General Data Protection Regulation (GDPR)
GDPR governs the processing of the personal information of EU residents.
This page will be updated after 1 December 2020 when the Privacy Act 2020 comes into effect.
For information about the new Privacy Act see: Office of the Privacy Commissioner — Resources
The European Union’s (EU) General Data Protection Regulation (GDPR) came into force in May 2018.
The GDPR’s main purpose is to harmonise data protection laws across the EU. The law imposes a comprehensive set of principles and obligations on agencies that fall within its scope.
Agencies in scope of the GDPR
The GDPR applies to:
- agencies operating in the EU (for example, agencies that have staff living and working in the EU)
- agencies outside of the EU that offer goods or services to the EU or monitor the behaviour of EU residents.
While the GDPR imposes additional obligations on agencies, and provides additional privacy rights to EU residents, an agency is likely to comply with most of its obligations under the GDPR if it complies with the Privacy Act.
Agencies that are in scope of GDPR will need to ensure they have appropriate systems and processes in place to comply with all applicable additional obligations.