The EU's stringent data protection rules have bolstered the rights of European citizens and imposed new responsibilities on companies since coming into force a year ago.
Here is an explainer on the rights and obligations entailed under the General Data Protection Regulation (GDPR), which launched on May 25, 2018.
Facebook, Google 'manipulate' users to share data despite EU law - study
Rules for companies
For companies, the regulations are not one-size-fits-all. Their obligations depend on what kind of data they collect, what they do with it and their size. It doesn't matter if they are European firms or not - if they collect data from Europeans then the GDPR applies to them.
For most small and medium-sized businesses the regulations simply protect the information they have on their clients and suppliers using the "rules of common sense", in the words of France's data protection agency CNIL.
One of the GDPR's main objectives is to reduce the amount of data being collected and processed from the start.
This means that firms should evaluate what data they really need, and then how to protect it. The information should then be updated regularly.
Clients and subcontractors should also be informed about what data is being collected and what for, as well as how they can exercise their rights.
Companies also need to set out policies on who has access to data and how, designate who is responsible for data protection and put into place all necessary measures to safeguard the data, particularly sensitive information.
Firms also have the right to appeal to their national data regulator.