Glossary

GDPR

General Data Protection Regulation

European regulation 2016/679, applicable since 25 May 2018. Governs the collection and processing of personal data of EU residents — purposes, legal basis, retention, data subject rights, obligations of the controller and its processors.

What the GDPR is

The General Data Protection Regulation is a European regulation directly applicable in every member state. It harmonises personal data protection rules and grants natural persons extensive rights over the data concerning them.

Six founding principles

  1. Lawfulness, fairness, transparency — processing must rest on a clear legal basis and be communicated.
  2. Purpose limitation — data cannot be repurposed for incompatible purposes.
  3. Data minimisation — collect only what is strictly necessary.
  4. Accuracy — data must be kept up to date.
  5. Storage limitation — retention periods must be justified and documented.
  6. Integrity and confidentiality — appropriate technical and organisational security measures.

Data subject rights

Access, rectification, erasure (“right to be forgotten”), restriction, objection, portability, withdrawal of consent, post-mortem instructions. Responses must be provided within one month of a complete request.

Sanctions

Up to €20M or 4% of worldwide annual turnover, whichever is higher, for serious breaches. The CNIL enforces the regulation in France; equivalent national authorities do so elsewhere in the EU.

GDPR at Hexceos

Hexceos offers an outsourced DPO service, support with processing inventories and data protection impact assessments (DPIAs), and sovereign, compliant hosting in its HDS datacenter. See also our privacy policy and GDPR charter.

Last updated: 19 May 2026