MADRID: In four weeks’ time, anyone living in Europe will have the right to know everything that companies know about them, under a wide-ranging and far-reaching consumer privacy law. The General Data Protection Regulation (GDPR) will give people better protection over their information, data and online profiles, and means social media or other online companies will have to maintain strict codes over just how and when that data is used — and for how long.

Here are the key points:

What is the GDPR?

The GDPR is a European Union-wide regulation that has been adopted by the 28-member bloc that will require companies to protect the personal data and privacy of anyone who lives in any of the EU countries. It doesn’t just cover citizens of EU nations but also extends to anyone living across the bloc.

When does it take effect?

The GDPR takes effect on May 25 next. It replaces the current rules that came into effect in 1995, and it will restrict the way companies collect, store and use personal data.

Who does GDPR affect?

It applies to anyone living in any EU-member state. But it goes further. It also applies to any company doing business with any customer who lives in the EU, not just companies based in the EU.

What does GDPR cover?

The new data protection and privacy rules apply to any information related to any person living in the European Union that can identify them in any way. This includes names, addresses, IP addresses, telephone numbers, email addresses, bank details, past transactions, photographs, video recordings, posts on social network sites, biometric information of any kind, medical records, financial or insurance histories, survey details — basically anything and everything that might have been collected with permission or otherwise by any company anywhere with dealings with anyone living now in the EU.

Does it affect anyone living outside the EU?

Because the GDPR is so wide-ranging and far-reaching and applies to companies who do business with anyone living in the EU, it will have a knock-on effect on those who live outside the EU. Facebook, for example, has pledged to offer GDPR to all its users regardless of where they live. And because businesses based outside the EU will likely have many dealings with anyone living inside the EU, their safest course is to make sure the same GDPR standards apply to all. Besides, it’ll make their life easier, rather than maintaining two separate databases with separate sets of personal data for EU and non-EU customers.

What rights do people have under GDPR?

Come May 25, anyone living in the EU can file a ‘data subject request’ to any company to see what online data is held. Companies have 30 days to respond to these requests, and penalties can escalate to 4 per cent of total profits in a given year for those who fail to cooperate.

What about data breaches?

Any company that has a data breach has 72 hours to notify its clients of the failure. And failing to do that will result in heavy penalties that may amount to 4 per cent of total profits in a given year.

What’s the right to be forgotten?

The GDPR also gives anyone the right to be forgotten — meaning companies must delete data from any person who withdraws their permission for it to be held. In effect, companies can only collect your personal data if there’s a specific business purpose for it. And they must delete it if requested.

Need more information?

European nations are required to have Data Protection Offices in their individual states. The office of the European Data Protection Board collectively oversees the rules, including the new GDPR on May 25.