✓ Fines up to €20,000,000 or 4% of an entity’s total worldwide annual turnover
✓ Significantly expanded territorial scope
✓ Mandatory data breach notification in certain cases
✓ Mandatory appointment of a Data Protection Officer in certain cases
✓ Data Processors now also directly responsible at law
✓ More stringent consent requirements
✓ Increased level of information to be provided to data subjects
✓ More stringent requirements in controller-processor contracts
✓ Removal of the general notification requirement
✓ New data subject rights