Data protection in the EU
The EU has the toughest data protection rules in the world. Protection of personal data is considered a fundamental right in the EU.
Personal data in the digital age
Rapid technological developments in the last two decades have raised new challenges for the protection of personal data. The scale of data sharing and collection has grown exponentially, sometimes taking place at a global level, and individuals are increasingly making their personal information publicly available.
The economic and social integration resulting from the operation of the internal market has also led to a substantial increase in cross-border flows of data.
To take full account of all these developments and to promote the digital economy, there is a need to ensure a high level of protection for personal data, while at the same time allowing for the free movement of such data.
In the case of personal data used for law enforcement purposes, there is a growing need for authorities in the member states to process and exchange data as part of the fight against transnational crime and terrorism.
In this context, clear and consistent rules on data protection at EU level are fundamental to improving cooperation between those authorities.
Data protection as a fundamental right
Since the signing of the Lisbon Treaty in 2007, protection of personal data has become a fundamental right under EU law, recognised by:
- the Treaty on the Functioning of the European Union
- the EU Charter of Fundamental Rights
This means that the EU has a specific legal basis on which to adopt legislation to protect this fundamental right.
Article 8 of the EU Charter of Fundamental Rights stipulates that everyone in the EU has the right to:
- the protection of personal data concerning him or her
- access to data which has been collected concerning him or her, and the right to have it rectified
Examples of personal data
- name and surname
- home address
- email address
- identification card number
- location data, for example the location data function on a mobile phone
- Internet Protocol (IP) address
- cookie ID
- advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
The general data protection regulation (GDPR)
The EU general data protection regulation (GDPR) was adopted in 2016 and entered into application in May 2018.
The advent of the GDPR means that there is one set of data protection rules for all companies operating in the EU, wherever they are based.
The stronger rules introduced by the GDPR mean that:
- people have more control over their personal data
- businesses benefit from a level playing field
The GDPR gives people greater control over how their data are used online, including in relation to online services, advertising and automated processing.
Directive on data protection in law enforcement
This directive on protecting personal data processed for the purpose of criminal law enforcement aims to protect individuals’ right to the protection of their personal data while guaranteeing a high level of public security.
It applies to both cross-border and national processing of data by member states’ competent authorities for the purpose of criminal law enforcement.
The directive was adopted in 2016 and entered into force in 2018.
Last review: 8 June 2026