The GDPR includes new and improved privacy rights for individuals within the EU, such as “the right to be forgotten”. The new obligations relate to the collection, use and transfer of consumers’ personal data.
According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
The regulation applies if the data controller or processor (organisation) or the data subject (person) is based in the EU. It also applies to organisations based outside the European Union if they process personal data of EU residents.