GDPR

Regulation (EU) 2016/679 (General Data Protection Regulation)

Foundational EU data protection law with direct AI enforcement precedent. Article 22 restricts automated decision-making; Article 9 classifies mental health data as special category requiring explicit consent; Article 8 sets children's consent thresholds (13-16 by member state).

Jurisdiction

European Union

Enacted

Apr 27, 2016

Effective

May 25, 2018

Enforcement

EU/EEA Data Protection Authorities + EDPB coordination

EUR-Lex

Why It Matters

The Replika enforcement (€5M, May 2025) establishes that companion AI processes special category health data. The Italian DPA found that positioning a product as a "confidant, therapist, romantic partner" requires enhanced protections. This reasoning applies EU-wide.

Recent Developments

Italy's Garante fined OpenAI €15M (Dec 20, 2024). The Garante fined Replika €5M (decision Apr 10, 2025; announced May 19, 2025), among the first major companion AI enforcement actions. EDPB Opinion 28/2024 addresses AI model training.

Who Must Comply

  • Controllers/processors handling EU personal data
  • Non-EU entities processing EU residents' data (extraterritorial)

Safety Provisions

  • Article 22: Right not to be subject to decisions based solely on automated processing with legal/significant effects
  • Article 9: Mental health data is "special category" requiring explicit consent
  • Article 8: Children's consent threshold of 13-16 years (varies by member state); parental consent required below that age
  • Articles 13/14: Transparency about automated decision-making logic, significance, consequences
  • Article 35: DPIA required for high-risk processing (health data, systematic monitoring)
  • Data protection by design and by default
  • Data subject rights (access, deletion, objection, portability)
  • Security obligations and 72-hour breach notification

Compliance & Enforcement

Penalties

€20M or 4% of revenue (whichever is higher)

Private Right of Action

Individuals can sue directly without waiting for regulatory action.

Focus Areas

Mental health & crisis
Child safety
Algorithmic accountability
Active safeguards required

Compliance Help

Requires a lawful basis (explicit consent for mental health data under Art. 9); a DPIA for high-risk features; data minimization and deletion at the end of the retention period; user rights workflows; an Art. 22 posture for significant automated decisions; and age verification/parental consent for children.

Cite This

APA

European Union. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation).

Last updated February 17, 2026. Verify against primary sources before relying on this information.