What is an example of GDPR?
Asked by: Prof. Talon Daugherty | Last update: June 10, 2026 | Score: 4.7/5 (36 votes)
GDPR examples cover what counts as personal data (names, emails, IP addresses, photos, health info) and how it is handled. The regulation requires clear consent, purpose limitation, strong security, and rights for individuals, as seen in transparent cookie banners, secure HR systems for employee data, and protocols for accidental data breaches such as emailing the wrong person. Processing examples include collecting customer lists, using CCTV with clear signage, or sharing employee data with insurers, all of which need accountability and data minimization.
What are examples of GDPR?
For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
What is the GDPR in simple terms?
In simple terms, the General Data Protection Regulation (GDPR) is a strict EU law that gives individuals more control over their personal data and requires businesses worldwide to protect it, making them transparent about how they collect, process, and store information like names, emails, and browsing habits. It sets strong rules for data privacy, meaning companies must get clear consent, secure the data, and allow people rights like accessing or deleting their own information, with heavy fines for non-compliance.
What are the 7 main principles of GDPR?
The 7 principles of GDPR are: Lawfulness, Fairness, and Transparency (process data legally and openly); Purpose Limitation (use data only for stated reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct); Storage Limitation (don't keep data forever); Integrity and Confidentiality (secure the data); and Accountability (prove compliance). These form the core rules for handling personal data ethically and legally under the EU's General Data Protection Regulation.
What are 5 examples of personal data?
What is personal data?
- a name and surname.
- a home address.
- an email address such as 'name.surname@company.com'
- an Internet Protocol (IP) address.
- an identification card number.
- a cookie ID.
- the advertising identifier of your phone.
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Is an email address part of GDPR?
The ICO defines personal data as information that could be used to identify you, including your email address. Therefore, your email address should be protected in accordance with the law. The DPA and UK GDPR outline data protection principles.
What are 10 examples of sensitive personal information?
Definition of Sensitive Personal Information
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Health data.
- Sexual orientation or sex life.
Who does GDPR apply to?
Answer. The GDPR applies to: a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or.
What happens if you violate GDPR?
Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here is that the term “undertaking” is equivalent to that used in Art.
What are four characteristics of the GDPR?
What are the main aspects of the General Data Protection Regulation (GDPR) that a public administration should be aware of?
- fair and lawful processing;
- purpose limitation;
- data minimisation and data retention.
How to explain GDPR in an interview?
Key GDPR questions for job interviews, with example answers
If you've worked with the GDPR in previous roles, offer an explanation of the type of work you carried out and how the GDPR related to it. You may also wish to mention any strategies you've used to ensure compliance with the GDPR in your previous work.
What is not classed as personal data in GDPR?
Information concerning a 'legal' rather than a 'natural' person is not personal data. Consequently, information about a limited company or another legal entity, which might have a legal personality separate to its owners or directors, does not constitute personal data and does not fall within the scope of the UK GDPR.
How do I comply with GDPR?
Anyone responsible for using personal data must make sure the information is:
- used fairly, lawfully and transparently.
- used for specified, explicit purposes.
- used in a way that is adequate, relevant and limited to only what is necessary.
- accurate and, where necessary, kept up to date.
- kept for no longer than is necessary.
What is GDPR in one sentence?
The General Data Protection Regulation (GDPR) is a European law that established protections for privacy and security of personal data about individuals in European Economic Area (“EEA”)-based operations and certain non-EEA organizations that process personal data of individuals in the EEA.
What are some famous GDPR breach examples?
- Meta's 1.2 billion euro fine: The cross-border data transfer debacle.
- Google's violation of GDPR's right to be forgotten.
- Twitter's failure to notify the breach.
- Cathay Pacific: A wake-up call for the industry.
- TIM S.P.A – failure to uphold data subjects' rights.
What is a valid example of personal data processing?
A company collects customers' names, email addresses, and phone numbers to send newsletters and promotional offers. This is personal data processing as the company is collecting, storing, and using personal data to communicate with customers.
Can GDPR be enforced in the US?
GDPR enforcement in the US comes from EU Data Protection Authorities (DPAs), rather than US regulators. This might seem counterintuitive, but it's how the regulation is designed to work across borders. EU Data Protection Authorities have full jurisdiction over US companies that process EU personal data.
What exactly constitutes a GDPR breach?
What is a personal data breach? A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
What rights do individuals have under GDPR?
- right of access to personal information.
- right to correct inaccurate personal information.
- right to have their personal information deleted (within certain limits).
- right to restrict use of their personal information in certain circumstances.
What are the 6 legal bases of GDPR?
Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
Who is exempt from GDPR?
Some of the most common exemptions include businesses that do not process personal data of living persons, businesses that have no connection with the European Union, derogations for businesses with fewer than 250 employees, or data processing primarily for personal/household activities.
What is not considered personal information?
Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person. Examples of non-PII include, but are not limited to:
- Aggregated statistics on the use of product/service.
- Partially or fully masked IP addresses.
What is data masking?
Data masking is the process of hiding data by modifying its original letters and numbers. Due to regulatory and privacy requirements, organizations must protect the sensitive data they collect about their customers and operations.
What is the most sensitive personal information?
Sensitive information often includes personal details such as names, addresses, social security numbers, and medical records. Safeguarding this information is crucial to protecting individuals' privacy and preventing identity theft, fraud, or other forms of exploitation.