Gå til indhold
Tilmeld dig mailingliste

Data protection reform


The data protection reform unifies and updates the legislation on protection of personal data

Data protection in law enforcement

This directive aims to respond to the specific nature of police and judicial activities

General data protection regulation

Detailed information on the core element of the reform package: a general data protection regulation. 

The core element of the data protection reform package is a general data protection regulation. This regulation updates and modernises the principles of the 1995 Data Protection Directive. It sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules.

On 24 May 2016 the general data protection regulation entered into force. It will apply from 25 May 2018.

In detail

The regulation addresses several fundamental issues.

Data subject's rights

It lists the rights of the data subject, that is the individual whose personal data is being processed. These strengthened rights give individuals more control over their personal data, including through:

  • the need for the individual's clear consent to the processing of personal data
  • easier access by the subject to his or her personal data
  • the rights to rectification, to erasure and 'to be forgotten'
  • the right to object, including to the use of personal data for the purposes of 'profiling'
  • the right to data portability from one service provider to another

It also lays down the obligation for controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to data subjects on the processing of their data.


It details the general obligations of the controllers and of those processing the personal data on their behalf (processors). These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform (risk-based approach). Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer.

Monitoring and compensation

The regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level. It also aims to establish mechanisms to create consistency in the application of data protection law across the EU. In particular, in important cross-border cases where several national supervisory authorities are involved, a single supervisory decision is taken. This principle, known as the one stop shop, means that a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment.

The agreement includes the setting up of a European Data Protection Board. This board would consist of representatives of all 28 independent supervisory authorities and would replace the existing Article 29 Committee.

It recognises the right of data subjects to lodge a complaint with a supervisory authority, as well as their right to judicial remedy, compensation and liability. To ensure proximity for individuals in the decisions that affect them, data subjects will have the right to have a decision of their data protection authority reviewed by their national court. This is irrespective of the member state in which the data controller concerned is established.

It provides for very severe sanctions against controllers or processors who violate data protection rules. Data controllers can face fines of up to €20 million or 4% of their global annual turnover. These administrative sanctions will be imposed by the national data protection authorities.

Transfers to a third country

It also covers the transfer of personal data to third countries and international organisations. To this end, it puts the Commission in charge of assessing the level of protection given by a territory or processing sector in a third country. Where the Commission has not taken an adequacy decision on a territory or sector, transfer of personal data may still take place in particular cases or when there are appropriate safeguards (standard data protection clauses, binding corporate rules, contractual clauses).

Timeline in the Council


25. maj

The general data protection regulation applies from this day.


24. maj

The regulation enters into force, 20 days after publication in the Official Journal of the EU.

8. april

Council adopts its position at first reading.


18. december

Council confirms the deal reached with the European Parliament.

15. juni

Council agrees on a text and gives the Council presidency a mandate to engage in negotiations with the European Parliament.


25. januar

The European Commission presents a proposal for a general data protection regulation.