The core element of the data protection reform package is a general data protection regulation. This regulation updates and modernises the principles of the 1995 Data Protection Directive. It sets out the rights of the individual and establishes the obligations of those who process personal data (processors) and of those who are responsible for that processing (controllers). It also establishes the methods for ensuring compliance and the scope of the sanctions for those who breach the rules.
On 24 May 2016 the general data protection regulation entered into force. It will apply from 25 May 2018.
The regulation addresses several fundamental issues.
Data subject's rights
It lists the rights of the data subject, that is the individual whose personal data is being processed. These strengthened rights give individuals more control over their personal data, including through:
- the requirement that, where processing relies on the individual's consent, that consent be clear and affirmative
- easier access by the subject to his or her personal data
- the rights to rectification, to erasure and 'to be forgotten'
- the right to object, including to the use of personal data for the purposes of 'profiling'
- the right to data portability from one service provider to another
It also lays down the obligation for controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to data subjects on the processing of their data.
Obligations of controllers and processors
The regulation details the general obligations of controllers and of those who process personal data on their behalf (processors). These include the obligation to implement technical and organisational security measures appropriate to the risk posed by the processing operations they perform (the risk-based approach). Controllers are also required, in certain cases, to notify personal data breaches to the supervisory authority and to the individuals affected. All public authorities, and companies whose core activities involve certain high-risk processing operations, will also need to appoint a data protection officer.
Monitoring and compensation
The regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level. It also establishes mechanisms to ensure consistent application of data protection law across the EU. In particular, in important cross-border cases involving several national supervisory authorities, a single supervisory decision is taken. Under this principle, known as the one-stop shop, a company with establishments in several member states deals primarily with the data protection authority of the member state in which it has its main establishment (the lead supervisory authority).
The agreement includes the setting up of a European Data Protection Board. This board would consist of representatives of all 28 independent supervisory authorities and would replace the existing Article 29 Committee.
It recognises the right of data subjects to lodge a complaint with a supervisory authority, as well as their right to a judicial remedy and to compensation for damage suffered, with corresponding liability for controllers and processors. To ensure proximity for individuals in the decisions that affect them, data subjects will have the right to have a decision of their own data protection authority reviewed by their national court, irrespective of the member state in which the data controller concerned is established.
It provides for substantial sanctions against controllers or processors who violate data protection rules. For the most serious infringements, administrative fines can reach €20 million or 4% of total worldwide annual turnover, whichever is higher. These administrative fines are imposed by the national data protection authorities.
Transfers to a third country
It also covers the transfer of personal data to third countries and international organisations. To this end, it puts the Commission in charge of assessing the level of protection offered by a third country, or by a territory or processing sector within it. Where the Commission has not adopted an adequacy decision, personal data may still be transferred in specific cases provided for by the regulation, or where appropriate safeguards are in place (standard data protection clauses, binding corporate rules or approved contractual clauses).
Timeline in the Council
- 25 May 2018: the general data protection regulation applies from this day.
- 24 May 2016: the regulation enters into force, 20 days after its publication in the Official Journal of the EU.
- Council adopts its position at first reading.
- Council confirms the deal reached with the European Parliament.
- Council agrees on a text and gives the Council presidency a mandate to engage in negotiations with the European Parliament.
- The European Commission presents a proposal for a general data protection regulation.