The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data.
The new data protection package adopted in May 2016 aims at making Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed.
The General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens.
The regulation came into force on 24 May 2016 and will apply from 25 May 2018.
Information about the incorporation of the General Data Protection Regulation (GDPR) into the EEA Agreement.
The Data Protection Law Enforcement Directive
Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.
The directive protects citizens' fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.
The directive entered into force on 5 May 2016 and EU countries have to transpose it into their national law by 6 May 2018.
National data protection authorities
EU countries have set up national bodies responsible for protecting personal data in accordance with Article 8(3) of the Charter of Fundamental Rights of the EU.
European Data Protection Board
The EU’s national supervisory authorities are currently working together in the framework of the Article 29 Working Party. The European Data Protection Supervisor (EDPS) and the Commission are also members. As of 25 May 2018, the Article 29 Working Party will be replaced by the European Data Protection Board (EDPB). The EDPB has the status of an EU body with legal personality and is provided with an independent secretariat.
The EDPB has extensive powers to determine disputes between national supervisory authorities, to give advice and guidance on key concepts of the GDPR and Police Directive.
Data Protection in the EU Institutions and Bodies
Regulation 45/2001 sets forth the rules applicable to the processing of personal data by EU institutions and bodies. On 10 January 2017, the Commission put forward a proposal to amend those rules to bring them in line with the General Data Protection Regulation (GDPR).
European Data Protection Supervisor
The regulation on the protection of individuals with regard to the processing of personal data by EU institutions established a European data protection supervisor (EDPS). The EDPS is an independent EU body responsible for monitoring the application of data protection rules within European Institutions and for investigating complaints.
Data Protection Officer in the European Commission
The European Commission has appointed a Data Protection Officer who is responsible for monitoring and the application of data protection rules in the European Commission. The data protection officer independently ensures the internal application of data protection rules in cooperation with the European data protection supervisor.