The European Union defines the protection and processing of personal data of natural persons within the Union as a fundamental right, which must be considered in relation to its function in society and balanced against other fundamental rights. This is furthered by the articles 8(1) of the Charter of Fundamental Rights of the European Union and 16(1) of the TFEU. Over the years, the internal market led to economic and social integration and thus substantial flows of personal data across borders. Data protection in the European single market seeks a uniform framework where citizens can rely on.
Prior to the GDPR Regulation, member states had their own legal frameworks under guidance of the European Data Protection Directive. The difference between regulation and a directive is that regulation has direct effect, while a directive allows sovereign states to implement a framework as they see fit in national legislation, for as long as the objective is secured. The ever growing importance and global penetration of personal data and privacy justifies data protection Regulation and EU law.
Data protection relates to both to data subjects and to enterprises controlling and processing the sensitive data of these data subjects. Supervisory authorities in the EU member states control abidance with the regulation to fulfil data protection for its citizens. The supervisory authority mainly works in a reactive way. Data subjects file a complaint with their local data protection supervisor who in turn investigates the complaint. If the investigation reveals shortcomings, processors and controllers can be held responsible for breaches.
Regulation for data protection aims to protect personal data of natural persons in the European Union and several other states. This means that any enterprise that deals with data from natural persons in the EEA is subject to the regulation. The purpose for data collection and processing by an enterprise is irrelevant. The only thing that matters is the uniform protection of data of natural persons throughout the EEA.