GDPR — A Comprehensive Guide to the General Data Protection Regulation
The General Data Protection Regulation (GDPR) is the most important piece of legislation governing personal data protection in Europe. It has been in force since 25 May 2018 and applies to virtually every company, institution, and organisation that processes the personal data of individuals in the European Union.
This guide explains the key aspects of the GDPR in practical terms — with references to specific articles of the Regulation, decisions of the Polish Data Protection Authority (UODO), and guidelines issued by the European Data Protection Board (EDPB). It is intended both for business owners and DPOs who want to understand their obligations, and for legal professionals interested in specialising in data protection.
What Is the GDPR and Who Does It Apply To?
The GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) is an EU regulation that applies directly in all EU Member States — it does not require transposition into national law, although individual countries may supplement certain provisions (in Poland, this is done by the Act of 10 May 2018 on the Protection of Personal Data).
The GDPR applies to your organisation if you meet at least one of the following conditions:
- You are established in the EU and process personal data — regardless of whether the data concerns individuals in the EU or elsewhere (Article 3(1) GDPR).
- You are not established in the EU but offer goods or services to individuals in the EU, or monitor their behaviour within the EU (Article 3(2) GDPR). This applies, for example, to online shops based outside the EU that sell to customers in Poland.
In practice, this means the GDPR applies to nearly every business operating in Poland — from sole traders to multinational corporations.
Personal Data — What Does It Actually Mean?
Personal data means any information relating to an identified or identifiable natural person (Article 4(1) GDPR). While this may sound abstract, the scope is very broad in practice.
Personal data includes, among other things: first and last name, email address, national identification number (PESEL in Poland), home address, phone number, IP address, location data, cookies that identify a user, biometric data (fingerprints, facial recognition), health data, and even an employee number if it allows identification of a specific person in a given context.
The GDPR also distinguishes special categories of personal data (Article 9 GDPR), which are subject to stricter processing rules. These include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
Key GDPR Concepts You Need to Know
To properly understand the GDPR, it is essential to be familiar with several fundamental concepts defined in Article 4 of the Regulation:
Data controller — the entity that alone or jointly with others determines the purposes and means of processing personal data. If you run a business and collect customer data, you are a controller.
Data processor — the entity that processes personal data on behalf of the controller. Typical examples include: an accounting firm handling your company’s bookkeeping, a hosting provider storing data on its servers, or a CRM system provider.
Processing — any operation performed on personal data — collection, recording, storage, modification, consultation, disclosure, erasure. Even the mere storage of data constitutes processing.
Data subject — the natural person whose personal data is being processed. The GDPR protects only natural persons — it does not apply to data about companies or institutions (although the personal data of contact persons at companies is covered).
7 Principles of Data Processing (Article 5 GDPR)
Article 5 of the GDPR sets out seven fundamental principles that must be observed whenever personal data is processed. A breach of any of these principles may result in a fine.
1. Lawfulness, fairness, and transparency — data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. This means, among other things, that processing must have a legal basis, and individuals must be informed about what happens with their data.
2. Purpose limitation — data may only be collected for specified, explicit, and legitimate purposes. It must not be collected “just in case” or used for purposes incompatible with the original ones.
3. Data minimisation — only the data necessary for the specified purpose should be collected. If an email address is sufficient for sending a newsletter, you should not require a national ID number.
4. Accuracy — data must be accurate and, where necessary, kept up to date. The controller should take reasonable steps to ensure that inaccurate data is erased or rectified.
5. Storage limitation — data must not be stored indefinitely. A specific retention period should be defined for each type of data and purpose, and once it expires, the data should be erased or anonymised.
6. Integrity and confidentiality — data must be processed in a manner that ensures appropriate security, including protection against unauthorised access, loss, destruction, or damage.
7. Accountability — the controller must be able to demonstrate compliance with all of the above principles. The burden of proof lies with the controller — it is not enough to comply with the GDPR; you must also document it.
6 Legal Bases for Processing Personal Data (Article 6 GDPR)
Every instance of personal data processing must be based on at least one of the six legal bases set out in Article 6 of the GDPR. Without a legal basis, processing is unlawful.
a) Consent — the data subject has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. It can be withdrawn at any time. Most commonly used in marketing and newsletters.
b) Performance of a contract — processing is necessary for the performance of a contract with the data subject, or for taking steps prior to entering into a contract at the data subject’s request. Example: processing a delivery address to fulfil an online order.
c) Legal obligation — processing is necessary for compliance with a legal obligation to which the controller is subject. Example: retaining employee data for the period required by labour and tax law.
d) Vital interests — processing is necessary to protect the vital interests of the data subject or another person (e.g., saving a life). This basis is rarely used and applies only in exceptional circumstances.
e) Public interest — processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This mainly applies to public authorities.
f) Legitimate interest — processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights of the data subject. This requires a balancing test (Legitimate Interest Assessment). Examples: CCTV for property protection, direct marketing to existing customers.
Choosing the correct legal basis is crucial — a different basis may entail different obligations, different data subject rights, and different consequences in the event of an audit.
Rights of Data Subjects (Articles 15–22 GDPR)
The GDPR grants natural persons a range of rights that the controller must respect:
Right of access (Article 15) — the data subject has the right to obtain confirmation from the controller as to whether their data is being processed and, if so, to access the data along with information about the purposes of processing, categories of data, recipients, and the planned retention period.
Right to rectification (Article 16) — the data subject may request the correction of inaccurate data or the completion of incomplete data.
Right to erasure, known as the “right to be forgotten” (Article 17) — the data subject may request erasure of their data if, for example, the data is no longer necessary for the purposes of processing, consent has been withdrawn, or the data was processed unlawfully. This right is not absolute — the controller may refuse if processing is necessary, e.g., for compliance with a legal obligation.
Right to restriction of processing (Article 18) — the data subject may request the restriction of processing, e.g., while the accuracy of the data is being verified.
Right to data portability (Article 20) — the data subject has the right to receive their data in a structured, commonly used format and to transmit it to another controller.
Right to object (Article 21) — the data subject may object to processing based on the controller’s legitimate interest, including profiling. In the case of direct marketing, the objection is absolute — the controller must cease processing.
Right not to be subject to automated decision-making (Article 22) — the data subject has the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects. This right is becoming particularly important in the age of artificial intelligence.
The controller generally has one month to respond to a data subject’s request (Article 12(3) GDPR).
Information Obligations (Articles 13–14 GDPR)
The controller is obliged to inform the data subject about the processing of their data — both when data is collected directly from the individual (Article 13) and when it is obtained from another source (Article 14).
A privacy notice must include, among other things: the identity and contact details of the controller, DPO contact details (if appointed), purposes and legal bases of processing, information about data recipients, the retention period, information about data subject rights, and information about the right to lodge a complaint with the supervisory authority (UODO in Poland).
The information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. In practice, this means privacy notices should be written in an understandable way — not as multi-page legal documents, but as readable information for the average person.
Data Protection Officer (DPO)
Certain organisations are required to appoint a Data Protection Officer (Article 37 GDPR). This applies primarily to public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special categories of data on a large scale.
The DPO serves as an internal data protection expert — informing and advising the controller, monitoring GDPR compliance, cooperating with the supervisory authority, and acting as a contact point for data subjects.
The DPO may be an employee of the organisation or an external expert (outsourced DPO). The DPO must be guaranteed independence — they may not receive instructions regarding the performance of their tasks and may not be penalised for performing them (Article 38 GDPR).
Data Breaches and Fines
The GDPR requires that personal data breaches be reported to the supervisory authority (UODO in Poland) within 72 hours of becoming aware of the breach (Article 33 GDPR). If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify those individuals (Article 34 GDPR).
Violations of the GDPR carry severe administrative fines. Article 83 provides for two tiers:
- Up to EUR 10 million or 2% of annual global turnover — for violations of controller, processor, certification body, or monitoring body obligations.
- Up to EUR 20 million or 4% of annual global turnover — for violations of the basic principles of processing, data subject rights, or provisions on data transfers to third countries.
In Poland, UODO has imposed fines reaching several million PLN. Across Europe, record fines have run into hundreds of millions of euros.
For a detailed overview of breach notification procedures and the most significant fines, see our separate article: Personal Data Breach Under GDPR — Notification Procedure, Obligations, and Fines.
International Data Transfers Outside the EEA
The transfer of personal data to third countries (outside the EEA) is subject to specific rules set out in Chapter V of the GDPR (Articles 44–50). Data may be transferred if at least one of the following conditions is met: an adequacy decision by the European Commission, the use of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other appropriate safeguards.
This topic gained particular significance following the Court of Justice of the EU’s Schrems II ruling (Case C-311/18), which invalidated the Privacy Shield as a mechanism for data transfers to the US. A new framework — the EU-US Data Privacy Framework — is currently in place, but its long-term stability remains uncertain.
In practice, if you use services from US-based providers (Google, Microsoft, Amazon AWS), the issue of international data transfers concerns you directly.
GDPR and Other EU Regulations — AI Act, NIS2, Data Act
The GDPR does not exist in a vacuum. In recent years, the European Union has adopted a number of new regulations that complement and interact with the GDPR:
AI Act (Artificial Intelligence Regulation) — regulates the use of AI systems in the EU. Many AI systems process personal data, which means the GDPR and the AI Act must be applied simultaneously. The intersection between Data Protection Impact Assessments (DPIA) and the AI Act’s requirements for high-risk systems is particularly important.
NIS2 Directive — expands cybersecurity obligations. Organisations subject to NIS2 must implement security measures that also support the personal data protection required by the GDPR.
Data Act and Data Governance Act — new regulations on data sharing and governance. They must be applied with due regard to the personal data protection principles under the GDPR.
What Your Company Should Do — Practical Checklist
To conclude — a list of the key steps every organisation should take to ensure GDPR compliance:
- Conduct a data inventory — identify what personal data you process, for what purposes, and on what legal basis.
- Prepare a Record of Processing Activities (ROPA) — an obligation under Article 30 GDPR, documenting all data processing activities in the organisation.
- Determine the legal bases for processing — for each purpose, select the appropriate basis from Article 6 (and from Article 9 if you process special category data).
- Prepare privacy notices — for each group of data subjects (customers, employees, contractors, website users).
- Enter into data processing agreements — with every entity that processes data on your behalf (Article 28 GDPR).
- Implement a data subject request procedure — a mechanism for fulfilling access, erasure, rectification, and other rights.
- Implement a breach response procedure — so that you can report a breach to UODO within 72 hours.
- Assess whether you need a DPO — and if so, appoint one and register them with UODO.
- Conduct a DPIA — if your data processing involves a high risk to individuals’ rights.
- Ensure technical and organisational security — encryption, access control, staff training, and regular audits.
Need Help With GDPR Compliance?
GDPR implementation is a process that requires both legal expertise and an understanding of the technical aspects of data processing. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies and institutions achieve comprehensive GDPR compliance — from audits, through documentation, to serving as an external DPO.
Contact us to schedule a consultation.
