with extraterritorial reach.
Consent:
- IT Rules, 2011: Require informed consent for SPDI collection (Rule 5), but enforcement was weak.
- GDPR: Mandates explicit, revocable consent (Article 6), with strict compliance via Data Protection Authorities (DPAs).
Penalties:
- IT Rules, 2011: Compensation for negligence under Section 43A of the IT Act, 2000, with no fixed fines, leading to inconsistent enforcement.
- GDPR: Fines up to €20 million or 4% of global turnover, ensuring strong deterrence.
Security Practices:
- IT Rules, 2011: Mandate reasonable security practices (Rule 8), but lack detailed standards.
- GDPR: Requires robust measures like encryption and regular audits (Article 32).
- Gaps Highlighted by GDPR: IT Rules’ limited scope (excluding government entities), lack of a dedicated enforcement body, and weaker penalties underscored the need for DPDPA’s comprehensive framework.
GDPR Landmark Cases and Incidents
Schrems I and Schrems II Cases
The Schrems I and Schrems II cases are pivotal in the realm of data protection law, particularly concerning cross-border data transfers between the European Union (EU) and the United States (US). These cases, initiated by Austrian privacy activist Max Schrems, challenged the adequacy of US data protection frameworks, impacting global data transfer mechanisms.
Schrems I (2015)
- Background: Max Schrems filed a complaint against Facebook Ireland, alleging that the transfer of his personal data from the EU to the US under the Safe Harbour framework violated his privacy rights, especially in light of US surveillance programs revealed by Edward Snowden.
- Issue: The Safe Harbour agreement allowed companies to transfer data between the EU and US, but Schrems argued it failed to provide adequate protection against US government surveillance.
- Outcome: The European Court of Justice (ECJ) invalidated the Safe Harbour framework in 2015, ruling that it did not ensure an adequate level of protection for EU citizens' data as required by EU law.
- Impact: Companies had to rely on alternative mechanisms like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for data transfers, prompting a reevaluation of transatlantic data flows.
Schrems II (2020)
- Background: Following Schrems I, the EU and US introduced the Privacy Shield framework to replace Safe Harbour. Schrems challenged this new framework, again targeting Facebook’s data transfers.
- Issue: Schrems argued that Privacy Shield, like Safe Harbour, failed to protect EU data from US surveillance, particularly under laws like Section 702 of the FISA Amendments Act.
- Outcome: The ECJ invalidated Privacy Shield in July 2020, citing inadequate protections. The court also upheld SCCs but required case-by-case assessments to ensure compliance with EU data protection standards.
- Impact: Businesses faced increased scrutiny over data transfers, necessitating robust compliance measures. The ruling emphasized the EU’s stringent approach to data protection and the need for equivalence in third-country laws.
Notable GDPR Fines
The General Data Protection Regulation (GDPR), implemented in 2018, empowers EU regulators to impose significant fines for non-compliance. The following cases illustrate GDPR’s enforcement rigor and serve as critical examples for CLAT preparation.
Amazon (€746 million, 2021)
- Violation: Luxembourg’s data protection authority (CNPD) fined Amazon for non-compliant data processing practices, specifically related to its use of personal data for targeted advertising without proper user consent.
- Details: The fine was one of the largest under GDPR, reflecting Amazon’s extensive data processing operations and the scale of the violation.
- Significance: This case underscores the importance of obtaining explicit, informed consent for data processing, particularly in industries reliant on user data for monetization.
Meta (€405 million, 2022)
- Violation: Ireland’s Data Protection Commission (DPC) fined Meta for mishandling children’s data on Instagram, including the public disclosure of minors’ email addresses and phone numbers.
- Details: The investigation revealed that Instagram’s default settings and data processing practices violated GDPR’s strict requirements for protecting vulnerable users, such as minors.
- Significance: This case highlights GDPR’s focus on safeguarding children’s data and the accountability of social media platforms in managing sensitive information.
Key for CLAT: Study these fines to grasp GDPR’s enforcement mechanisms. Focus on the principles of consent, transparency, and special protections for vulnerable groups (e.g., children). These cases demonstrate the financial and reputational risks of non-compliance.
Indian Context
While GDPR is an EU regulation, its extraterritorial scope affects Indian companies and data breaches involving EU residents. Understanding its relevance in India is crucial for CLAT aspirants, especially in the context of global business and data protection laws.
GDPR Compliance for Indian Companies
- Applicability: Indian IT firms like Tata Consultancy Services (TCS), Infosys, and Wipro, which serve EU clients, must comply with GDPR when processing personal data of EU residents.
- Requirements: These companies must implement GDPR-compliant measures, such as data minimization, lawful processing, and robust security protocols, to avoid penalties.
- Challenges: Compliance involves significant costs for updating systems, training staff, and appointing Data Protection Officers (DPOs). Non-compliance risks fines and loss of EU contracts.
Indian Data Breach Cases and GDPR Relevance
- Air India Data Breach (2021): A cyberattack exposed personal data of approximately 4.5 million passengers, including names, passport details, and credit card information.
- GDPR Implications: If EU residents were affected, Air India could face GDPR scrutiny for failing to implement adequate security measures, as required under Article 32 (security of processing).
- Lessons: Indian companies handling global data must adopt GDPR-like standards to mitigate risks, especially in light of India’s own evolving data protection laws (e.g., the Digital Personal Data Protection Act, 2023).
Example: An Indian BPO handling customer data for a German bank must ensure GDPR compliance by encrypting data, obtaining consent for processing, and reporting breaches within 72 hours. Failure to do so could result in fines up to €20 million or 4% of annual global turnover.