Summaries of EU Legislation

Title and reference
Protection of personal data (from 2018)

Dates
  • Date of last review: 21/11/2016
  • Initial creation date: 21/11/2016
Miscellaneous information
  • Author: Publications Office
Protection of personal data (from 2018)

SUMMARY OF:

Regulation (EU) 2016/679 — protection of natural persons with regard to the processing of personal data and the free movement of such data

WHAT IS THE AIM OF THE REGULATION?

KEY POINTS

Citizens’ rights

The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data. These include:

  • easier access to their data — including providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way;
  • a new right to data portability — making it easier to transmit personal data between service providers;
  • a clearer right to erasure (‘right to be forgotten’) — when an individual no longer wants their data processed and there is no legitimate reason to keep it, the data will be deleted;
  • right to know when their personal data has been hacked — companies and organisations will have to inform individuals promptly of serious data breaches. They will also have to notify the relevant data protection supervisory authority.

Rules for businesses

The GDPR is designed to create business opportunities and stimulate innovation through a number of steps including:

  • a single set of EU-wide rules — a single EU-wide law for data protection is estimated to make savings of €2.3 billion per year;
  • a data protection officer, responsible for data protection, will be designated by public authorities and by businesses which process data on a large scale;
  • one-stop-shop — businesses only have to deal with one single supervisory authority (in the EU country in which they are mainly based);
  • EU rules for non-EU companies — companies based outside the EU must apply the same rules when offering services or goods, or monitoring behaviour of individuals within the EU;
  • innovation-friendly rules — a guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default);
  • privacy-friendly techniques such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it);
  • removal of notifications — the new data protection rules will scrap most notification obligations and the costs associated with these. One of the aims of the data protection regulation is to remove obstacles to free flow of personal data within the EU. This will make it easier for businesses to expand;
  • impact assessments — businesses will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals;
  • record-keeping — SMEs are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed.
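As an added illustration of the pseudonymisation technique named in the list above (replacing identifying fields within a record with artificial identifiers), the following Python is example code that is not part of this summary or of the regulation. It tokenises the direct identifiers of a record with a keyed HMAC and keeps the key and the re-identification table apart from the pseudonymised data. The sample record, the list of identifying fields and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample record for the example; not real personal data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "order_total_eur": 42.50,
}

# Fields treated as direct identifiers and replaced with artificial identifiers.
IDENTIFYING_FIELDS = ("customer_id", "email", "full_name")

# Constructed secret for the example. In a real deployment the key lives in a
# separate key store, away from the pseudonymised dataset.
SAMPLE_KEY = b"example-pseudonymisation-key-do-not-reuse"


def pseudonym(value: str, key: bytes) -> str:
    """Derive an artificial identifier from a value with keyed HMAC-SHA256.

    Without the key the token cannot be recomputed from a guessed value, so
    the pseudonymised dataset on its own no longer identifies the person.
    The same value always maps to the same token, which keeps records
    linkable for analytics.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + digest[:32]


def pseudonymise(record: dict, key: bytes, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymised_record, lookup_table).

    The lookup table maps tokens back to the original values. It is the
    additional information needed for re-identification and must be stored
    separately from the pseudonymised data, under stricter access control.
    """
    out = dict(record)
    lookup = {}
    for field in fields:
        if field in out and out[field] is not None:
            token = pseudonym(str(out[field]), key)
            lookup[token] = out[field]
            out[field] = token
    return out, lookup


def reidentify(record: dict, lookup: dict, fields=IDENTIFYING_FIELDS) -> dict:
    """Restore the original values using the separately held lookup table."""
    out = dict(record)
    for field in fields:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


def contains_direct_identifiers(record: dict, original: dict,
                                fields=IDENTIFYING_FIELDS) -> bool:
    """Check whether any original identifying value survives in the record."""
    return any(record.get(f) == original[f] for f in fields)


if __name__ == "__main__":
    pseudo, table = pseudonymise(SAMPLE_RECORD, SAMPLE_KEY)
    print(json.dumps(pseudo, indent=2))
    print("identifiers removed:", not contains_direct_identifiers(pseudo, SAMPLE_RECORD))
    print("re-identified:", reidentify(pseudo, table) == SAMPLE_RECORD)
```

Keying the token matters: an unkeyed hash of an e-mail address can be recomputed by anyone able to guess candidate addresses, so it would not prevent re-identification, whereas with the key held elsewhere the pseudonymised dataset no longer identifies the person on its own while records stay linkable. Encryption, the other technique the list names, differs in that the output is reversible by design with the decryption key rather than through a lookup table.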

Review

The European Commission must submit a report on the evaluation and review of the regulation by 25 May 2020.

FROM WHEN DOES THE REGULATION APPLY?

The GDPR will apply as of 25 May 2018.

BACKGROUND

For more information, see:

MAIN DOCUMENT

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88)

RELATED ACTS

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131)

last update 21.11.2016
