The European General Data Protection Regulation (GDPR) contains rules for companies and public authorities on how personal data is to be protected. At the same time, it also ensures the free exchange if data within the European internal market. The Regulation came into effect on 24 May 2016 and must be applied from 25 May 2018 at the latest. It is part of the EU’s reform of data protection rules. The Regulation establishes the legal basis for data protection activities and defines the rights of data subjects and the obligations of companies. One new element is the ‘right to be forgotten’. The GDPR is also binding upon companies based outside the EU but used by EU citizens.