EU GDPR (Regulation 2016/679)
Regulation (EU) 2016/679 (General Data Protection Regulation) — in force 25 May 2018. The substantive regime — six Article 5 principles, six Article 6 lawful bases, data-subject rights (Arts. 12-22), accountability (Arts. 24-30), security (Art. 32), breach notification (Arts. 33-34), DPIA (Art. 35), DPO (Arts. 37-39), international transfers (Arts. 44-49), administrative fines up to €20M or 4% of group worldwide turnover (Art. 83) — remains the global privacy benchmark.

Post-publication updates reflected (web-verified 20 May 2026):

(1) EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795, July 2023) survived the Latombe annulment challenge at the General Court on 3 September 2025 (T-553/23); Latombe appeal pending at CJEU (C-206/25 P, October 2025); NOYB indicating a broader challenge based on post-July-2023 developments including PCLOB Democratic-member removals (January 2025). EDPB has completed its first annual periodic review focused on Executive Order 14086 safeguards; DPF FAQ v2.0 published 15 January 2026.

(2) GDPR Procedural Regulation (Regulation (EU) 2025/2518) published in OJ 12 December 2025, entered into force 1 January 2026, applies from 2 April 2027 — harmonises Article 56 one-stop-shop, complaint admissibility, binding cooperation timelines, structured preliminary findings, and simplified cross-border procedures with a 12-month maximum timeline.

(3) UK adequacy decisions (GDPR and LED) renewed by the European Commission on 19 December 2025 to 27 December 2031, following the UK's Data (Use and Access) Act 2025 (Royal Assent 19 June 2025) and EDPB Opinion 26/2025 (16 October 2025). EDPB flagged the Investigatory Powers Amendment Act 2024, automated decision-making changes, and Secretary of State powers for continued monitoring.

(4) Key EDPB outputs: Guidelines 1/2024 on legitimate interest (October 2024, post-CJEU C-621/22 KNLTB); Opinion 22/2024 on processors and sub-processors (October 2024); Opinion 28/2024 on AI models (December 2024: anonymity test, legitimate-interest framework, unlawful-training consequences); Guidelines 9/2022 on breach notification.

(5) Key CJEU 2023-2025: C-634/21 SCHUFA (Dec 2023, Art. 22 'solely automated' includes token human review); C-203/22 Dun & Bradstreet (Feb 2025, Art. 15(1)(h) explanation must cover the procedure and principles actually applied to the data subject); C-621/22 KNLTB (Oct 2024, commercial interests can be legitimate interests); C-655/23 Quirin Privatbank (Sep 2025, Art. 82 non-material damage includes emotional harm; controller fault not relevant); C-383/23 ILVA (Feb 2025, 'undertaking' for the Art. 83 cap is the competition-law concept — group-level turnover); T-354/22 Bindl v Commission (Jan 2025, €400 non-material damages for unlawful US transfer; appeals C-206/25 P + C-211/25 P pending).

(6) Major 2024-2025 fines: TikTok €530M (May 2025, Art. 46 China transfers + Art. 13 transparency); LinkedIn €310M (Oct 2024, behavioural advertising); Meta €251M (Dec 2024, 2018 breach); Uber €290M (Aug 2024, US driver-data transfer); OpenAI €15M (Garante, November 2024, Arts. 5, 6, 13, 24, 25, 33). Cumulative GDPR fines exceeded €5.88bn by January 2025.

(7) ENISA Technical Implementation Guidance on Cybersecurity Risk Management Measures (June 2025) — operational reference for Art. 32 even though formally issued under NIS2.

(8) Omnibus IV (Commission proposal 21 May 2025) and Digital Omnibus (19 November 2025) propose raising the Art. 30(5) RoPA exemption to <750 employees on a 'high-risk' trigger, narrowing the personal-data definition to the controller's reasonably-likely means, and a 'stop the clock' on EU AI Act high-risk obligations. STATUS: PROPOSAL, not adopted as of May 2026; current Art. 30(5) and the broader GDPR remain operative.
B10 expansion: 41 audit-defensible controls (18 Part A — Articles 5-22 principles, bases, rights; 23 Part B — Articles 24-49 + 83 + Procedural Regulation accountability, security, transfers, enforcement).
Composition
101 controls currently indexed; participates in 23 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- AI incident reporting — serious incidents to authorities
- Automated Decision-Making Technology — pre-use notice, opt-out, access rights
- Cloud data privacy lifecycle — CSA CCM v4 DSP control family
- Cloud supply chain transparency — STA control family
- Consent management — capture, modify, withdraw across jurisdictions
- Consumer / Data Subject / Data Principal rights response SLA
- Cross-jurisdiction breach notification timelines
- Cross-jurisdiction consumer / Data Principal rights — operational fabric
- Cryptographic controls, key management, and post-quantum readiness
- Data Protection Impact Assessment / risk assessment for high-risk processing
- Data subject / Data Principal rights — operational rights mechanism
- Encryption at rest — sensitive data and key management
- GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination
- GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
- GDPR Articles 44-49 international transfers
- GDPR accountability principle — Art 5(2) demonstrate compliance
- GDPR data subject rights — Articles 12-22 operational implementation
- PII principal rights — comprehensive ISO 27701-anchored programme
- PIMS context — Clauses 4-5 management system context and leadership
- PIMS cross-border PII transfers
- Processor (PII Processor) obligations — ISO 27701 controller relationship
- Processor / service provider contract requirements across jurisdictions
- Sensitive personal information — heightened protection across jurisdictions