General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) establishes the main legal framework for data protection and privacy within the European Union, replacing the 1995 Data Protection Directive (95/46/EC). Adopted on 27 April 2016 and applicable from 25 May 2018, it harmonises data-processing rules across Member States, strengthens individual rights, and imposes direct obligations on controllers and processors. The Regulation sets out key principles of lawfulness, fairness, transparency, purpose limitation, and accountability, while granting data subjects enforceable rights including access, rectification, erasure, and portability. For artificial intelligence governance, the GDPR provides essential safeguards through its provisions on automated decision-making and profiling (Article 22), which limit decisions based solely on automated processing that significantly affect individuals. It remains a cornerstone of European digital regulation and an international benchmark for human-centred, rights-based governance of AI and data systems.