To decrease the control individuals have over their personal data.

To allow companies unrestricted access to user data.

To tighten Europe's already strict laws about what companies can do with people's data.

To limit the amount of data companies can collect on individuals.

To make it easier for companies to share data across borders.

Because the old laws were sufficient for the digital age.

To reduce the amount of paperwork companies have to do.

Because the old laws were written before smartphones started collecting massive amounts of sensitive information.

Only your social security number.

Any data that can identify you, including IP address or location data.

Only your name and phone number.

Publicly available information.

No, because it is essential for companies to keep data forever.

Yes, people can request to have their data deleted.

Yes, but only if the data is no longer necessary.

No, once data is collected it cannot be deleted.

They receive a warning.

They are required to attend a data protection seminar.

The penalty could be up to 20 million euros or 4% of annual turnover, whichever is larger.

There are no consequences.

They must process data only with verbal consent.

They must ensure data is processed lawfully, fairly, and in a transparent manner.

They are allowed to process data based on assumptions.

They can process data without informing the individual.

Right to data portability and right to object only.

Right to be informed and right to access their data only.

Right to erasure and right to restrict processing only.

Right to be informed, right to access, right to rectification, right to erasure, right to restrict processing, right to data portability, and right to object.

To monitor compliance, educate staff, and be a point of contact for supervisory authorities.

To collect personal data from individuals.

To ensure that the company's marketing strategies comply with GDPR.

To handle customer complaints about product quality.