Regulation

GDPR

The General Data Protection Regulation (EU) 2016/679 is the European Union's comprehensive data-protection law. It applies extraterritorially to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there (Article 3(2)).

The General Data Protection Regulation (GDPR) is the European Union's principal data-protection law, applicable since 25 May 2018. It applies to any organization that processes personal data in the context of an establishment in the EU, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour (the extraterritorial scope of Article 3).

Core principles:

  • Lawfulness, fairness and transparency — a lawful basis (Article 6) is required for every processing activity, and processing must be transparent to the data subject.
  • Purpose limitation — data collected for a specified purpose may not be further processed in a manner incompatible with that purpose.
  • Data minimization — collect only what is adequate, relevant and necessary for the purpose.
  • Accuracy — data must be kept accurate and up to date, with inaccurate data corrected or erased.
  • Storage limitation — retain personal data in identifiable form only as long as necessary for the purpose.
  • Integrity and confidentiality — process data with appropriate technical and organizational measures against unauthorized or unlawful processing, accidental loss, destruction or damage (the security principle, elaborated in Article 32).
  • Accountability — the controller is responsible for, and must be able to demonstrate, compliance with the principles above.

Key obligations include notifying the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33; not required where the breach is unlikely to result in a risk to individuals), and informing affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34); carrying out a Data Protection Impact Assessment before processing that is likely to result in a high risk (Article 35); and honouring data-subject rights such as access, rectification, erasure and data portability (Articles 15 to 20).

Administrative fines in the upper tier are up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)); a lower tier of up to €10 million or 2% applies to breaches of obligations such as the security, breach-notification and DPIA requirements (Article 83(4)). Enforcement has been active, and substantial fines have been issued to global technology companies.

GDPR is the conceptual ancestor of Thailand's PDPA. The two are closely aligned, but PDPA is calibrated to the Thai legal context and includes Thai-language requirements.

Sources

  1. European Parliament, Council of the European Union. General Data Protection Regulation (EU) 2016/679. European Union, 2016. https://eur-lex.europa.eu/eli/reg/2016/679/oj

Related terms