Data protection in the EU

The EU has the toughest data protection rules in the world. Protection of personal data is considered a fundamental right in the EU.

Personal data in the digital age

Rapid technological developments in the last two decades have raised new challenges for the protection of personal data. The scale of data sharing and collection has grown exponentially, sometimes taking place at a global level, and individuals are increasingly making their personal information publicly available.

The economic and social integration resulting from the operation of the internal market has also led to a substantial increase in cross-border flows of data.

To take full account of all these developments and to promote the digital economy, there is a need to ensure a high level of protection for personal data, while at the same time allowing for the free movement of such data.

In the case of personal data used for law enforcement purposes, there is a growing need for authorities in the member states to process and exchange data as part of the fight against transnational crime and terrorism.

In this context, clear and consistent rules on data protection at EU level are fundamental to improving cooperation between those authorities.

Data protection as a fundamental right

Since the signing of the Lisbon Treaty in 2007, protection of personal data has become a fundamental right under EU law, recognised by:

  • the Treaty on the Functioning of the European Union
  • the EU Charter of Fundamental Rights

This means that the EU has a specific legal basis on which to adopt legislation to protect this fundamental right.

Article 8 of the EU Charter of Fundamental Rights stipulates that everyone in the EU has the right to:

  • the protection of personal data concerning him or her
  • access to data which has been collected concerning him or her, and the right to have it rectified

Examples of personal data

  • identification card number
  • location data, for example the location data function on a mobile phone
  • Internet Protocol (IP) address
  • cookie ID
  • advertising identifier of your phone
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person

The general data protection regulation (GDPR)

The EU general data protection regulation (GDPR) was adopted in 2016 and entered into application in May 2018.

The advent of the GDPR means that there is one set of data protection rules for all companies operating in the EU, wherever they are based.

The stronger rules introduced by the GDPR mean that:

  • people have more control over their personal data
  • businesses benefit from a level playing field

The GDPR gives people greater control over how their data are used online, including in relation to online services, advertising and automated processing.

Directive on data protection in law enforcement

This directive on protecting personal data processed for the purpose of criminal law enforcement aims to protect individuals’ right to the protection of their personal data while guaranteeing a high level of public security.

It applies to both cross-border and national processing of data by member states’ competent authorities for the purpose of criminal law enforcement.

The directive was adopted in 2016 and entered into force in 2018.

Last review: 8 June 2026