GDPR

GDPR is the European Union's General Data Protection Regulation (Regulation 2016/679, known as RGPD in French), in force since 25 May 2018. It governs how organisations collect, store, and process the personal data of individuals in the EU, granting people enforceable rights and imposing strict accountability obligations on data controllers and processors.

Core obligations and individual rights

GDPR applies to any organisation that processes the personal data of people located in the EU, regardless of where the organisation itself is established. This extraterritorial scope means a non-EU software vendor serving EU users must still comply.

The regulation distinguishes two roles: the data controller, who determines the purposes and means of processing, and the data processor, who processes data on the controller's behalf (typically a SaaS provider or hosting partner). Both carry direct obligations.

Key obligations for organisations include:

  • Lawful basis: every processing activity needs a legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interest).
  • Transparency: clear privacy information must be provided to data subjects.
  • Records of processing: maintaining a register of processing activities.
  • Data Protection Impact Assessments (DPIA): required for high-risk processing.
  • Breach notification: notifying the supervisory authority within 72 hours of becoming aware of a breach, where feasible.
  • Data Protection Officer (DPO): mandatory for certain public bodies and organisations engaged in large-scale or sensitive processing.

GDPR also grants individuals enforceable rights: access, rectification, erasure (the "right to be forgotten"), restriction, data portability, and the right to object.

Penalty tiers and impact on software design

GDPR enforcement is structured around two tiers of administrative fines, applied by national supervisory authorities (such as the CNIL in France).

Aspect          | Lower tier                                                                          | Higher tier
Maximum fine    | Up to 10 million euros, or 2% of total worldwide annual turnover, whichever is higher | Up to 20 million euros, or 4% of total worldwide annual turnover, whichever is higher
Typical triggers | Failures in records, security measures, breach notification, DPO obligations         | Breaches of basic processing principles, lawful basis, consent, or data subject rights
Who can be liable | Controllers and processors                                                         | Controllers and processors

For software teams, GDPR is not a one-off legal checkbox but a set of engineering constraints. Two principles are written directly into the regulation:

  • Data protection by design: privacy safeguards must be built into systems from the outset, not bolted on later.
  • Data protection by default: the most privacy-protective settings should apply unless the user actively changes them.

In practice this shapes how custom software, CRM, and ERP platforms are architected: data minimisation in the schema, granular access controls, audit logging, encryption of personal data, configurable retention and deletion policies, consent management, and the technical ability to export or erase a user's data on request. Cross-border transfers of personal data outside the EU also require an appropriate safeguard, such as Standard Contractual Clauses or an adequacy decision.

Frequently asked questions

What is the difference between GDPR and RGPD?
There is none in substance. GDPR (General Data Protection Regulation) is the English name, and RGPD (Règlement Général sur la Protection des Données) is the French name for the same EU regulation, 2016/679. Both refer to the identical legal text, which applies uniformly across all EU member states.

Does GDPR apply to organisations based outside the EU?
Yes. GDPR has extraterritorial reach. It applies to any organisation that processes the personal data of individuals located in the EU, even if the organisation has no establishment in Europe. This is why non-EU software vendors and SaaS providers serving EU users must comply with the regulation.

What are the maximum fines under GDPR?
GDPR sets two tiers of administrative fines. Less severe infringements can reach up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. The most serious breaches, such as violating data subject rights or processing principles, can reach up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.

What does "data protection by design and by default" mean?
It is a GDPR requirement that privacy be engineered into systems from the start rather than added afterwards. "By design" means building safeguards such as data minimisation, access controls, and encryption into the architecture. "By default" means the most privacy-protective configuration applies automatically unless a user deliberately changes it.
