What is General Data Protection Regulation (GDPR)

​The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU, to strengthen and unify data protection for all individuals within the European Union (EU).

A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Both data that has been 'provided' by the data subject, and data that has been 'observed' — such as about their behaviour — is within scope. The data must be provided by the controller in a structured and commonly used Open Standard electronic format. 

Under EU rules, you have the following rights or obligations:

As an Individual:
  • Your data may be collected and used only under strict conditions and you must always be informed about the intention to collect and use your data.
  • Data controllers must respect your rights while processing personal data entrusted to them.
  • You have the right to know the name of the controller, what the processing is going to be used for, to whom your data may be transferred;
  • You have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;
  • You are entitled to ask the data controller if he or she is processing personal data about you;
  • You have the right to receive a copy of this data in intelligible form;
  • You have the right to ask for the deletion, blocking or erasing of the data.
  • Decisions that can significantly affect your life, such as granting loans or insurance, are sometimes taken on the sole basis of automated data processing, data controllers must adopt suitable safeguards, such as giving you the opportunity to discuss the thinking behind the processing of the data or to contest decisions based on inaccurate data.
  • If you believe your data protection rights have been breached, you may also submit an official complaint.
As a Data Controller:
  • Each data controller must respect the following rules as set out in the Directive:
  • Personal Data must be processed legally and fairly;
    It must be collected for explicit and legitimate purposes and used accordingly;
  • It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
    It must be accurate, and updated where necessary;
  • Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
  • Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
  • Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
  • These protection measures must ensure a level of protection appropriate to the data.
  • If a data subject is of the view that his/her data has been compromised, he/she can send a complaint to the data controller. If the data controller's handling of a complaint is not satisfactory, the data subject can file a complaint to the national supervisory data protection authority.
  • Every EU country must provide one or more independent supervisory authorities to monitor its application, all data controllers must notify their supervisory authorities when they process personal data.
The new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.

GDPR becomes enforceable from 25 May 2018, unlike a directive, it does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable. A single set of rules will apply to all EU member states.


Sources: European Commission 2018 reform of EU data protection rules,  Data protection and Wikipedia

Learn more about all the forces at play

Sign up for updates

* Prifina will not share it with any third party.

The User-Held Data Company

Prifina is a venture-backed data platform based in San Francisco dedicated to enabling Personal AI Twins and personal data ownership. Prifina empowers individuals to collect, combine, and leverage their personal information, giving them full control over their digital lives. Consumer brands and developers can create AI agents and apps that deliver personalized customer experiences while ensuring users retain ownership and control over their data.
​© 2025 Prifina, Inc.