European Union: Privacy

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Legal framework


The right to privacy emerged after World War II and was initially enacted in the Universal Declaration of Human Rights,[1] before finding expression in the European Convention on Human Rights (ECHR).[2] Later, the right to data protection was recognised by the European Court of Human Rights (ECtHR) as part of the broadly interpreted concept of private life.[3]

In the EU, the right to data protection was first recognised by the Treaty on the Functioning of the European Union[4] and was given the status of a human right by the Charter of Fundamental Rights of the European Union (CFR).[5]

In 1995, to harmonise data protection laws, ensure a high level of protection and guarantee the free flow of personal data among member states, the European Commission (EC) adopted the Data Protection Directive, which had to be implemented in each member state.[6] In parallel, the ePrivacy Directive[7] was adopted in 2002 to address personal data in the specific context of electronic communication services and adapt the applicable rules to the digital age.

However, confronted with various challenges, in particular the persistent fragmentation of data protection laws throughout the EU and increasing digitalisation, the EU decided to review the legal framework. This led to the adoption of the General Data Protection Regulation (GDPR).[8] Adopted in 2016, the GDPR became directly applicable in all member states on 25 May 2018. Reform and adaptation of other privacy-related laws as part of the EU’s Digital Strategy were also initiated.

Updates and trends

The GDPR, by being directly applicable in the member states, achieved a high degree of harmonisation for the data protection rules in the EU. However, member states still have ‘margins of manoeuvre’ and can adopt national legislation to specify, restrict or expand the GDPR rules under certain circumstances (eg, for children’s consent or the scope of data subject rights).[9] In early 2022, the EC launched an infringement procedure against Slovenia, as Slovenia had still not adapted its national data protection framework accordingly.

The Brexit transition period ended on 31 December 2020, which means that the GDPR is no longer directly applicable in the UK. The UK’s national data protection legislation broadly mirrors the current GDPR and is now called the ‘UK GDPR’.[10] If the GDPR were to change, the UK might not follow suit, so the rules might diverge. In June 2021, the EC adopted an adequacy decision for the UK, which means that personal data can be transferred to the UK without any additional safeguards. However, unlike other adequacy decisions, the UK adequacy decision will automatically expire in 2025 (and the EU will also monitor UK law for any divergence before then). In June 2022, the UK revealed details of its planned data protection regime to drive economic growth following greater regulatory freedom outside the EU.

Focus on the GDPR


In the spirit of the ECHR and the CFR, the GDPR seeks to protect individuals’ personal data as an overarching, fundamental human right. Article 1 of the GDPR states that it shall protect fundamental rights and freedoms of natural persons and reduce barriers for businesses by facilitating the movement of personal data within the EU.[11] In addition, the GDPR aims to address the data protection risks associated with new technologies and their widespread use by imposing more stringent obligations. Finally, the GDPR aims to ensure effective protection of personal data by strengthening data subjects’ rights and the obligations of those who process personal data, and by establishing authorities to monitor and ensure compliance.

Scope of application

The GDPR’s scope of application is defined by reference to activities,[12] actors[13] and geography.[14]

The GDPR applies to the ‘processing’ of ‘personal data’. Both concepts are to be interpreted very broadly. Processing covers every action that can be conducted with personal data, while personal data means any information relating to an identified or identifiable natural person. The fact that a person took part in a meeting or signed a specific document will, for instance, be considered personal data. Only anonymised data falls outside the scope of the GDPR. However, anonymisation is quite hard to achieve in practice. In most cases where anonymisation is attempted, the data will only be considered ‘pseudonymised’ (eg, identifiers or references to individuals are removed, but it is still possible to re-identify the data with additional knowledge from other sources). The GDPR fully applies to pseudonymised data.

The GDPR also recognises specific categories of personal data, namely ‘sensitive data’ (or ‘special category’ data) and ‘data relating to criminal convictions and offences’.[15] Sensitive data is:

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.[16]

The processing of those categories of data is subject to more stringent requirements. In most cases, the data subject’s consent is required.

Data processed in the course of a purely personal or household activity is explicitly exempted. However, the exemption has to be interpreted rather narrowly. Larger scale or more intrusive activities generally fall under the GDPR’s scope, even if the main purpose is personal.

The GDPR defines three ‘data protection roles’, namely:

  • the data subject, who is the natural person whose information is being processed;
  • the controller,[17] who determines the purposes and means of the processing; and
  • the processor,[18] who processes the personal data on the controller’s behalf.

Controllers and processors are subject to specific requirements under the GDPR, whereas data subjects enjoy extensive rights.

The GDPR is very far-reaching: it applies to entities established in the EU[19] and to certain others without such an establishment.[20] In the latter case, it applies to the processing of personal data of data subjects who are in the EU, if the processing is related to offering goods or services or monitoring their behaviour (eg, online tracking) as far as their behaviour takes place within the EU. Those entities must appoint an ‘EU representative’, which acts as a point of contact for authorities and data subjects.

Principles relating to personal data processing and accountability

Article 5 of the GDPR sets out the general principles with which controllers and processors must comply when processing personal data. These principles serve as the cornerstone of all subsequent GDPR provisions and they guide courts and authorities in their interpretation of the GDPR.

  • Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes, must not be used for any purposes other than those notified to the individual and must not be further processed in any manner incompatible with those initial purposes, unless the further processing is based on a new lawful purpose.
  • Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: personal data must be accurate, kept up to date and erased or rectified, if necessary.
  • Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is being processed, and otherwise must be deleted or anonymised.
  • Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (TOMs).

In accordance with the principle of accountability, controllers are responsible for and must be able to demonstrate compliance with these principles. The GDPR therefore puts a particular emphasis on documentation, in particular through the maintenance of a record of processing activities.[21] The principle of accountability also leads to a shift of the burden of proof in certain cases (ie, it is the controller’s responsibility to evidence GDPR compliance).

Lawfulness of data processing

Processing of personal data is lawful only if and to the extent it is based on one or more of the legal bases listed in the GDPR.[22] Whether a lawful basis for processing applies, and if so which, is to be determined with regard to the type of personal data and the purpose of the processing.

The most common lawful bases for processing of (ordinary) personal data are: (1) processing is necessary for the performance of a contract; (2) consent; and (3) the controller’s overriding legitimate interests, as set out below:

  • To rely on the performance of a contract, the processing must be ‘necessary’ to the contract, meaning that if ‘there are realistic, less intrusive alternatives, the processing is not necessary’.[23] For example, the use of a cloud storage application necessarily requires that personal data is stored in the respective cloud, so the controller can rely on the ‘performance of a contract’ legal basis for that storage. However, the use of the data for other purposes (eg, analysing data for marketing purposes) is not necessary for the contract and requires another legal basis.
  • Consent is often regarded as the ‘method of choice’ but in practice it is very challenging to rely on this legal basis. The threshold for obtaining valid consent is very high. Indeed, consent has to be ‘freely given’, ‘specific’ and ‘informed’ and must express the unambiguous indication of the wishes of the data subject.[24] The data subject must also be able to withdraw their consent, at any time, as easily as it was given. In particular, the requirement of freely given consent is sometimes hard to achieve (eg, when an employer asks employees for consent).
  • Relying on overriding legitimate interests may also be quite challenging. First, the existence of a legitimate interest must be carefully assessed in each case. The GDPR does not provide a list of interests to be considered as such. However, for instance, the GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’.[25] Second, controllers have to balance these legitimate interests against the data subject’s fundamental rights and freedoms. Only when those rights do not override the controller’s legitimate interests is it possible to rely on this legal ground. In light of the ‘accountability principle’, controllers must generally document the balancing-of-interests test.

The other three lawful bases also require the processing to be ‘necessary’ for a specific purpose, namely compliance with a legal obligation; protecting the data subjects’ vital interests; or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Sensitive data may only be processed if one of the (stricter) legal bases in the catalogue under article 9 GDPR applies, for example ‘explicit consent’.

The GDPR also regulates specific types of processing, such as automated decision-making, including profiling. Profiling means any form of automated processing of personal data to evaluate certain personal aspects relating to the individual, in particular to analyse or predict certain aspects. Although the GDPR permits this kind of data processing in principle, it imposes certain requirements to ensure additional guarantees to protect personal data.

Rights of the data subject

The GDPR grants a wide range of rights to data subjects regarding the processing of their personal data, giving them more control over their personal data. Data subject rights can be classified into two groups.

The first group covers all information obligations[26] imposed on controllers. These require a controller to:

  • give the data subject specific information about the circumstances of the data processing, irrespective of whether the personal data is collected directly from the data subject or not. This information must be given at the time personal data is collected or before it is processed;
  • inform the data subject before carrying out changes to the data processing;
  • inform the data subject of personal data breaches where relevant;[27] and
  • take reasonable steps to inform other controllers of a right exercised by the data subject in some cases,[28] such as if the data subject asks for their data to be erased and the data was made public by the controller.

The second group includes rights that must be exercised by the data subject for the controller to act. The data subject has the right to:

  • access his or her personal data processed by the controller[29] (right of access);
  • obtain rectification of inaccurate or incomplete personal data[30] (right to rectification);
  • request restriction of processing,[31] which means that personal data can still be stored but may not be used in certain situations (right to restriction of processing);
  • request erasure[32] of their personal data in particular circumstances (right to be forgotten);
  • receive the personal data they provided in a structured and commonly used machine-readable format and request the controller to transmit this directly to another controller[33] (right to data portability);
  • object to the processing of their personal data on grounds relating to their particular situation[34] (right to object). This right is not absolute: the controller must stop processing the data only if it cannot show compelling legitimate grounds for the processing that override the individual’s interests (although this does not apply where the personal data is processed for direct marketing purposes); and
  • not be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects for the data subject.[35] This right is also not absolute; it does not apply if automated decision-making is necessary for the performance of a contract between the controller and the data subject.

If a controller or processor breaches the GDPR, the data subject has the right to lodge a complaint with practically any data protection supervisory authority (DPA), including those established in a member state other than where they live, as well as the right to start judicial proceedings. The data subject may also file a claim for damages.

Oversight and enforcement

Each member state has established at least one DPA.[36] The DPA, which must be independent in performing its tasks and exercising its powers, must contribute to the consistent application of the GDPR throughout the EU. The DPA has a wide range of responsibilities and a broad scope of powers, including investigative and corrective powers. In particular, it can issue warnings, reprimands or fines (up to €20 million or 4 per cent of worldwide annual (group) turnover, whichever is higher); order data to be rectified, blocked or deleted; or impose a ban on processing. A DPA regulates controllers and processors established in its own member state, as well as data processing by those elsewhere if the processing affects data subjects in the member state or is otherwise connected.

If more than one DPA would have jurisdiction for a specific processing activity of a controller or processor established in the EU (ie, for cross-border processing), the DPA of the entity’s ‘main establishment’ will act as ‘lead supervisory authority’. This ‘one-stop-shop mechanism’[37] ensures more efficient cross-border proceedings, but there is still some uncertainty over the definition of ‘main establishment’.

All DPAs are members of the independent European Data Protection Board (EDPB),[38] along with the European Data Protection Supervisor.[39] The EDPB is responsible for ensuring the uniform application of the GDPR throughout member states and efficient co-operation among DPAs. The EDPB can issue guidelines[40] and recommendations, and make binding decisions in relation to disputes as to which DPA is competent or the lead supervisory authority,[41] as well as in relation to urgency procedures.[42]

Updates and trends

Regarding the enforcement of the GDPR, the following developments are of particular importance for practitioners:

  • DPAs have continued to impose very high fines and some have already adopted fining guidelines to facilitate enforcement activities.[43] On 12 May 2022, the EDPB adopted harmonised guidelines on the calculation of fines.[44]
  • In June 2021, the Court of Justice of the European Union (CJEU), the highest court with authority to interpret the GDPR, issued a ruling[45] on the one-stop-shop mechanism. The court held that a national data protection supervisory authority can bring proceedings against an organisation infringing the GDPR for cross-border data processing under certain circumstances, even though that authority is not the lead authority.
  • Data subjects have been lodging claims directly with civil courts (in parallel to their DPAs) for alleged GDPR infringements. As a result, data protection litigation in many European jurisdictions is on the rise. This trend is fostered by privacy activists who facilitate these claims. In this context, on 28 April 2022, the CJEU decided that consumer protection associations and competitors may seek injunctions in their own name against controllers under the GDPR if national law allows.[46]

Privacy governance

The role of the data protection officer

The data protection officer’s (DPO) main responsibility is to monitor GDPR compliance and to ensure awareness-raising and training of staff involved in processing operations.[47] The ultimate responsibility to comply with the GDPR lies, however, with the controller and its management.

The controller[48] or the processor must appoint a DPO if their ‘core activities’ consist of the regular, systematic and large-scale monitoring of data subjects; or the large-scale processing of sensitive data or data relating to criminal convictions and offences. Member states can stipulate further cases where a DPO must be appointed.[49]

Businesses must appoint the DPO on the basis of the person’s professional qualities, their expert knowledge of data protection, and their ability to fulfil the assigned tasks. Businesses may appoint an employee or an external provider (although, off the record, certain DPAs have expressed concerns over the appointment of external DPOs by businesses that process a significant amount of personal data).[50] In both cases the DPO must be able to perform their tasks independently and without any conflict of interest.

Once designated, the DPO’s contact details must be published and communicated to the DPA. The DPO serves as a contact point both for data subjects and the DPAs.

Ensuring GDPR compliance of data processing operations

Data protection by design and by default

The controller must do the following:[51]

  • Implement appropriate TOMs to satisfy the general data protection principles under the GDPR and to integrate necessary safeguards in order to meet the GDPR’s requirements throughout the whole processing, from the initial to the final stages. For example, when a controller builds a new product, it must ensure that the product is developed with privacy in mind; this can, for example, be documented and achieved by adding ‘privacy gates’ into the product development cycle. TOMs must be implemented considering the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals.
  • Implement appropriate TOMs ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed (eg, some applications may require the functionality to turn certain data collection on and off, and the default setting should be ‘off’).

The controller must also regularly review and update the TOMs, to consider privacy by design and by default.[52]

Appropriate TOMs to ensure data security

To keep personal data secure, controllers and processors must implement appropriate TOMs.[53] Technical measures are precautionary measures relating to the processing itself, like a backup system or a user ID policy. Organisational measures cover the external framework conditions surrounding the processing, like employee training, policies or a safety plan.

The GDPR does not specifically define what security measures must be taken, but it does list criteria for the measures, to ensure a level of security appropriate to the risk. There is neither a one-size-fits-all solution nor an ideal one, so controllers and processors must carry out a ‘balancing test’. The controller or processor has quite a broad margin of discretion, but its decision to implement certain TOMs might be closely scrutinised. So, controllers and processors should assess the specific risks raised by their different processing activities and the protective effects of individual TOMs. In the event of a personal data breach, TOMs should be adapted accordingly to prevent such an incident from recurring.

When assessing a risk, relevant factors are:

  • the nature of the risk (eg, data destruction, data alteration, unauthorised disclosure or unauthorised access);
  • its likelihood, taking into account, for example, the data transfer method (eg, in the cloud) or the storage method (duration, location); and
  • its severity, taking into account, for example, the importance of the data or the type of likely damage.

When assessing individual TOMs, the controller or processor must assess whether and how it can prevent the risk from occurring, given the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. It should focus on measures such as encryption and pseudonymisation, which may be considered state of the art in certain cases and for certain types of data. It must take measures that can ensure the ongoing confidentiality, integrity, availability and resilience of the processing, and restore the availability of and access to the data if there is an incident.

Data protection impact assessments

If data processing poses a high risk to the rights and freedoms of individuals, the controller must first carry out a data protection impact assessment (DPIA). A DPIA is an internal risk assessment to document any risks identified and any measures taken to mitigate the risks (eg, implementing TOMs or adding contractual safeguards with third parties).

In particular, a DPIA is required when: new technologies are used; there is a systematic and extensive evaluation of personal aspects based on automated processing; sensitive personal data is processed on a large scale; or there is systematic monitoring of a publicly accessible area on a large scale.[54] There may be other cases where the processing is likely to result in a high risk.

EU guidelines suggest that a controller must consider the following criteria to determine the risk of processing,[55] and a DPIA is generally required if two of these criteria are met:

  • evaluation or scoring;
  • automated decision-making with legal or similar significant effect for data subjects;
  • systematic monitoring;
  • sensitive data or data of a highly personal nature;
  • data processed on a large scale;
  • matching or combining datasets;
  • data concerning vulnerable data subjects (eg, children);
  • innovative use or applying new technological or organisational solutions; and
  • when the processing in itself prevents data subjects from exercising a right or using a service or contract.

Finally, DPAs may establish non-exhaustive ‘blacklists’ or ‘whitelists’ of those activities that always require a DPIA and those that do not.[56]

In the rare event that the risks identified in a DPIA cannot be mitigated, the controller must consult with the relevant DPA before processing.

Contractual requirements

Although the GDPR has increased the data processor’s responsibilities, the controller remains primarily responsible. The controller must only use processors that provide sufficient guarantees to ensure GDPR compliance; this requires appropriate processes for vendor management to document that the selection of processors is based on reasonable criteria.[57] The controller must also conclude a binding contract with the processor setting out all the elements of the processing and certain restrictions, including that the processor may process data only upon the documented instructions of the controller, the controller has certain audit rights, and the processor must support the controller to ensure GDPR compliance.[58]

Joint controllers must determine their respective responsibilities for GDPR compliance in a transparent manner, in particular as regards the exercise of data subject rights and the controllers’ respective duties to provide information to data subjects.[59]

Data exports

The GDPR includes restrictions regarding data transfers to countries outside the European Economic Area (EEA). Safeguards must be used to ensure an ‘adequate level of data protection’, unless the personal data is transferred to a country covered by an ‘adequacy decision’ – that is, where the EC has found that the country has an adequate level of data protection.[60]

If the recipient country is not covered by an adequacy decision, the transfer must be subject to ‘appropriate safeguards’,[61] namely:

  • binding corporate rules (ie, group internal data protection frameworks approved by the relevant DPA);
  • standard contractual clauses (SCCs) adopted by the EC or by a DPA;[62]
  • an approved code of conduct;
  • an approved certification mechanism; or
  • individual contractual clauses authorised by the DPA.

If the transfer is not covered by these safeguards, an exemption might apply, such as where the data subject has given explicit consent or where the transfer is necessary for the performance of a contract with the data subject.[63]

Following the CJEU’s judgment in a case commonly referred to as Schrems II,[64] the landscape relating to data exports has significantly evolved. First, the EU–US Privacy Shield, a scheme that allowed data to flow from the EEA to US companies registered with the scheme, has been declared invalid[65] as a basis for data exports (with no official grace period).

In June 2021, the EC released a new set of SCCs in response to the Schrems II judgment.[66] The new SCCs have a few new or updated aspects, including a modular approach, a docking clause that facilitates the formation of multilateral contractual relationships by allowing new parties to accede to an already existing agreement, and a ‘practical toolbox’ to comply with the Schrems II ruling. In addition, before concluding the SCCs, data exporters must review whether the recipient abroad can guarantee compliance with EU data privacy law (a ‘transfer impact assessment’) and, under certain circumstances, implement additional technical, organisational and contractual measures,[67] depending on the level of protection for the data in the country of the data importer. There is an 18-month transition period for those using the pre-existing SCCs, ending on 27 December 2022.

On 25 March 2022, the European Commission and the US announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework, serving as a successor arrangement to the EU–US Privacy Shield.

Personal data breaches

Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.[68] Any security incident affecting the confidentiality, integrity or availability of personal data is therefore a personal data breach. This could include, for instance, a lost USB stick, an intrusion by a hacker or the sending of an email to the wrong recipient.

If a controller suffers a data breach, it must implement certain remediation measures. If the breach poses a risk to data subjects, it must notify the relevant DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where there is a high risk, the affected data subjects must also be notified. In practice, these tight deadlines will be challenging for many businesses, and the emphasis is often on assessing when a business can reasonably be said to be ‘aware’, bearing in mind the complexities of many data breach investigations.

A wide range of factors will be relevant to assess the level of risk: the type of breach;[69] the nature, sensitivity and volume of personal data; the consequences for affected individuals; the number of affected individuals; and the likelihood and severity of the consequences on affected individuals, such as discrimination, identity theft or financial loss.

Controllers must document each data breach, whether or not the threshold for notifying or communicating has been met, and make the documentation available to the relevant DPA upon request.[70]

Focus on specific requirements

Sector-specific requirements

In sectors like banking, healthcare, social security, post, telecoms and gambling, specific data protection requirements may apply that stipulate particular requirements or exemptions beyond the GDPR.

Regarding telecoms, with the recent entry into application of the European Electronic Communications Code (EECC), the regulatory landscape for electronic communications service providers is becoming increasingly complex. In particular, the EECC expands the definition of ‘electronic communications services’ so that over-the-top providers that did not previously fall within the definition are now subject to applicable rules.


In 2016, the EU adopted the Directive on Security of Network and Information Systems[71] (the NIS Directive) to enhance cybersecurity standards for certain businesses with IT infrastructure in the EU. The directive generally applies only to certain critical infrastructure where specific thresholds are met (eg, energy, health, transport, banking and digital infrastructure). Entities regulated under the NIS Directive must implement state-of-the-art cybersecurity measures and report breaches to national cyber regulators.

In May 2022, the EU Parliament and the EU Council reached a provisional agreement on the proposal for a revised NIS Directive: the NIS 2 Directive, expanding the scope of the current NIS Directive by adding new sectors and by introducing a clear size cap. Also, entities would be classified in light of their importance and not their nature (ie, there is no distinction between operators of essential services and digital service providers). Finally, the applicable security requirements would be strengthened.

Other EU digital and data-related legislation

The EU’s Digital Strategy aims to protect individuals and foster innovation by imposing rules to safely navigate digitalisation. In 2022, the European Parliament adopted two of the EC’s proposed acts:[72] the Digital Services Act, regulating online intermediaries and platforms like social networks, and the Digital Markets Act, setting out rules on gatekeeper platforms.

Other data-related legislative proposals in the course of the EU’s Digital Strategy include the Data Act, regulating access to data by users and third parties, and the Data Governance Act, setting out rules inter alia for providers of data-sharing services.

The 2002 ePrivacy Directive, which has been implemented into domestic member state law, applies to electronic communications in addition to the GDPR. It covers a wide range of issues, such as collection of traffic data, cookies and unsolicited communications. It goes beyond the GDPR; for example, certain cookies may be used only if the user has given consent, and certain marketing communications require that recipients have explicitly opted in to receive them.[73] EU discussions to replace the directive with a regulation continue.


The GDPR has established a stringent and far-reaching data protection framework with a significant extraterritorial reach. As it is principles-based and there is still limited guidance from courts or regulators, this shifts a lot of responsibility to businesses that process personal data. As a best practice, many businesses have set up privacy governance committees to manage their GDPR risk. This approach is now slowly extending to businesses that are not subject to the GDPR, because many countries have adopted or are in the process of adopting similar comprehensive privacy frameworks.[74] Aligning different national requirements is difficult for businesses, not only because EU member states still have leeway to enact country-specific rules, but also because the approach taken in countries outside the EU sometimes conflicts with the GDPR. That said, for those looking to implement global compliance programmes, developing principles-based policies and procedures with the GDPR as their bedrock is often a pragmatic solution.


[1] Article 12 of the Universal Declaration of Human Rights.

[2] Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms.

[3] ECtHR, 26 March 1987, case of Leander v Sweden; ECtHR, 4 May 2000, case of Rotaru v Romania.

[4] Article 16 of the Treaty on the Functioning of the European Union.

[5] Article 8 of the Charter of Fundamental Rights of the European Union.

[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[7] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[9] As of July 2022, only Slovenia had not yet adopted specific national legislation to supplement the GDPR.

[10] The EU GDPR was retained within UK law by the EU (Withdrawal) Act 2018.

[11] The GDPR is intended to help promote European economic development.

[12] Article 2 of the GDPR.

[13] Article 4 of the GDPR.

[14] Article 3 of the GDPR. See also EDPB, Guidelines 3/2018 on the territorial scope of the GDPR.

[15] Article 10 of the GDPR.

[16] Article 9 of the GDPR.

[17] The controller can be a natural or legal person, public authority, agency or any other body. When two or more controllers jointly determine the purposes and means of a processing activity, they are ‘joint controllers’. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.

[18] The processor can be a natural or legal person, public authority, agency or any other body. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.

[19] This is the ‘establishment criterion’.

[20] This is the ‘targeting criterion’.

[21] Article 30 of the GDPR.

[22] Article 6 of the GDPR.

[23] For further information, see WP29, Guidelines 2/2019 on the processing of personal data under article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

[24] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679.

[25] Recital 47 of the GDPR.

[26] Articles 12, 13 and 15 of the GDPR.

[27] Article 34 of the GDPR.

[28] Article 29(2) of the GDPR.

[29] Article 15 of the GDPR. See also EDPB, Guidelines 01/2022 on data subject rights – Right of access.

[30] Article 16 of the GDPR.

[31] Article 18 of the GDPR.

[32] Article 17 of the GDPR.

[33] Article 20 of the GDPR. See WP29, Guidelines on the right to data portability, WP242 rev. 01.

[34] Article 21 of the GDPR.

[35] Article 22 of the GDPR.

[36] Germany, as a federal country, has several DPAs. Where more than one DPA is established in a member state, that member state must designate the supervisory authority that is to represent the others at the EU level.

[37] A register containing decisions taken by DPAs following the one-stop-shop mechanism is published by the EDPB.

[38] The EDPB replaced the article 29 Working Party (WP29), which ceased to exist on 25 May 2018.

[39] The European Data Protection Supervisor is the DPA for the EU institutions and bodies.

[40] During its first plenary meeting, the EDPB endorsed some of the WP29 Guidelines, such as those on consent, transparency, personal data breach notification, the obligation to maintain records of processing activities and the application and setting of administrative fines.

[41] Article 65 of the GDPR.

[42] Article 66 of the GDPR.

[43] See, for instance, the fining models issued by the German, Dutch, Danish and Lithuanian DPAs.

[44] See EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR.

[45] CJEU, 15 June 2021, Case C-645/19.

[46] CJEU, 28 April 2022, Case C-319/20.

[47] Article 39 of the GDPR.

[48] A group of undertakings may appoint a single DPO, article 37(2) of the GDPR.

[49] Article 37(4) of the GDPR contains an opening clause allowing member states to impose other requirements for the appointment of a DPO. For instance, Germany has provisions in place that go beyond the general DPO requirement under the GDPR. Irrespective of a legal obligation, companies can also appoint a DPO voluntarily, and this has been recommended by several DPAs.

[50] The DPO may also fulfil other tasks and duties as long as it is ensured that there is no conflict of interests.

[51] Article 25 of the GDPR.

[52] Article 24 of the GDPR.

[53] Article 32 of the GDPR.

[54] Article 35(3) of the GDPR.

[55] WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, WP248 rev.01.

[56] Articles 35(4) and 35(5) of the GDPR. The EDPB publishes opinions on draft lists submitted to it by the DPAs.

[57] Article 28 of the GDPR.

[58] ibid.

[59] Article 26 of the GDPR.

[60] Article 45 of the GDPR. So far, the Commission has recognised the following countries as providing an adequate level of data protection: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK and Uruguay.

[61] Article 46 of the GDPR.

[62] See for instance the SCCs adopted by the Danish DPA.

[63] Article 49 of the GDPR.

[64] On 16 July 2020, the CJEU in the ‘Schrems II’ case (C-311/18) invalidated the EU–US Privacy Shield and said that those who transfer data out of the EEA using the SCCs must review whether the recipient of data abroad can guarantee compliance with EU data privacy law. Both findings were based on the wide rights of US government agencies to access personal data and the lack of judicial redress for non-US citizens.

[65] Talks around a Privacy Shield replacement are currently still ongoing.

[66] One for the transfer of personal data to third countries (see Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one for use between controllers and processors based in the EU (Commission implementing decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council).

[67] See EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

[68] Article 4(12) of the GDPR.

[69] One generally distinguishes between a confidentiality breach, an availability breach or an integrity breach.

[70] Article 33(5) of the GDPR.

[71] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

[72] Both still need to be signed off by the EU Council, which is expected to take place in September 2022.

[73] The ePrivacy Directive also provides for exceptions but these are quite restrictive.

[74] eg, Australia, Brazil, South Korea or California, Nevada and Colorado in the US.