gdpr

GDPR

General Data Protection Regulation (EU 2016/679)

European Union | In force since May 25, 2018

The EU's flagship privacy law governs how organizations collect, process, store, and transfer personal data of EU/EEA residents — regardless of where the organization is based. RAIL Score checks content against 12 GDPR requirements covering lawful basis, consent, data minimisation, transparency, erasure rights, automated decision-making, and international transfers.

Official Resources

gdpr-info.eu — Full regulation text
edpb.europa.eu — European Data Protection Board
enforcementtracker.com — CMS Law enforcement tracker

Maximum Penalties

Violation Type	Maximum Fine
Most serious (unlawful processing, transfers, children's data)	EUR 20M or 4% global annual turnover
Less serious (consent records, DPO obligations, certification bodies)	EUR 10M or 2% global annual turnover

Cumulative GDPR fines since May 2018 reached EUR 7.1 billion as of January 2026.

Requirements Checked by RAIL Score

ID	Article	Requirement	What RAIL Evaluates
GDPR-001	Art. 6	Lawful basis for processing	Is a valid legal basis stated or implied?
GDPR-002	Art. 7	Conditions for consent	Is consent freely given, specific, informed, unambiguous?
GDPR-003	Art. 5	Data minimisation	Is only necessary data mentioned or collected?
GDPR-004	Art. 13/14	Transparency and information	Are users informed of purpose, retention, recipients?
GDPR-005	Art. 17	Right to erasure	Is data deletion addressed?
GDPR-006	Art. 22	Automated decision-making	Is automated profiling disclosed with opt-out?
GDPR-007	Art. 25	Privacy by design and default	Does the system embed data protection structurally?
GDPR-008	Art. 32	Security of processing	Are security measures described?
GDPR-009	Art. 35	Data Protection Impact Assessment	Is DPIA referenced for high-risk processing?
GDPR-010	Art. 44-49	International transfers	Are transfers outside EEA adequately protected?
GDPR-011	Art. 37	DPO designation	Is a Data Protection Officer mentioned where required?
GDPR-012	Art. 83	Dark patterns / consent manipulation	Are consent interfaces fair and non-coercive?

2025–2026 Enforcement Snapshot

EUR 1.2 billion in GDPR fines were issued in 2025, matching 2024 levels. Average breach notifications exceeded 400 per day — a 22% year-on-year increase.

Major Recent Violations

Date	Entity	Fine	Violation
May 2025	TikTok	EUR 530M	Unlawful transfer of EEA user data to China without adequate safeguards (Art. 46)
Sep 2025	Google LLC	EUR 325M	Gmail ads without consent; manipulative cookie acceptance flow (Art. 82 + ePrivacy)
2025	SHEIN	EUR 150M	Cookies placed before consent; incomplete cookie information; difficult opt-out
2025	Replika AI	EUR 5M	GDPR violations in AI data processing — lawful basis, transparency, DPIAs
2024	LinkedIn	EUR 310M	Invalid consent for behavioral advertising; no legitimate interest basis
2023	Meta	EUR 1.2B	Systematic transfer of EU user data to US servers without adequate safeguards

2026 Enforcement Priorities

The EDPB designated transparency and information provision as its 2026 coordinated enforcement theme. National DPAs are running parallel investigations into:

What data is collected, for what purpose, on which legal basis, and for how long
Dark patterns — making cookie rejection harder than acceptance is now explicitly enforced
AI system transparency — Italy's Garante is applying GDPR to AI systems ahead of EU AI Act enforcement
International data transfers — EU to US and EU to China; Transfer Impact Assessments under scrutiny
Data subject rights — access (Art. 15), erasure (Art. 17), and portability (Art. 20)

Key Lessons for AI Systems

Behavioral advertising is not a "necessary" contract purpose — Meta's legal basis argument was rejected
AI chatbots that collect user data must have a DPIA and clear lawful basis (Replika precedent)
Consent withdrawal must actually work — cosmetic compliance is insufficient
Repeat violations lead to exponentially higher fines

RAIL Dimension Mapping

GDPR requirements map to these RAIL dimensions. The compliance check returns framework-specific dimension scores.

RAIL Dimension	GDPR Articles	Focus
Privacy	Art. 5, 6, 7, 17, 22, 25	Data minimisation, consent, erasure, profiling
Transparency	Art. 13, 14, 15	Information obligations, access rights
Accountability	Art. 24, 25, 30, 35, 37	DPO, DPIA, records of processing
Safety	Art. 32, 33, 34	Security measures, breach notification
Fairness	Art. 5(1)(a), 22	Lawful and fair processing, automated decision-making

API Example

See the Compliance API reference for full endpoint documentation, parameters, and response schema.

Python — GDPR compliance check

from rail_score_sdk import RailScoreClient

client = RailScoreClient(api_key="YOUR_RAIL_API_KEY")

result = client.compliance_check(
    content="""
    Our platform uses AI to analyze user behavior and purchase history.
    We share aggregated user profiles with advertising partners to improve
    ad targeting across platforms.
    """,
    framework="gdpr",
    context={
        "domain": "general",
        "processes_personal_data": True,
        "jurisdiction": "EU"
    },
    strict_mode=True,
    include_explanations=True
)

print(f"Score: {result.compliance_score.score}/10 ({result.compliance_score.label})")
for req in result.requirements:
    status = "PASS" if req.status == "PASS" else ("WARN" if req.status == "WARN" else "FAIL")
    print(f"  [{status}] {req.requirement_id}: {req.requirement}")
    if req.status == "FAIL":
        print(f"    Article: {req.article} | {req.reference_url}")

Sources: gdpr-info.eu · edpb.europa.eu · CMS Enforcement Tracker · DLA Piper GDPR Survey 2026