The data protection package adopted in May 2016 aims at making Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed.
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This text includes the corrigendum published in the OJEU of 23 May 2018.
The regulation is an essential step to strengthen individuals’ fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. A single law will also do away with the current fragmentation in different national systems and unnecessary administrative burdens.
The regulation entered into force on 24 May 2016 and applies since 25 May 2018. More information for companies and individuals.
Information about the incorporation of the General Data Protection Regulation (GDPR) into the EEA Agreement.
The EU’s cookie regulations, which are part of the General Data Protection Regulation (GDPR), aim to protect the privacy of online users. Here are some key points to keep in mind:
It’s important to note that the regulations apply to all websites targeting EU users, regardless of where the website is based. Failure to comply with the regulations can result in hefty fines. Therefore, website owners should ensure that they have clear policies and procedures in place to obtain and manage users’ cookie consent.
Personal data must be collected lawfully, fairly, and transparently for legitimate purposes. The data must be adequate, relevant, and limited to what is necessary, accurate, and updated. The storage of personal data must be possible for identification but not longer than necessary, and must be processed with confidentiality. The data controller is responsible for compliance with these principles. Personal data may be transferred only under strict conditions and with additional safeguards in the EU. Sensitive data may not be processed except under special circumstances. Data subjects have the right to withdraw their consent, access and correct their personal data, and object to processing. Controllers must inform data subjects when collecting data, reply to their requests, ensure data protection compliance, use only EU-approved data processors, maintain detailed records, notify data breaches, perform data protection impact assessments, and ensure the security of electronic networks. The EDPS, acting with independence and confidentiality, supervises EU institutions’ data processing, conducts investigations and sanctions, warns controllers, and cooperates with national data protection supervisory authorities. Data protection officers are appointed for a term of 3-5 years. The regulation has applied since December 11, 2018, and applies to the processing of personal data by Eurojust since December 12, 2019.
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).
Commission Decision (EU) 2020/969 of 3 July 2020 laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC (OJ L 213, 6.7.2020, pp. 12–22).
Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ L 204, 26.6.2020, pp. 49–59).
European Data Protection Supervisor Decision of 2 April 2019 on internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Data Protection Supervisor (OJ L 99I, 10.4.2019, pp. 1–7).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).
Successive amendments to Regulation (EU) 2016/679 have been incorporated into the original text. This consolidated version is of documentary value only.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).
Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offenses or the execution of criminal penalties, and on the free movement of such data.
The directive protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities for law enforcement purposes. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.
The directive entered into force on 5 May 2016 and EU countries had to transpose it into their national law by 6 May 2018.
EU countries have set up national bodies responsible for protecting personal data in accordance with Article 8(3) of the Charter of Fundamental Rights of the EU.
The European Data Protection Board (EDPB) is an independent European body which shall ensure the consistent application of data protection rules throughout the European Union. The EDPB has been established by the General Data Protection Regulation (GDPR).
The EDPB is composed of the representatives of the national data protection authorities of the EU/EEA countries and of the European Data Protection Supervisor. The European Commission participates in the activities and meetings of the Board without voting right. The secretariat of the EDPB is provided by the EDPS. The secretariat performs its tasks exclusively under the instructions of the Chair of the Board.
The EDPB tasks consist primarily in providing general guidance on key concepts of the GDPR and the Law Enforcement Directive, advising the European Commission on issues related to the protection of personal data and new proposed legislation in the European Union, and adopting binding decisions in disputes between national supervisory authorities.
Regulation 2018/1725 sets forth the rules applicable to the processing of personal data by European Union institutions, bodies, offices and agencies. It is aligned with the General Data Protection Regulation and the Data Protection Law Enforcement Directive. It entered into application on 11 December 2018.
Regulation 2018/1725 established a European data protection supervisor (EDPS). The EDPS is an independent EU body responsible for monitoring the application of data protection rules within European Institutions and for investigating complaints.
The European Commission has appointed a Data Protection Officer who is responsible for monitoring and the application of data protection rules in the European Commission. The data protection officer independently ensures the internal application of data protection rules in cooperation with the European data protection supervisor.
Following the adoption in June 2021 of two sets of Standard Contractual Clauses (SCC) (one for the use between controllers and processors within the European Economic Area (EEA)and one for the transfer of personal data to countries outside of the EEA), the European Commission published on 25 May 2022 Questions and Answers (Q&As) to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the General Data Protection Regulation (GDPR). These Q&As are based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption. The Q&As are intended to be a ‘dynamic’ source of information and will be updated as new questions arise.