The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's harmonised data protection regime. It applies to any controller or processor processing personal data in the context of an establishment in the EU, and extraterritorially to any controller or processor outside the EU that offers goods or services to, or monitors the behaviour of, data subjects in the EU (Article 3).
For a vendor monitoring program, the operative articles are:
- Article 24 — Responsibility of the controller. Requires documented compliance, ongoing.
- Article 28 — Processor obligations. Requires DPAs, prior authorisation of subprocessors, defined audit rights.
- Article 30 — Records of processing activities. Vendors are recorded.
- Article 32 — Security of processing. Risk-appropriate measures, including those involving processors.
- Article 33 — Breach notification. The controller must notify the supervisory authority within 72 hours of becoming aware of a breach; the processor must notify the controller without undue delay.
- Articles 44-50 — Transfers to third countries. SCCs, BCRs, adequacy.
What it expects of vendor oversight
GDPR doesn't prescribe a specific monitoring frequency, but the cumulative effect of Articles 24, 28, and 32 is that the controller has to be able to demonstrate, on demand, that its processors are compliant. "We signed a DPA in 2022" is insufficient. Auditable evidence of ongoing oversight is the expectation.
Specific monitoring obligations that show up in practice:
- Subprocessor changes. If the DPA grants a right of objection within a defined window, the controller has to actually be able to exercise it — which means it must detect the change before the window closes.
- Transfer mechanism changes. SCC version updates, new SCC modules, replacement of one transfer tool with another.
- Privacy notice changes. New purposes, new recipient categories, new retention periods all affect the controller's own privacy notice and RoPA.
- Security posture changes. Reduced encryption commitments, changes to access controls, expired attestations.
Key supervisory authorities
Each EU member state has at least one supervisory authority. The most active in cross-border enforcement:
- CNIL (France).
- AEPD (Spain).
- Garante (Italy).
- DPC (Ireland) — leads many cases involving large US-headquartered tech companies, because many of them have their main EU establishment in Ireland.
- BfDI and Land authorities (Germany).
The European Data Protection Board (EDPB) coordinates cross-border cases and issues guidance interpreting GDPR.
Enforcement profile
GDPR enforcement has steadily intensified. Notable themes:
- Cross-border consent and transparency (Meta, Google, TikTok cases).
- International transfers post-Schrems II (Meta record fine in 2023).
- AI training on personal data (multiple authorities, ongoing).
- Children's data (Instagram, TikTok).
Vendor relationships rarely produce headline fines, but they regularly produce administrative findings during audits and investigations triggered by other matters.
Companion legislation
GDPR doesn't sit alone. Adjacent regimes that interact with vendor monitoring:
- ePrivacy Directive (2002/58/EC, as amended). Cookie consent, electronic marketing.
- NIS2 Directive. Cybersecurity for critical sectors, including supply chain risk.
- DSA, DMA. Online platforms.
- AI Act. Risk-based regulation of AI systems, with vendor implications for high-risk and limited-risk systems.
The UK GDPR, post-Brexit, is closely aligned with the EU GDPR and shares most of its operational requirements. References to the EU GDPR in this document also apply to the UK regime, with the UK's own supervisory authority and penalty currency in place of the EU ones.