GDPR
The GDPR is the European Union’s data-protection law, which can apply to Canadian businesses that offer goods or services to, or monitor, people in the EU, with fines up to €20 million or 4% of global turnover.
The General Data Protection Regulation (GDPR) is the EU’s comprehensive privacy law. It has extraterritorial reach: a Canadian business can fall under it if it offers goods or services to individuals in the EU or monitors their behaviour, regardless of where the company is based.
GDPR grants strong individual rights (access, erasure, portability, objection), requires a lawful basis for processing, and mandates 72-hour breach notification to regulators. Fines reach €20 million or 4% of global annual turnover, whichever is higher.
Canada currently holds a partial adequacy recognition under PIPEDA for commercial data transfers, which eases lawful data flows from the EU — though that status is periodically reviewed.