EU Regulation · GDPR
General Data Protection Regulation
Regulation (EU) 2016/679
The General Data Protection Regulation governs how the personal data of people in the EU is processed. It is relevant to any connected product that collects personal data, and shapes obligations such as data minimisation, security of processing and breach notification.
What it covers
Any product that processes the personal data of people in the EU — names, emails, identifiers, biometrics or location.
How it applies to your product
Most connected hardware ends up in scope because it collects personal data — a user account, a device identifier, location or biometrics. The practical duties are data minimisation, security of processing, and breach notification, and they sit alongside the product’s CE-marking file rather than inside it. The CRA and GDPR increasingly overlap on the security of connected devices.
Authoritative source
Always confirm against the primary text on EUR-Lex — the official EU legal database.
Read Regulation (EU) 2016/679 on EUR-Lex