This information is intended to support you through your data protection and privacy journey, and should not be used as a substitute for legal advice.

What is the EU General Data Protection Regulation?

As of May 25, 2018, the GDPR introduces far-reaching obligations for companies that collect, use, or otherwise process personal information.

The GDPR is the EU’s reform of its privacy framework. It replaces and harmonizes the EU’s long-standing bundle of national data privacy laws.

The GDPR introduces a single framework that is directly applicable in all EU Member States. However, a number of national customizations remain possible.

The GDPR contains the same six core data protection principles, but there are significant changes and additional requirements designed to protect EU citizens’ privacy. For example, the GDPR introduces certain enhanced rights for covered individuals, such as data portability rights.

To whom does the GDPR apply?

Companies established in the EU that process personal information.

Companies based outside the EU that: offer goods or services directly to individuals in the EU (regardless of whether payment is required), or monitor behavior of individuals in the EU (for instance, through customer profiling).

Key changes under GDPR.

Personal Privacy

Individuals have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Request personal data access

Privacy by Design

GDPR introduces the Privacy by Design principle. Inxite Out continues to deepen our commitment to privacy as we work with customers, on an ongoing basis, to develop the best approach to addressing these new regulations.


Internal focus for all associates.

Controls + Notifications.

Organizations need to:

  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data
  • Keep records detailing data processing

What is a data controller and data processor?

The GDPR applies to both data “controllers” and data “processors” of EU personal data. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

International data transfers

If your organization operates in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead data protection supervisory authority.

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the EU-U.S. and Swiss-U.S. Privacy Shields.