Data of any EU citizen / entity cannot be shared without explicit consent. A Terms & Conditions / Privacy checkbox does not count as suitable consent under this law; explicit consent is required.
Records of consent must be stored: when it was given, how, at what time, when it was revoked, etc.
Any data breach or hacking incident must be reported to the stakeholders within 72 hours.
It applies to the whole of the EU.
Consent can be withdrawn at any time the person wants, and the data processor / controller must comply.
There is a right to be forgotten. If someone tells a data processor / controller “FORGET ME”, it must remove all data on them. This applies to all places that store and process / control the relevant data.
GDPR applies to the Production environment of digital systems that hold data on EU citizens or entities. If a Test / Pre-Production environment holds unmasked data of EU citizens / entities, this law applies there as well.