The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also deals with the transfer of personal data outside the EU and EEA areas. GDPR’s primary goal is to improve individuals’ control and rights over their personal data and to simplify the regulatory environment for international business. The regulation replaces the data protection directive 95/46/EC, and contains provisions and requirements related to the processing of personal data about individuals, formally called “data subjects”, who are located in the EEA, and applies to any business – regardless of its location and the citizenship or residence of the data subjects – that is, processing of personal data of individuals within the EEA.
The GDPR was adopted on 14 April 2016 and was enforced from 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, providing flexibility for certain aspects of the regulation to be adjusted by individual member states.
The regulation became a model for many other laws around the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. From 6 October 2022, the UK retains the law in identical form despite no longer being an EU member state. The California Consumer Privacy Act (CCPA), enacted on June 28, 2018, has many similarities to the GDPR.
