tags: #publish
links: [[Law]]
created: 2020-10-14 Wed
related: [[Schrems I]], [[Schrems II]]

---

# GDPR

**General Data Protection Regulation**

European Union data protection and privacy law effective since 2018. Replaces the previous Data Protection Directive.

https://gdpr.eu/
https://gdpr-info.eu/
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

- Covers processing of data for *any people in the EEA* regardless of whether they are EU citizens/residents.
- Applies to *companies outside the EU* regardless of the location/jurisdiction of the company or the data.

## Provisions

Data may not be processed unless there is a legal basis to do so. Bases include:

- With informed consent for personal data processing
- Contract / legal obligations with the person
- Or, data collector's obligations
- Legal / protecting interests
- Public interest or official
- 'Legit interests' unless overridden by the subject's interest

You can withdraw consent, resulting in a **Right to be forgotten** concept, which was diluted slightly to **Right of erasure**.

You have the right to access your data and info about its processing.

Pseudonymisation is required.

Tech security safeguards are mandated.

Records about processing must be kept.

## Penalties

Large, % of revenue.

## Exemptions

Not much! Personal activities; non-commercial (not *economic activity*, which is a broad definition); law enforcement and national security.