DOMAIN:PRIVACY:GDPR_IMPLEMENTATION

OWNER: julian
ALSO_USED_BY: aimee, eric, victoria
UPDATED: 2026-03-26
SCOPE: practical GDPR implementation for all client projects


OVERVIEW

GDPR (Regulation (EU) 2016/679) is the foundation of EU data protection.
It applies to virtually every GE client project that processes personal data.
This page covers implementation details beyond the index page's Art. 25/32/35 coverage.

ENFORCEMENT_SCALE: EUR 5.88 billion cumulative fines since 2018.
2024_ALONE: EUR 1.2 billion in fines issued.

PROPOSED_REFORM: EU Digital Omnibus (Q4 2025) proposes first GDPR amendments.
TIMELINE: formal proposals 2027-2028, implementation 2031+.
CHANGES: RoPA exemption raised to <750 employees, cookie consent standardisation, AI processing clarification.


LAWFUL BASES FOR PROCESSING (Art. 6)

Every processing purpose MUST have a lawful basis identified before processing starts.
The basis cannot be swapped afterwards, and choosing the wrong one has cascading consequences
for data subject rights (which rights apply, whether portability is available, whether objection is possible).

(a) CONSENT

REQUIREMENTS:
- freely given (no imbalance of power, no bundling with service)
- specific (per purpose, not blanket)
- informed (clear explanation of what and why)
- unambiguous (affirmative action, no pre-ticked boxes)
- withdrawable (as easy to withdraw as to give)
- documented (evidence of when, how, what consented to)

USE_FOR: marketing emails, analytics cookies, optional features, newsletter
DO_NOT_USE_FOR: processing necessary for contract performance (use Art. 6(1)(b) instead)

TRAP: using consent when another basis (contract, legal obligation, legitimate interest) already covers the processing: consent can be withdrawn at any time, and the controller cannot then fall back on the other basis.
TRAP: bundling consent with T&C acceptance — not freely given.

(b) CONTRACT PERFORMANCE

REQUIREMENTS: processing genuinely necessary to perform a contract with the data subject
USE_FOR: delivering the purchased service, account management, billing, support
SCOPE: strictly what is necessary — not "nice to have" features

TRAP: stretching "contract performance" to cover analytics, personalisation or marketing: DPAs reject this (EDPB Guidelines 2/2019).

(c) LEGAL OBLIGATION

REQUIREMENTS: processing required by EU or Member State law to which the controller is subject
USE_FOR: tax record retention, AML/KYC obligations, employment law requirements
MUST: identify the specific legal provision requiring the processing

(d) VITAL INTERESTS

REQUIREMENTS: necessary to protect life of data subject or another person
USE_FOR: emergency situations only — extremely narrow application
NOT_FOR: general health monitoring or wellness features

(e) PUBLIC INTEREST / OFFICIAL AUTHORITY

REQUIREMENTS: processing necessary for task in public interest or exercise of official authority
USE_FOR: government services, public health, research in public interest
REQUIRES: basis in EU or Member State law

(f) LEGITIMATE INTEREST

REQUIREMENTS: three-part balancing test
1. LEGITIMATE: identify specific legitimate interest (must be real, not hypothetical)
2. NECESSARY: processing must be necessary for that interest (not just useful)
3. BALANCING: interest does not override fundamental rights of data subject

USE_FOR: fraud prevention, network security, direct marketing (existing customers), internal analytics
MUST: document the balancing test (LIA — Legitimate Interest Assessment)

EDPB_GUIDANCE (Opinion 28/2024): legitimate interest CAN be basis for AI training but requires full three-step assessment.
TRAP: using legitimate interest as default without documenting LIA.
TRAP: legitimate interest is NOT valid for setting or reading non-essential cookies or other tracking on terminal equipment: ePrivacy Directive Art. 5(3) requires consent there, and EDPB Guidelines 1/2024 confirm Art. 6(1)(f) cannot override it.


DATA SUBJECT RIGHTS

All rights must be responded to within 1 month of receipt (extendable by 2 further months for complex or numerous requests,
but the data subject must be told of the extension and the reason within the first month, Art. 12(3)).
Free of charge (unless manifestly unfounded or excessive, Art. 12(5)).
Must verify identity of requester before fulfilling, but only proportionately: ask for additional information
where there are reasonable doubts (Art. 12(6)), not a copy of an ID document as a matter of routine.

RIGHT OF ACCESS (Art. 15)

WHAT: confirmation of processing + copy of personal data + supplementary information
SUPPLEMENTARY: purposes, categories, recipients, retention period, source, existence of automated decisions
FORMAT: commonly used electronic format if requested electronically
VOLUME: must provide ALL personal data (not just a summary), but the copy must not adversely affect the rights of others (Art. 15(4)): redact third-party personal data and trade secrets rather than refusing the request.

IMPLEMENTATION:
CHECK: data export functionality in all systems
CHECK: ability to compile data across multiple databases/services
CHECK: response template with all required supplementary information
CHECK: identity verification before disclosure

RIGHT TO RECTIFICATION (Art. 16)

WHAT: correction of inaccurate data + completion of incomplete data
TIMELINE: without undue delay
MUST: notify each recipient of rectification (unless disproportionate effort)

RIGHT TO ERASURE / RIGHT TO BE FORGOTTEN (Art. 17)

WHEN_APPLICABLE:
- data no longer necessary for original purpose
- consent withdrawn (and no other legal basis exists)
- data subject objects (Art. 21) and no overriding legitimate grounds
- data processed unlawfully
- legal obligation to erase
- child's data collected for information society service

EXCEPTIONS (Art. 17(3)): freedom of expression and information, legal obligation or public task, public health, archiving/research/statistics, legal claims
MUST: erase from all systems including backups (within a reasonable, documented time for backups; a per-subject key that is destroyed on request makes backup copies unreadable without rewriting them)
MUST: inform other controllers who received the data, and, where the data was made public, take reasonable steps to inform controllers processing copies (Art. 17(2), Art. 19)

IMPLEMENTATION:
CHECK: deletion mechanism in all databases
CHECK: backup deletion or cryptographic erasure strategy
CHECK: propagation to processors and sub-processors
CHECK: search engine de-indexing request capability
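Worked example of the "cryptographic erasure strategy" in the checklist above. This is an added illustration for this page, not GE client code or code from any project. It keeps one data-encryption key (DEK) per data subject in a vault; records are encrypted with that key and may be copied anywhere, including immutable backups. Fulfilling an Art. 17 request then means destroying the DEK, after which every copy of that subject's records is unreadable while other subjects' data is unaffected. The names KeyVault, Blob, encrypt_record, decrypt_record and erase_subject are illustrative, and the sample records are constructed. The cipher (HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag) is used only so the example runs with the Python standard library; a real deployment would use AES-GCM from a vetted library and a KMS/HSM-backed vault with an audited key-deletion log.

```python
"""Crypto-shredding for Art. 17 erasure: destroy the per-subject key, not the backups.

Added example for this page; names and sample data are illustrative, not client code.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

BLOCK = 32  # HMAC-SHA256 output size, used as the keystream block size


def _derive(dek: bytes, label: bytes) -> bytes:
    # Split the subject's DEK into independent encryption and MAC keys.
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block i = HMAC(enc_key, nonce || i). Stand-in for AES-CTR.
    out = bytearray()
    for counter in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


@dataclass(frozen=True)
class Blob:
    subject_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class KeyVault:
    """One DEK per data subject. Only the vault is ever wiped; blobs may sit in backups."""

    def __init__(self) -> None:
        self._deks: dict[str, bytes] = {}
        self.erasure_log: list[str] = []  # evidence for the DSAR file

    def key_for(self, subject_id: str) -> bytes:
        # Lazily create a fresh 256-bit DEK on first use.
        return self._deks.setdefault(subject_id, secrets.token_bytes(32))

    def has_key(self, subject_id: str) -> bool:
        return subject_id in self._deks

    def erase_subject(self, subject_id: str) -> None:
        # Destroying the DEK is the erasure; no backup has to be rewritten.
        self._deks.pop(subject_id, None)
        self.erasure_log.append(subject_id)


def encrypt_record(vault: KeyVault, subject_id: str, record: dict) -> Blob:
    dek = vault.key_for(subject_id)
    enc_key, mac_key = _derive(dek, b"enc"), _derive(dek, b"mac")
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return Blob(subject_id, nonce, ciphertext, tag)


def decrypt_record(vault: KeyVault, blob: Blob) -> dict:
    """Raises KeyError once the subject's DEK is gone, ValueError if the blob was tampered with."""
    if not vault.has_key(blob.subject_id):
        raise KeyError(f"no key for {blob.subject_id}: data is cryptographically erased")
    dek = vault.key_for(blob.subject_id)
    enc_key, mac_key = _derive(dek, b"enc"), _derive(dek, b"mac")
    expected = hmac.new(mac_key, blob.nonce + blob.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob.tag):
        raise ValueError("authentication failed")
    plaintext = bytes(c ^ k for c, k in zip(blob.ciphertext, _keystream(enc_key, blob.nonce, len(blob.ciphertext))))
    return json.loads(plaintext)


def demo() -> dict:
    """Store two subjects, snapshot a backup, erase one subject, report what each backup copy yields."""
    vault = KeyVault()
    live = [
        encrypt_record(vault, "sub-1", {"email": "a@example.org", "plan": "pro"}),   # constructed sample
        encrypt_record(vault, "sub-2", {"email": "b@example.org", "plan": "free"}),  # constructed sample
    ]
    backup = list(live)  # immutable backup copy taken before the erasure request arrives
    vault.erase_subject("sub-1")
    result = {}
    for blob in backup:
        try:
            result[blob.subject_id] = decrypt_record(vault, blob)
        except KeyError:
            result[blob.subject_id] = None  # unreadable: erasure holds in the backup too
    return result


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from this design: the vault's deletion log is what you hand over as evidence that the request was fulfilled, and the vault itself (not the backups) must be protected against restore, so its own backups need a shorter retention than the data backups or the erased keys reappear.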

RIGHT TO DATA PORTABILITY (Art. 20)

WHEN: processing based on consent or contract AND carried out by automated means
FORMAT: structured, commonly used, machine-readable (JSON, CSV, XML)
INCLUDES: right to transmit directly to another controller where technically feasible

IMPLEMENTATION:
CHECK: data export in machine-readable format
CHECK: API or direct transfer mechanism where feasible
CHECK: export includes only data "provided by" the data subject, which covers both data actively entered and data observed from their use of the service (activity logs, device data), but not inferred or derived data such as scores or profiles (WP29/EDPB portability guidelines, WP242)

RIGHT TO RESTRICTION OF PROCESSING (Art. 18)

WHEN: accuracy contested, processing unlawful but subject opposes erasure,
controller no longer needs data but subject needs it for legal claims,
subject has objected (pending verification)
EFFECT: data may be stored but otherwise processed only with the subject's consent, for legal claims, to protect another person's rights, or for important public interest (Art. 18(2)); the subject must be informed before the restriction is lifted (Art. 18(3))
IMPLEMENTATION: a per-record restriction flag that every processing path (analytics jobs, exports, marketing selects) checks, not just the UI

RIGHT TO OBJECT (Art. 21)

SCOPE: processing based on legitimate interest or public interest
DIRECT_MARKETING: absolute right — must cease immediately upon objection
OTHER_PROCESSING: controller must demonstrate compelling legitimate grounds
MUST: inform of this right explicitly at time of first communication

RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Art. 22)

SCOPE: decisions based solely on automated processing producing legal or similarly significant effects
EXCEPTIONS: necessary for contract, authorised by law, explicit consent
IF EXCEPTION APPLIES: must implement safeguards (human intervention, express point of view, contest)

EDPB (Apr 2025): LLMs rarely achieve anonymisation standards — deployers of third-party LLMs must conduct comprehensive assessments.


DPIA PROCESS (Art. 35)

WHEN REQUIRED

MANDATORY when processing "likely to result in high risk to rights and freedoms."

ALWAYS_REQUIRED:
- systematic/extensive automated evaluation with legal/similar effects (profiling)
- large-scale processing of special category data (Art. 9) or criminal data (Art. 10)
- systematic large-scale monitoring of publicly accessible area
- AI/ML processing personal data (practical consensus among DPAs)
- new technology deployment with personal data
- cross-matching or combining datasets
- data concerning vulnerable individuals (children, employees, patients)

DUTCH_DPA_MANDATORY_LIST:
- large-scale monitoring of employee activities
- profiling/forecasting based on personal characteristics
- website visitor tracking used to create profiles

DPIA METHODOLOGY

  1. DESCRIPTION: systematic description of processing operations and purposes
  2. NECESSITY: assessment of necessity and proportionality
  3. RISK_ASSESSMENT: assessment of risks to rights and freedoms
  4. MITIGATION: measures to address risks (safeguards, security, mechanisms for rights)

DPIA TIMING

DISCOVERY: run trigger checklist as ideas enter roadmap
DESIGN: launch full DPIA while architecture remains flexible
BUILD: track mitigation items as engineering tasks
PRE-LAUNCH: confirm controls exist, reassess residual risk; if residual risk is still high, consult the supervisory authority before processing starts (Art. 36)
POST-LAUNCH: revisit when scope, technology, or data inputs change

PROPOSED REFORM (EU Digital Omnibus)

EDPB to prepare EU-level DPIA lists (replacing fragmented national lists).
Commission to adopt common DPIA template and methodology via implementing acts.
TIMELINE: 2027-2028 proposal, 2031+ implementation.


RECORDS OF PROCESSING ACTIVITIES (Art. 30)

CONTROLLER RECORDS MUST CONTAIN

CHECK: name and contact details of controller (and DPO if applicable)
CHECK: purposes of processing
CHECK: categories of data subjects
CHECK: categories of personal data
CHECK: categories of recipients
CHECK: transfers to third countries (including safeguards)
CHECK: envisaged time limits for erasure (retention periods)
CHECK: general description of technical and organisational security measures

PROCESSOR RECORDS MUST CONTAIN

CHECK: name and contact of processor and each controller on whose behalf processing occurs
CHECK: categories of processing carried out on behalf of each controller
CHECK: transfers to third countries
CHECK: general description of security measures

EXEMPTION

CURRENT (Art. 30(5)): organisations with <250 employees are exempt UNLESS the processing is likely to result in a risk to rights and freedoms,
is not occasional, or includes special categories or criminal data. In practice the exemption almost never applies:
routine HR, customer and payroll processing is not occasional, so assume a RoPA is required.
PROPOSED (Digital Omnibus): raised to <750 employees with risk threshold raised to "high risk"

IMPLEMENTATION

TOOL: maintain RoPA in structured format (spreadsheet minimum, GRC tool preferred)
FREQUENCY: update when new processing activity added or existing one changes
AUDIT: review completeness at least annually
LINK: each RoPA entry should reference applicable DPIA (if any) and DPA (if processor involved)


DPO REQUIREMENTS (Art. 37-39)

WHEN DPO IS MANDATORY

  • public authority or body (except courts)
  • core activities require regular, systematic, large-scale monitoring of data subjects
  • core activities involve large-scale processing of special category data or criminal data

DPO RESPONSIBILITIES

  • inform and advise controller/processor on GDPR obligations
  • monitor compliance
  • advise on and monitor DPIAs
  • cooperate with supervisory authority
  • act as contact point for supervisory authority and data subjects

DPO INDEPENDENCE

MUST: report to highest management level
MUST NOT: receive instructions regarding exercise of tasks
MUST NOT: be dismissed or penalised for performing tasks
MAY: fulfil other tasks (if no conflict of interest)
MAY: be external (contracted DPO)

GE_APPROACH: external DPO recommended for GE and most SME clients.
COST: EUR 5,000-15,000/year for external DPO service (NL market).


SPECIAL CATEGORY DATA (Art. 9)

CATEGORIES: racial/ethnic origin, political opinions, religious/philosophical beliefs,
trade union membership, genetic data, biometric data (for identification),
health data, sex life or sexual orientation

GENERAL_RULE: processing prohibited (Art. 9(1))
EXCEPTIONS (Art. 9(2)): explicit consent, employment/social security law, vital interests (subject unable to consent),
legitimate activities of not-for-profit bodies (political, philosophical, religious, trade union) for their members,
data manifestly made public by the subject, legal claims, substantial public interest, healthcare, public health,
archiving/research/statistics

IF client project processes special category data: an Art. 9(2) exception is needed IN ADDITION to an Art. 6 basis,
DPIA mandatory if large-scale, DPO required if large-scale processing is a core activity (Art. 37),
enhanced security measures, explicit consent or a narrow, documented exception.


CHILDREN'S DATA

EU_DEFAULT: 16 years
MEMBER_STATE_VARIATION: may lower to 13 years
NETHERLANDS: 16 years (no lowering)
GERMANY: 16 years
FRANCE: 15 years
BELGIUM: 13 years

REQUIREMENTS

BELOW_CONSENT_AGE: parental/guardian consent required where the lawful basis is consent for an information society service offered directly to a child (Art. 8); with another lawful basis Art. 8 does not apply, but the child-specific transparency and balancing duties still do
VERIFICATION: reasonable efforts to verify parental consent (age-appropriate)
PRIVACY_NOTICE: must be in clear, plain language understandable by children
PROFILING: generally prohibited for marketing to children (also DSA Art. 28)


ENFORCEMENT PRIORITIES (2025-2026)

DUTCH_DPA (AP):
1. algorithms / AI
2. Big Tech
3. data trading / brokering
4. digital government
5. unlawful online tracking

HEALTHCARE: average penalties jumped to EUR 203,000/violation (from EUR 17,500) — driven by ransomware incidents linked to missing DPIAs.


READ_ALSO: domains/privacy/index.md, domains/privacy/privacy-by-design.md, domains/privacy/data-processing-agreements.md