What is the GDPR?

On this page: gdpr, when privacy, uavg
Date of last review: 2022-07-11

The General Data Protection Regulation (GDPR, Dutch: Algemene Verordening Gegevensbescherming [AVG]) is an EU-wide regulation meant to protect the privacy of individuals within a rapidly growing technological society. The GDPR facilitates the free movement of personal data within the European Economic Area (EEA). Its data processing principles are meant to ensure a fair balance between competing interests – for example, the right to conduct research vs. the right to protect personal data (Articles 13 and 8, from the Charter of Fundamental right of the EU).

The GDPR in a nutshell

All articles and recitals of the GDPR can be found online via https://gdpr-info.eu/. The video below highlights some important aspects of the GDPR:

Click to read the English video transcript
The General Data Protection Regulation (GDPR) regulates what we can and cannot do with personal data such as a person’s name, sexual orientation, home address and health. This also applies to personal data used in research and education. The regulation consists of 88 pages. Fortunately, the basics are easy to remember in 3 steps:
  1. First, there must be a clear legal basis for processing personal data. This can include consent, a legal obligation, or public interest.
  2. Second, appropriate technical and organisational measures must be taken while processing personal data to ensure maximum privacy.
  3. Lastly, the persons whose data you have collected must always have the option of inspecting, changing, or removing their personal data.
That is the GDPR in a nutshell.

When does the GDPR apply?

The GDPR has been applicable from May 2018 onward and applies when:

  • you are processing personal data (material scope, art 2).
  • the controller or processor of the data resides in the EEA (territorial scope, art. 3). This is independent of whether the actual processing takes place in the EEA. In some cases, the GDPR also applies when the controller or processor is not established in the EEA, but is processing data from EU citizens.

If you are collecting or using data that originated from individuals (or is related to individuals), it is very likely that the GDPR applies to your project. You can read more in the chapter What are personal data?.


While the GDPR is a regulation for the entire EEA, each EEA country can additionally implement further restrictions and guidelines in national implementation laws. The Dutch implementation law is called “Uitvoeringswet AVG (UAVG)”. The UAVG determines, for example, that it is forbidden to process Citizen Service Numbers (BSN), unless it is for purposes determined by a law or a General Administrative Order (AMvB).