General Data Protection Regulation states that:
Any processing of personal data where the personal data is processed in the Union by the establishment of the controller or processor in the course of its activities should be carried out in accordance with this Regulation, regardless of whether the processing operation itself takes place in the Union. Habitat means that effective and real activities are carried out through stable structures.
Personal data must be processed in a legal, fair and transparent manner in relation to the data subject (principle of legality, fairness and transparency), that is, only after receiving written consent of free will, active actions and knowing the specific purpose of processing (Article 5);
When data is processed on the basis of consent, the data controller must be able to prove that the data subject has given consent for his personal data to be processed (Article 7);
the duty of data controllers aims to disclose (known) information about the processing of collected personal data to data subjects (Article 13).
As soon as it becomes aware of a violation of personal data security, the data controller should notify the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the violation of personal data security, unless the data controller can prove, in accordance with the principle of accountability, that the violation of personal data security should not endanger the rights and freedoms of natural persons (item 85).