The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995.
The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period. Unlike a directive, it does not require national governments to pass any enabling legislation; it is thus directly binding and applicable.
It sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules.
The regulation addresses several fundamental issues.
Data subject’s rights
It lists the rights of the data subject, that is, the individual whose personal data is being processed. These strengthened rights give individuals more control over their personal data, including through:
- the need for the individual’s clear consent to the processing of personal data;
- easier access by the subject to his or her personal data;
- the rights to rectification, to erasure and ‘to be forgotten’;
- the right to object, including to the use of personal data for the purposes of ‘profiling’;
- the right to data portability from one service provider to another.
It also lays down the obligation for controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to data subjects on the processing of their data.
It details the general obligations of the controllers and of those processing the personal data on their behalf (processors). These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform (risk-based approach). Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer.
Monitoring and compensation
The regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level. It also aims to establish mechanisms to create consistency in the application of data protection law across the EU. In particular, in important cross-border cases where several national supervisory authorities are involved, a single supervisory decision is taken. This principle, known as the one-stop shop, means that a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment.
The agreement includes the setting up of a European Data Protection Board. This board would consist of representatives of all 28 independent supervisory authorities and would replace the existing Article 29 Committee.
It recognises the right of data subjects to lodge a complaint with a supervisory authority, as well as their right to judicial remedy, compensation and liability. To ensure proximity for individuals in the decisions that affect them, data subjects will have the right to have a decision of their data protection authority reviewed by their national court. This is irrespective of the member state in which the data controller concerned is established.
It provides for very severe sanctions against controllers or processors who violate data protection rules. Data controllers can face fines of up to €20 million or 4% of their global annual turnover. These administrative sanctions will be imposed by the national data protection authorities.
Transfers to a third country
It also covers the transfer of personal data to third countries and international organisations. To this end, it puts the Commission in charge of assessing the level of protection given by a territory or processing sector in a third country. Where the Commission has not taken an adequacy decision on a territory or sector, transfer of personal data may still take place in particular cases or when there are appropriate safeguards (standard data protection clauses, binding corporate rules, contractual clauses).