Innopulse Consulting

What is the GDPR?

Short definition

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European Union’s central data protection law. It governs how personal data is processed, grants individuals enforceable rights over their data, and binds any organisation that processes the data of people in the EU — wherever that organisation is based. Breaches can attract fines of up to 4% of global annual turnover.

The GDPR — the General Data Protection Regulation, formally Regulation (EU) 2016/679 — is the European Union’s central data protection law and the reference point for privacy regulation worldwide. It sets out how personal data may be processed, gives individuals a set of enforceable rights, and applies to virtually any organisation that handles the personal data of people in the EU. For any company building software or operating in the DACH region, the GDPR is the baseline against which data practices are measured.

What counts as personal data

The GDPR governs the processing of personal data — any information relating to an identified or identifiable natural person. This is broad: it covers obvious identifiers like names and email addresses, but also IP addresses, device identifiers, location data, and any data that, alone or combined, can single out an individual. Because the definition is wide, most business systems process personal data in some form, which is precisely why the regulation reaches so far.

The core principles

At the heart of the GDPR are principles that govern all processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Together they require that data be collected for clear purposes, kept no longer than necessary, limited to what is needed, kept secure, and processed in ways people can understand. Accountability adds a meta-principle: the organisation must not only comply but be able to demonstrate it.

Lawful bases for processing

The GDPR permits processing only where there is a lawful basis. The six bases are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests. Choosing the correct basis is a foundational decision: it shapes what an organisation may do with the data and which rights individuals can exercise. Consent, often over-relied upon, is only one option and carries its own strict conditions.

Controllers and processors

The GDPR assigns duties according to role. A controller determines the purposes and means of processing; a processor acts on the controller’s behalf. Controllers bear primary responsibility for compliance, while processors have their own direct obligations and must operate under a written contract — a data processing agreement. For software companies, understanding whether they act as controller, processor, or both for a given dataset is essential, because it determines their obligations.

Data-subject rights

The regulation grants individuals a suite of rights: access to their data, rectification of inaccuracies, erasure in defined circumstances, restriction of processing, data portability, and the right to object. Organisations must be able to honour these requests within set timeframes. Building systems that can locate, export, correct, and delete an individual’s data is therefore not optional — it is a structural requirement that is far easier to meet when designed in from the start.

Territorial scope

The GDPR’s reach extends well beyond the EU’s borders. It applies to organisations established in the EU, but also to those outside it that offer goods or services to people in the EU or monitor their behaviour. A Swiss or US company serving European users is therefore squarely within scope. This extraterritorial effect is one reason the GDPR has become a de facto global standard rather than a purely European one.

International data transfers

Transferring personal data outside the EU is permitted only under specific safeguards — an adequacy decision for the destination country, standard contractual clauses, or other recognised mechanisms. Because so much software relies on cloud infrastructure that may span borders, transfer compliance is a recurring practical issue. Keeping data resident within the EU, where feasible, is a common way to reduce this complexity.

Security and breach notification

The GDPR requires appropriate technical and organisational measures to keep personal data secure, proportionate to the risk. When a breach occurs, controllers generally must notify the supervisory authority without undue delay — and, where the risk to individuals is high, the affected people too. This makes security not just good practice but a legal duty, and it makes having a breach-response plan a compliance necessity rather than an afterthought.

Enforcement and fines

The GDPR is backed by significant penalties. The most serious breaches can attract fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. Supervisory authorities in each member state enforce the regulation and can also order processing to stop. The scale of potential penalties, combined with reputational exposure, is why GDPR compliance is treated as a board-level concern rather than a purely technical one.

The GDPR and Switzerland

For Swiss companies, the GDPR matters even though Switzerland is not in the EU: any Swiss business serving EU customers falls within its scope. Switzerland’s own law, the revised Federal Act on Data Protection, was deliberately aligned with the GDPR, so organisations often face both regimes at once. Designing to the GDPR standard typically satisfies the bulk of Swiss requirements too, which is why DACH-focused products tend to build to GDPR by default.

Conclusion

The GDPR is the foundation of European data protection: a principles-based, extraterritorial regulation that governs how personal data is processed, grants individuals strong rights, and assigns clear duties to controllers and processors, all backed by substantial fines. For software companies and DACH businesses, it is the baseline standard — and because Swiss law mirrors it, building to the GDPR is usually the most efficient route to compliance across the region.