
10 Years Since the Adoption of the GDPR (General Data Protection Regulation)

April 2026 marks ten years since the adoption of Regulation (EU) 2016/679 (GDPR), which constitutes the fundamental legislative framework of the European Union for the protection of personal data and the enhancement of individuals’ privacy. This Regulation replaced Directive 95/46/EC, aiming to adapt the legal framework to modern digital conditions and the increased need for the protection of private life. At the same time, it further specified the requirements of Article 8 par. 1 of the Charter of Fundamental Rights of the European Union and Article 16 par. 1 of the TFEU, effectively enshrining the right of every individual to the protection of personal data concerning them.

Of particular importance was the EU legislator’s choice to adopt a Regulation rather than a Directive. Unlike Directives, which bind Member States as to the result to be achieved and require transposition into national law, the GDPR has direct and uniform application across all Member States, thereby enhancing legal certainty and ensuring a consistent level of protection for individuals within the Union.

The GDPR has significantly strengthened the rights of data subjects. Among others, it established the right of access, rectification, and erasure (“right to be forgotten”), as well as the right to be informed about the processing of personal data. At the same time, it imposed enhanced transparency obligations on data controllers, requiring clear and prior information to data subjects regarding the content and purpose of processing, as well as the identity of the controller.

Furthermore, the Regulation introduced fundamental principles such as data minimization, accountability, purpose limitation, and storage limitation. Organizations are required to implement appropriate technical measures to ensure data protection, while in the event of a data breach, there is an obligation to notify the competent authorities within 72 hours and, where necessary, the data subjects themselves.

These obligations are accompanied by a strict system of sanctions. Administrative fines may reach up to 4% of a company’s global annual turnover or up to €20 million, demonstrating the substantive and not merely formal enforcement of the Regulation.

The influence of the GDPR has extended beyond the borders of the European Union, serving as a model for similar legislation worldwide (e.g., in the United States and the UK GDPR), thereby confirming its regulatory reach and its impact on the global legal landscape.

Moreover, the GDPR has served as the foundation for the development of a broader EU digital strategy. More recent legislative instruments, such as the AI Act and the Data Act, draw from its core philosophy, extending the protection of individuals into emerging fields such as artificial intelligence. In this way, the European Union seeks to establish a coherent and holistic regulatory framework capable of addressing the challenges of the digital age.

Since the entry into force of the Regulation and Law 4624/2019, our law firm, through its specialized associates, has been supporting its clients, companies and individuals, in the practical implementation of personal data protection legislation in Greece, by providing tailored policies and expert advice.