A tool made for and used by people and businesses

  • 4.3 million citizens and businesses consulted the European Commission’s online portal on the GDPR over the last two years.
  • 69% of the EU population above the age of 16 have heard about the GDPR, according to arecent FRA survey.
  • 71% of people in the EU have heard about their national data protection authority.
  • 275,000 complaints over data protection breaches were lodged by individuals to national data protection authorities between May 2018 and November 2019.

GDPR allows flexibility

Flexibility The GDPR is a flexible, protective and effective tool, as it showed during the coronavirus outbreak. The GDPR allowed for coronavirus tracing apps to be developed, all while respecting personal data protection as a fundamental right. In April 2020, the European Commission issued a toolbox and guidance for the use of technology and data in the context of tracing apps.

Guidance on compliance


The European Data Protection Board provides guidelines on the application of the GDPR. Data protection authorities created new tools to better inform individuals and businesses about the GDPR, such as seminars and events for data protection officers and SMEs, hotlines for consultations and templates for processing contracts.

Strict enforcement, strong protection


The GDPR provides individuals with enforceable rights, such as the right of access, rectification, erasure, the right to object, portability, and enhanced transparency. If those who handle personal data fail to protect these rights, data protection authorities are the ones who
can issue fines and other corrective measures such as warnings and reprimands, orders to rectify, erase or restrict processing, temporary or definitive limitations of processing, including bans. Between May 2018 and November 2019, 22 EU/EEA data protection authorities issued 785 fines.

Protecting rights and ensuring compliance: a pan-European approach

Pan European
  • The GDPR set up an innovative governance system that aims to ensure harmonised interpretation, application and enforcement of data protection rules. It relies on independent national data protection authorities and the European Data Protection Board, composed of the representatives of the national data protection authorities of the EU/EEA countries and of the European Data Protection Supervisor. The Commission participates in the activities and meetings of the Board without voting rights.
  • At the national level, GDPR establishes independent data protection authorities responsible for the enforcement of the GDPR. To this purpose it provides them with harmonised and strengthened enforcement powers, ranging from warnings and reprimands to administrative fines. Those authorities also provide expert advice on data protection issues and handle complaints lodged against violations of data protection rules.
  • At the European level, the European Data Protection Board provides a framework for the cooperation between data protection authorities and fosters a consistent application of data protection rules throughout the EU. It issues guidelines on how to interpret core concepts of the GDPR and can issue binding decisions addressed to the data protection authorities on dispute in concrete cases regarding cross-border processing.

GDPR: a global point of reference on data protection


From Chile to South Korea, to Brazil, to Kenya, many countries around the world are modernising their privacy rules. This creates new opportunities to increase protection for individuals and facilitate data flows – along GDPR standards.

In 2019, the mutual EU-Japan Adequacy Decision has created the largest area of safe and free data flows in the world, allowing personal data to flow freely between the two economies on the basis of strong protection guarantees.

The importance of data protection to ensure trust in the digital economy and to facilitate data flows has been recognised at international level. For example, the “Data Free Flow with Trust” initiative (2019) was endorsed by G20 and G7 leaders in Osaka and Biarritz.

Looking forward: increased uniformity and convergence

Looking forward
  • The European Commission will continue to monitor closely the implementation of the GDPR by Member States.
  • The data protection authorities, working together in the European Data Protection Board, should ensure that the data protection rules in the EU are applied in an harmonised and effective way, and should support organisations and SMEs to ensure compliance with the GDPR.
  • At global level, the European Commission will continue to promote convergence of data protection rules, as well as international cooperation between enforcers.


DownloadPDF - 443.8 KB