kb-data-privacy-gdpr

Category: Design Risk: Medium risk ★ 3.9 · Rating 3.9/5 (8) sboghossian/mini-claude-for-legal MIT

name: kb-data-privacy-gdpr
description: Use when a matter involves EU or UK data protection law, including GDPR compliance, lawful bases for processing, data subject rights, DPO obligations, international transfers, breach notification, or supervisory authority engagement. Also use when comparing GDPR requirements against MENA-region privacy laws (Egypt, KSA PDPL, UAE PDPL) for cross-border operations. Priority P0 reference for any EU/UK-data-touching transaction.
license: MIT
metadata:
id: kb.data-privacy-GDPR
category: kb
practice_area: Data Privacy & Technology Law
jurisdictions: [EU, UK]
priority: P0
intent: [GDPR, data-protection, personal-data, compliance, data-subject-rights]
related: [kb-data-privacy-egypt, kb-data-privacy-ksa-pdpl, kb-data-privacy-uae-pdpl, kb-healthcare-regulation-mena, draft-data-processing-agreement, draft-privacy-policy]
source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
version: "1.0"

Knowledge Pack — GDPR (EU 2016/679) and UK GDPR

Scope

The General Data Protection Regulation (Regulation (EU) 2016/679) applies to (Art 3):

  • Processing carried out in the context of the activities of an establishment of a controller or processor in the EU/EEA, regardless of where the processing itself takes place.
  • Processing by controllers or processors established outside the EU of personal data of data subjects who are in the EU (presence at the time of processing, not residency or citizenship), where the processing relates to:
    • Offering goods or services to those data subjects (paid or free), or
    • Monitoring their behaviour as far as it takes place within the EU.

The UK GDPR (the EU GDPR as retained in UK law after Brexit, read together with the Data Protection Act 2018) applies the same framework to data subjects in the UK. The EU and UK now operate independent regimes; each has recognised the other as adequate for transfers, but the EU's adequacy decisions for the UK are time-limited and subject to review.

Roles and Accountability

Role | Definition | Key obligation
Controller | Determines the purposes and means of processing | Full GDPR compliance; engages processors under an Art 28 data processing agreement (DPA)
Processor | Processes personal data on the controller's behalf | Acts only on documented controller instructions; Art 28 contract terms
Joint controllers | Jointly determine purposes and means | Agree on and make available the allocation of responsibilities between them (Art 26)
Data subject | Identified or identifiable natural person | Holds the rights in Arts 15–22
DPO | Data Protection Officer designated under Art 37 | Advises, monitors compliance, cooperates with and acts as contact point for the supervisory authority (Art 39)

Lawful Bases for Processing (Art 6)

  1. Consent — specific, informed, freely given, unambiguous (a clear affirmative act), and withdrawable at any time as easily as it was given (Art 7). Presumed not freely given where performance of a contract is made conditional on consent to processing that is not necessary for that contract (Art 7(4), bundled consent).
  2. Contract — necessary to perform a contract with the data subject, or pre-contractual steps at their request.
  3. Legal obligation — required by EU or Member State law.
  4. Vital interests — protect the life of the data subject or a third party; used narrowly.
  5. Public task — exercise of official authority or a task in the public interest vested by law.
  6. Legitimate interests (Art 6(1)(f)) — controller's or third party's interests, provided not overridden by data subject's fundamental rights. Requires documented balancing test. Not available for public authorities in their public-task capacity.

Practical note for MENA-headquartered organizations

Organizations operating from KSA, UAE, or Lebanon without an EU establishment fall within the GDPR when they offer goods or services to, or monitor the behaviour of, data subjects in the EU (Art 3(2)); merely holding EU-sourced client or employee data does not by itself trigger it, although an EU client will in any case require an Art 28 contract and transfer safeguards. Where Art 3(2) applies, they must designate an EU representative (Art 27) unless the processing is occasional, does not involve large-scale special category or criminal-offence data, and is unlikely to result in a risk to individuals (Art 27(2)).

Special Category Data (Art 9)

May be processed only where one of the Art 9(2) conditions applies (explicit consent, employment/social-security law, vital interests, not-for-profit body, data manifestly made public, legal claims, substantial public interest, health or social care, public health, or archiving/research/statistics), in addition to an Art 6 lawful basis; several of these conditions also require a basis in EU or Member State law:

  • Health data
  • Genetic data
  • Biometric data (where processed to uniquely identify a person)
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade-union membership
  • Sex life or sexual orientation

Processing of criminal conviction and offence data (Art 10) is subject to similar heightened restrictions: it requires official authority or authorisation by EU or Member State law.

Data Subject Rights

Right | Article | Response deadline | Notes
Access (Subject Access Request) | Art 15 | 1 month (Art 12(3)) | Extendable by up to 2 further months for complex or numerous requests; the data subject must be told of the extension within the first month
Rectification | Art 16 | 1 month | Inaccurate data corrected; incomplete data completed
Erasure ("right to be forgotten") | Art 17 | 1 month | Subject to exceptions (legal obligation, public interest, legal claims, freedom of expression)
Restriction | Art 18 | 1 month | Processing limited to storage while accuracy or an objection is disputed
Data portability | Art 20 | 1 month | Structured, commonly used, machine-readable format; only where the basis is consent or contract and the processing is automated
Objection | Art 21 | 1 month to respond; restrict processing meanwhile pending verification (Art 18(1)(d)) | Stop unless compelling legitimate grounds are shown; absolute right for direct marketing
Automated decision-making | Art 22 | n/a | Right not to be subject to a decision based solely on automated processing (including profiling) with legal or similarly significant effects

Data Protection Officer (DPO)

Mandatory when:

  • Public authority or body (with limited exceptions)
  • Core activities = large-scale regular and systematic monitoring of data subjects
  • Core activities = large-scale processing of special category data

DPO must:

  • Have expert knowledge of data protection law and practice (Art 37(5))
  • Report directly to the highest management level (Art 38(3))
  • Act independently: must not receive instructions on the exercise of their tasks and cannot be dismissed or penalised for performing them (Art 38(3))
  • Have their contact details published and communicated to the supervisory authority (Art 37(7)); this communication is what is loosely called "registering" the DPO
  • Be accessible to data subjects (Art 38(4))

Privacy by Design and by Default (Art 25)

  • Privacy protections must be built into systems and processes from the outset (e.g., pseudonymisation, encryption, access controls), taking account of the state of the art and the risks of the processing.
  • Default settings must implement data minimisation: only the personal data necessary for each specific purpose is processed by default, in amount, extent, storage period and accessibility, and data is not made accessible to an indefinite number of people without the individual's intervention (Art 25(2)).
  • The measures chosen are documented as part of the accountability record (Art 24), alongside the RoPA and any DPIA.

Records of Processing Activities (Art 30)

Controllers and processors must maintain a written (including electronic) record of processing. The Art 30(5) exemption for organisations with fewer than 250 employees does not apply where the processing is likely to result in a risk to individuals, is not occasional, or involves special category or criminal-offence data, so in practice almost every organisation keeps one. The controller's record includes:

  • Controller's name and contact
  • Processing purposes
  • Categories of data subjects and data
  • Recipients
  • International transfer safeguards
  • Retention periods
  • Security measures

Data Protection Impact Assessment (DPIA) (Art 35)

Required before commencing processing likely to result in a high risk to individuals, in particular (Art 35(3)):

  • Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, producing legal or similarly significant effects
  • Large-scale processing of special category or criminal-offence data
  • Large-scale systematic monitoring of a publicly accessible area (e.g., CCTV, tracking)
  • Use of new technologies with high privacy risk (Art 35(1)); supervisory authorities also publish lists of processing operations that always require a DPIA (Art 35(4))

If the DPIA shows a high residual risk that the controller cannot mitigate, the supervisory authority must be consulted before processing starts (prior consultation, Art 36).

International Transfers (Chapter V)

Personal data may only be transferred outside the EU/EEA to a third country (or international organisation) if one of the following applies:

Mechanism | Description
Adequacy decision (Art 45) | The European Commission has found that the country, territory or sector provides essentially equivalent protection (e.g., the UK, Switzerland, Japan, South Korea, Canada for PIPEDA-covered commercial organisations, the US for organisations certified under the EU-US Data Privacy Framework). Check the Commission's current list; no MENA jurisdiction holds an EU adequacy decision.
Standard Contractual Clauses (SCCs) (Art 46(2)(c)) | Commission-approved model contracts (2021 version in 4 modules: controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller); a transfer impact assessment of the destination country's laws is expected alongside them
Binding Corporate Rules (BCRs) (Art 47) | Intra-group policies approved by the competent supervisory authority
Codes of conduct / certification (Art 46(2)(e)-(f)) | Approved sector code or certification scheme with binding, enforceable commitments from the importer
Derogations (Art 49) | Explicit consent; contract performance; important public interest; legal claims; vital interests. Narrow, for occasional transfers; not a basis for systematic transfers

Important for MENA: neither UAE onshore nor the DIFC (Dubai) and ADGM (Abu Dhabi) free zones, nor KSA, Egypt or Lebanon, hold an EU adequacy decision. (The DIFC and ADGM maintain their own lists of adequate jurisdictions for exports out of those zones; that is the reverse direction and does not help an EU-to-UAE transfer.) Transfers from the EU to any of these jurisdictions need SCCs or another Art 46 mechanism, supported by a transfer impact assessment.

Breach Notification (Arts 33–34)

Obligation | Deadline | Threshold
Controller notifies supervisory authority | Without undue delay and, where feasible, within 72 hours of becoming aware; a later notification must state the reasons for the delay (Art 33(1)) | Unless the breach is unlikely to result in a risk to individuals' rights and freedoms
Processor notifies controller | Without undue delay after becoming aware (Art 33(2)) | Any personal data breach
Controller notifies data subjects | Without undue delay (Art 34) | Breach likely to result in a high risk to individuals; not required where, e.g., the data was rendered unintelligible (encryption) or individual notice would involve disproportionate effort (public communication instead)

Information may be provided in phases where it is not all available at once (Art 33(4)). A breach register is mandatory: every breach is documented with its facts, effects and remedial action, including those not reported externally (Art 33(5)).
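The following is an added example, not code from the mini-claude-for-legal project, of how an incident-response tool can encode the Art 33/34 clocks described above. It assumes (none of this is from the page) the BreachRecord fields, the risk labels "none", "risk" and "high" standing in for the Art 33 "risk" and Art 34 "high risk" thresholds, and that every timestamp carries a timezone and is converted to UTC; the incidents at the bottom are constructed samples.

```python
# Breach-notification clock and register for Arts 33-34.
# Added example; not code from the mini-claude-for-legal project.
# Assumptions (not from the page): the record fields, the risk labels
# "none"/"risk"/"high" standing in for the Art 33 "risk" and Art 34
# "high risk" thresholds, and that all clocks are kept in UTC.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

SA_WINDOW = timedelta(hours=72)            # Art 33(1): 72 hours from awareness
RISK_LEVELS = ("none", "risk", "high")     # hypothetical labels for the thresholds


def to_utc(ts: Union[datetime, str], name: str) -> datetime:
    """Parse ISO-8601 if needed and reject naive timestamps: a 72-hour clock
    shared across offices in different time zones must be unambiguous."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must carry a timezone offset")
    return ts.astimezone(timezone.utc)


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: Union[datetime, str]          # moment of awareness (Art 33(1)), not the first tool alert
    risk_to_individuals: str                # "none" | "risk" | "high"
    role: str = "controller"                # "controller" or "processor"
    sa_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        self.aware_at = to_utc(self.aware_at, "aware_at")
        if self.risk_to_individuals not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {self.risk_to_individuals!r}")
        if self.role not in ("controller", "processor"):
            raise ValueError(f"unknown role {self.role!r}")


def sa_deadline(record: BreachRecord) -> datetime:
    """Art 33(1) deadline for notifying the supervisory authority."""
    return record.aware_at + SA_WINDOW


def obligations(record: BreachRecord, now: Union[datetime, str]) -> Dict[str, object]:
    """Open obligations for one breach as of `now`."""
    now = to_utc(now, "now")
    is_ctrl = record.role == "controller"
    plan: Dict[str, object] = {
        # Art 33(5): every breach goes in the register, reported externally or not
        "document_in_register": True,
        # Art 33(2): a processor tells its controller without undue delay, whatever the risk
        "notify_controller": not is_ctrl,
        # Art 33(1): the controller notifies the SA unless the breach is unlikely to result in a risk
        "notify_sa": is_ctrl and record.risk_to_individuals in ("risk", "high"),
        # Art 34: data subjects are told only where the risk is high
        "notify_subjects": is_ctrl and record.risk_to_individuals == "high",
        "sa_deadline_utc": sa_deadline(record).isoformat() if is_ctrl else None,
        "sa_hours_remaining": None,
        "sa_overdue": False,
    }
    if plan["notify_sa"] and record.sa_notified_at is None:
        remaining = sa_deadline(record) - now
        plan["sa_hours_remaining"] = round(remaining.total_seconds() / 3600, 1)
        # A late notification is still made, but must state the reasons for the delay (Art 33(1))
        plan["sa_overdue"] = remaining < timedelta(0)
    return plan


@dataclass
class BreachRegister:
    entries: List[BreachRecord] = field(default_factory=list)

    def log(self, record: BreachRecord) -> BreachRecord:
        self.entries.append(record)
        return record

    def open_sa_notifications(self, now: Union[datetime, str]) -> List[str]:
        """Incident ids whose Art 33 notification to the SA is still outstanding."""
        return [r.incident_id for r in self.entries
                if obligations(r, now)["notify_sa"] and r.sa_notified_at is None]


if __name__ == "__main__":
    # Constructed sample incidents, not real cases.
    reg = BreachRegister()
    reg.log(BreachRecord("INC-1", "2024-03-01T10:00:00+00:00", "high"))
    reg.log(BreachRecord("INC-2", "2024-03-01T10:00:00+00:00", "none"))   # logged, never reported
    reg.log(BreachRecord("INC-3", "2024-03-01T12:00:00+02:00", "high", role="processor"))
    for r in reg.entries:
        print(r.incident_id, obligations(r, "2024-03-02T10:00:00+00:00"))
    print("outstanding:", reg.open_sa_notifications("2024-03-02T10:00:00+00:00"))
```

Three design points carry over to any playbook: the 72 hours run from awareness, not from the first SIEM alert, so the record stores the awareness time explicitly and the analyst has to fill it in; naive timestamps are rejected because a clock shared between a SOC in one time zone and a DPO in another is otherwise ambiguous; and the register keeps "none"-risk incidents as well, since Art 33(5) requires documenting breaches that are never reported.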

Penalties (Art 83)

Tier | Maximum penalty | Examples
Lower tier (Art 83(4)) | €10M or 2% of total worldwide annual turnover, whichever is higher | Controller/processor obligations: RoPA, Art 28 processor contracts, DPIAs, security measures, breach notification, DPO
Upper tier (Art 83(5)-(6)) | €20M or 4% of total worldwide annual turnover, whichever is higher | Basic principles and lawful basis; special category data; international transfers; data subject rights; non-compliance with a supervisory authority order

UK GDPR: £17.5M or 4% of total worldwide annual turnover, whichever is higher (Data Protection Act 2018; the ICO published updated fining guidance in 2024).

Supervisory authorities may also issue warnings, reprimands, temporary/permanent bans on processing.

Supervisory Authorities

  • EU: each Member State designates one or more national Data Protection Authorities (DPAs).
  • One-stop-shop: organizations with a main EU establishment deal primarily with that Member State's DPA (lead DPA). Cross-border processing triggers consistency mechanism.
  • UK: Information Commissioner's Office (ICO) — independent from EU post-Brexit.
  • Data subjects may complain to the DPA of their habitual residence, place of work, or place of the alleged infringement.

UK GDPR Specifics

Feature | UK GDPR
Maximum fine | £17.5M or 4% of total worldwide annual turnover, whichever is higher
Supervisory authority | ICO
EU/UK transfers | EU → UK: Commission adequacy decisions (time-limited; under review); UK → EEA: UK adequacy regulations treat EEA states as adequate
Transfer tools | The UK's own International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, both issued by the ICO
Reform | UK data protection reform legislation (the Data (Use and Access) Act 2025 amends the UK GDPR and DPA 2018); verify commencement status and current ICO guidance

How to Use This Pack

When advising on GDPR compliance:

  1. Establish whether GDPR applies (EU establishment or extra-territorial scope).
  2. Identify the role (controller / processor / joint controller).
  3. Map processing activities and identify the lawful basis for each.
  4. Check for special-category or criminal data — higher bar.
  5. Review or create RoPA (Art 30).
  6. Assess DPO requirement.
  7. Review international transfer mechanisms (critical for MENA organizations).
  8. Check breach notification procedure is in place.
  9. Verify data subject rights procedures are operational.

Caveats & Currency

GDPR has applied since 25 May 2018. Supervisory authority guidance, EDPB (European Data Protection Board) opinions, and national DPA and CJEU decisions continually develop the interpretation of key provisions. Verify:

  • Current EU adequacy decisions (the UK decisions are time-limited and subject to review; check the Commission's list for the latest status).
  • EU SCCs version (the 2021 modular clauses replaced the 2001/2004 controller-to-controller and 2010 controller-to-processor sets; contracts still on the old sets have been non-compliant since 27 December 2022).
  • UK IDTA vs UK Addendum to the EU SCCs: standard forms issued by the ICO (the old EU SCCs ceased to be valid for UK transfers on 21 March 2024).
  • Member State national derogations and specific rules (permitted under GDPR Arts 85–91 for specific sectors, e.g., journalism, employment, research).

Related packs:

  • [[kb-data-privacy-egypt]]
  • [[kb-data-privacy-ksa-pdpl]]
  • [[kb-data-privacy-uae-pdpl]]
  • [[kb-healthcare-regulation-mena]]
  • [[draft-data-processing-agreement]]
  • [[draft-privacy-policy]]