The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.
The GDPR strengthens and expands the rights of individuals to control how their personal data is collected, used, and shared. It also imposes stricter obligations on organizations that process personal data, with administrative fines for non-compliance of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Under the GDPR, personal data is any information relating to an identified or identifiable natural person (the "data subject"). This includes, but is not limited to, name, address, email address, online identifiers such as an IP address, and health information. Certain categories, such as health data, biometric data used for identification, and data revealing racial or ethnic origin or political opinions, are treated as special categories and are subject to stricter conditions.
Organizations that process personal data must have a lawful basis for doing so. The GDPR recognizes six: the individual's consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, and the organization's legitimate interests where these are not overridden by the individual's rights. Consent must be freely given, specific, informed, and unambiguous, and explicit consent is required for processing special-category data. Organizations must also implement appropriate technical and organizational measures (for example pseudonymization, encryption, access control, and the ability to restore availability after an incident) to protect personal data and must be able to demonstrate that it is processed in accordance with the GDPR.
Individuals have the right to request access to their personal data, the right to have their personal data rectified or erased, the right to restrict processing, and the right to data portability. They also have the right to object to the processing of their personal data and the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects or similarly significantly affects them.
Organizations that suffer a personal data breach must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, the organization must also inform the affected individuals without undue delay. Processors must notify the controller on whose behalf they process the data without undue delay after becoming aware of a breach.
The GDPR applies to organizations established in the EU or EEA, and to organizations outside the EU and EEA that offer goods or services to individuals in the EU or EEA or monitor their behaviour there. Its scope is defined by where the data subjects are located, not by their citizenship. The regulation was adopted in 2016, became applicable on 25 May 2018, and replaced the 1995 Data Protection Directive (Directive 95/46/EC).