A data privacy legal framework all European Union (EU) countries share. The GDPR regulates transmission, storage, and use of personal data associated with people “based in” the EU. Organizations may process personal data only on the basis of at least one of the following six justifications: 1. Processing is done with the individual’s own consent. 2. Processing is done pursuant to a contract with the individual. 3. Processing is necessary to comply with an existing legal obligation. 4. Processing is necessary to protect a person’s vital interests. 5. Processing is necessary for the public interest or in the exercise of public authority. 6. Processing is necessary in pursuit of a legitimate interest of the organization or some third party.