The General Data Protection Regulation also addresses the export of personal data outside the EU. The Commission's primary objectives for the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When the GDPR takes effect, it will replace the data protection directive (officially Article 29 of Directive 95-46-EC) from 1995. Perhaps confusingly for some, there is a new directive as well as a new regulation; it will apply to police procedures, which will continue to vary from one Member State to another.
The regulation was adopted on 27 April 2016. It enters into application on 25 May 2018 after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by governments.
The regulation does not apply to the processing of personal data for national security activities or law enforcement ("competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties").
"Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
- Customer data, purchasing histories, pictures, emails, names and phone numbers;
- IP addresses and motor vehicle registration numbers;
- B2B and B2C information;
- Biometric information such as fingerprints, faces, voice prints and eyeballs.
Not only is the personal data itself covered by the new rules, but everything that’s done with the data, too. “Processors [of data] also have a responsibility,” Hammarstrand said. “What’s new in this legislation is they have a direct responsibility. They could actually be reviewed and fined if they are not complying with the legislation.”
When is processing permitted?
- Necessary for the performance of a contract to which the data subject is party
- Necessary for compliance with a legal obligation
- Necessary in order to protect the vital interests of the data subject
- Necessary for the performance of a task carried out in the public interest
- Legitimate interests when not overridden by the interests of the data subject
- Informed Consent