GDPR (General Data Protection Regulation)
GDPR (General Data Protection Regulation) is the main EU law that governs how personal data of people in the EU is collected, used, stored, shared, and transferred. It matters because it gives individuals stronger rights over their data and puts compliance duties on organizations that handle that data, including some businesses outside the EU if they target or monitor people in the EU.
Quick facts:
- Also called: General Data Protection Regulation
- In force since: May 25, 2018
- Applies to: personal data processing involving people in the EU/EEA
- Core idea: lawful, transparent, and accountable handling of personal data
- Separate from: copyright law, platform content rules, and ordinary contract terms
Example:
A music platform collects user emails, payment details, account activity, and cookie-based analytics from customers in the EU. If GDPR applies, the platform may need a valid legal basis for that processing, a clear privacy notice, data security safeguards, and a way for users to exercise rights such as access or deletion.
Gotchas:
- GDPR is not just for EU companies. It can also apply to organizations outside the EU if they offer goods or services to people in the EU or monitor their behavior there.
- It is about personal data, not copyright. GDPR deals with privacy and data processing, while copyright law deals with ownership and use of creative works.
- Consent is not the only legal basis. Organizations may rely on other lawful bases depending on the context, so “GDPR compliant” does not simply mean “got a checkbox.”
- Compliance is broader than a privacy policy. GDPR also covers security, user rights, data minimization, cross-border transfers, breach response, and accountability.
Related terms:
Platform Terms of Service • EULA • Service Provider • Embedded Metadata • Content ID • Copyright Law • Music Log