The importance of personal data processing for international organizations (IOs) demonstrates the need for them to implement data protection in their work. The new EU General Data Protection Regulation (GDPR) will have considerable influence around the world, and will impact IOs as well. The application of the GDPR to IOs should be determined under relevant principles of EU law and public international law, and it should be interpreted consistently with the international obligations of the EU and its Member States. It is in the interest of IOs to implement data protection measures regardless of whether the GDPR applies to them in a legal sense. There is a need for the requirements of EU law and international law to take each other better into account, so that IOs can enjoy their privileges and immunities also with regard to EU law and avoid legal conflicts, while still providing a high level of data protection in their operations.