As of 25 May 2018 the General Data Protection Regulation (GDPR) is replacing the current Directive 95/46 on data protection. The GDPR harmonises the national legislations of the EU member states, deriving from this Directive. The GDPR is an evolution, not a revolution, to protect even further the personal data of individuals and its free movement in the EU. With the GDPR the EU remains a pioneer in the protection of personal data at a global scale, offering stronger protection at a time of growing demand by European citizens.
When will the GDPR be applicable?
The GDPR was adopted in May 2016 and, after a 2-year adjustment period, it is now applicable since 25 May 2018. Since that date, all entities concerned must comply with the new rules when processing personal data.
Who has to apply the GDPR?
The GDPR applies to:
- entities established in the EU (or branches established in the EU) that process personal data as part of their activities, regardless of where the data is processed; and
- entities established outside the EU, offering goods/services to individuals in the EU or monitoring the behaviour in the EU of these individuals.
What is personal data?
Personal data is any information related to an identified or identifiable natural person – the data subject – i.e. names, identification number, emails, postal address, phone, location data, picture, signature etc.
Information about companies, anonymised or statistical data IS NOT personal data.
What is processing of personal data?
Processing means any operation performed on personal data, such as collecting, recording, storing, organising, filing, using, combining, disclosing, transferring, erasing manually or automatically, i.e. collecting contact details of participants to an event, sending newsletters by email, publication of participants lists or pictures with persons related to an event, subscription to e-services etc.
Therefore, since 25 May 2018, also applicants, beneficiaries, contractors or subcontractors receiving funding from EU programmes managed by EASME such as H2020, COSME, EMFF, LIFE, the SME Instrument or EEN, to name a few, but also trainers and experts, must comply with the GDPR. Any natural or legal person who collects or in any way uses for professional purposes personal data of individuals must comply with the new rules, as is the case with any other EU or national legislation they are subject to.
Beneficiaries established outside the EU can find more specific information on the dedicated webpage of the European Commission.
For more information
At national level every EU member state has appointed a competent national authority in charge of the monitoring of the data protection rules. Check them out to find guidelines, checklists, tools and advice on the GDPR in the national languages.
The European Commission has published comprehensive information on GDPR and its application to companies and organisations. Check out the Commission website, to find guidelines, Q&As and other useful information as well as the GDPR library.
Furthermore, EASME staff will be ready to reply to project related questions on data protection during events held with coordinators, beneficiaries and other participants, such as kick-off meetings and info days.