EU General Data Protection Regulation

In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012, and as of May 25, 2018, it is in effect.

The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It is applicable to any organization — no matter where it resides — that intentionally offers goods or services to the European Union, or that monitors the behavior of individuals within the EU.

Here, you can find the IAPP’s collection of coverage, analysis and resources related to the GDPR.

Featured Resources

TOOL

GDPR Genius

This interactive tool provides IAPP members ready access to critical GDPR resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

INFOGRAPHIC

GDPR at Five

These statistics point to the GDPR’s tangible impact in the five years since becoming applicable.

ARTICLE

Impressions on GDPR’s maturity

Policymakers at the IAPP DPC 2023 were reflective about how the GDPR has shaped data privacy discussion five years after it took effect. This article delves into the successes and challenges the law has presented for the privacy world.

RESOURCE ARTICLE

Going back to basics for the EDPB’s year of the DPO

The EDPB’s coordinated enforcement action focused on the role of the DPO. This article examines the legal requirements for DPOs and breaks down the role’s designation, position and tasks as set out in the GDPR.

INFOGRAPHIC

Requirements of the GDPR-mandated DPO

This infographic outlines the requirements of the GDPR-mandated DPO. The European Data Protection Board chose the role of data protection officer for coordinated enforcement action in 2023.

CHART

The GDPR’s Six Legal Bases for Data Processing

This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation.


Europe Data Protection Digest newsletter

Be in-the-know on EU privacy news by subscribing to the Europe Data Protection Digest newsletter.

Additional News and Resources

Key points of the DPC's GDPR decision on TikTok and children's data

Following the European Data Protection Board's dispute resolution decision, Ireland's Data Protection Commission in September adopted its final decision against TikTok Technology Limited related to the company's processing of children's personal data. The findings build on many positions established in the DPC's September 2022 decision concerning Instagram's processing of children's personal data. For example, regarding transparency information for child users, the DPC found that stating "peop...

Can Generative AI Survive the GDPR? (AI Governance Global, an IAPP event 2023)

The spectacular development of generative artificial intelligence has triggered global thinking about how best to regulate the technology's risks. Several proposals for new rules have been advanced, including during the legislative process for an EU AI Act. When it comes to issues related to data protection, privacy and security, however, generative AI is already regulated by the EU General Data Protection Regulation. Italy's data protection authority, the Garante, only lifted a ban on ChatGPT after OpenAI committed to take a series of actions to address GDPR issues. Still, major questions remain open, and several other DPAs have launched investigations, while the European Data Protection Board created a task force on this. What could be the legal basis for training large-language models with personal data? How should the other GDPR issues be addressed? Is it possible to reconcile the EU's data protection regulation with the need for innovation? And how is the potential governance of generative AI being shaped in the context of U.S. and global regulation?

GDPR fine calculation: A look at the EDPB's new guidelines and the UK's approach

The EU General Data Protection Regulation, which came into effect pre-Brexit in May 2018, introduced a consistent framework of fines to enforce compliance with data protection regulations across the EU. Some five years later, the European Data Protection Board released new guidelines on calculating administrative fines under the GDPR 24 May. These new guidelines aim to provide clarity and consistency in the calculation of fines across all EU member states and, in the EDPB's own words, "aim to ha...

Ireland DPC's data transfers decision: Pragmatic punch or knockout blow?

On May 22, Ireland's Data Protection Commission published its anxiously anticipated decision in the Meta data transfers case, which includes a record-breaking 1.2 billion euro fine, a stop-transfer order with a carefully delineated timeline and an order to cease unlawful processing of EU data in the U.S. within six months. Those who have watched the trans-Atlantic data transfer title fight closely enough to require sweat towels themselves might be asking — should we mark today's decision as a...

Meta's EU data transfer case faces Article 65 dispute resolution mechanism

The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. "We haven't been able to resolve the objections raised on our draft decision and have to trigg...

Breaking down enforcement of Meta’s legal basis for personalized ads

Last week, Ireland's Data Protection Commission fined Meta 390 million euros — 210 million euros against Facebook and 180 million euros against Instagram. In its decision, the DPC announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid and gave the company three months to bring data processing operations into compliance with the EU General Data Protection Regulation. Notably, the decision that Meta’s contract-based request for personali...

Using sensitive data to prevent AI discrimination: Does the EU GDPR need a new exception?

Organizations can use artificial intelligence to make decisions about people for a variety of reasons, such as selecting the best candidates from many job applications. However, AI systems can have discriminatory effects when used for decision making. For example, an AI system could reject applications of people with a certain ethnicity, even though the organization did not plan such discrimination. In Europe, an organization can run into a problem when assessing whether its AI system accidenta...

Are EU AI Act sandboxes viable without GDPR waivers for experimentation?

The proposed EU Artificial Intelligence Act is anticipated to pave the way for a regulated approach to the future development of artificial intelligence. One means of testing new AI technologies is through regulatory sandboxes created by various data protection authorities around Europe. To explore how AI regulatory sandboxes are helping companies develop their machine-learning models, IAPP Managing Director, Europe, Isabelle Roccia hosted a LinkedIn Live session Dec. 12 with Secure Practice co...

Proposed EU AI Act blurs lines between AI developers and data processors under GDPR

The proposed EU Artificial Intelligence Act and its intersections with the EU General Data Protection Regulation could present compliance issues for data compliance officers across the continent, according to IAPP Senior Westin Research Fellow Jetty Tielemans. The AI Act has some similarities with the Digital Services Act and the Digital Markets Act regarding how they clarify the GDPR, Tielemans said during a recent IAPP LinkedIn Live. However, she explained the AI Act differs in that "sensitiv...

Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?

The European Union is on the verge of adopting a series of regulations that will affect how data is collected and shared in the EU. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Artificial Intelligence Act and the Data Act. These acts do not focus on personal data — in fact, European lawmakers continuously stress that the main aim of these acts is to regulate nonpersonal data. But these acts also do not exempt personal data from their scope of appl...

Record of processing activities — Are you ready for maturity?

Let’s be honest — back in 2018, when the EU General Data Protection Regulation became enforceable in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulty convincing senior executives of the importance early enough, the time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizati...

A look behind the EDPB's move to enhance enforcement cooperation

Members of the European Data Protection Board met in Vienna, Austria, last month to forge closer cooperation on strategic cases and increase the methods available to data protection authorities for enhancing enforcement. The initial result from the two-day meeting was a statement on enforcement cooperation, in which authorities "will collectively identify cross border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and suppor...

Consent as legal basis for EU and UK employment

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Articles 6 and 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per...

CJEU ruling on GDPR litigation builds 'jurisprudence on data protection'

A ruling by the Court of Justice of the European Union confirming consumer groups have a right to file representative actions over alleged EU General Data Protection Regulation violations, when permitted under national law, unblocks dozens of cases and puts an end to a lingering enforcement question. The court’s April 28 judgment allows consumer protection organizations to autonomously bring forward lawsuits on behalf of consumers against an individual or entity claimed to be responsible for “a...

ICO GDPR Guidance: Special Category Data

This guidance from the U.K. Information Commissioner's Office discusses special category data in detail, specifically helping organizations understand the conditions for processing special category data and remaining compliant under the GDPR.

Dodging the one-stop shop

On Feb. 2, the Belgian Data Protection Authority issued its long-awaited decision against IAB Europe, finding IAB Europe’s Transparency and Consent Framework in violation of the General Data Protection Regulation. The decision has EU-wide impact as the Belgian DPA acted as the "lead DPA" under the one-stop-shop enforcement mechanism of the GDPR. This is noteworthy, as the Belgian DPA (in cases where it does not qualify as the lead DPA) has shown a reluctance on several occasions to apply the o...

Would anyone in their right mind reopen the GDPR? The IAF’s answer is yes.

The Information Accountability Foundation believes the EU General Data Protection Regulation should be amended to explicitly include knowledge creation and scientific research as legal bases to process personal data, providing a foundation for the responsible use of artificial intelligence. The IAF’s blog summarizing its comments on the European Commission’s proposed regulation on artificial intelligence suggested that the GDPR “should make possible technology applications such as AI” and that “...

3 years in, GDPR highlights privacy in global landscape

The EU’s General Data Protection Regulation took effect three years ago today, elevating awareness of privacy and data protection from boardrooms to living rooms and setting a standard for countries and jurisdictions around the world. “Broadly, it’s been really good. It’s been good for the privacy profession, it’s been good for individuals who are at the heart of the GDPR, it’s driven an acceleration of privacy program maturity and privacy technology development, and for privacy professionals i...

Federal Constitutional Court: CJEU must clarify whether GDPR provides materiality threshold

The German Federal Constitutional Court has ruled the Court of Justice of the European Union needs to clarify if the EU General Data Protection Regulation provides for a materiality threshold for GDPR damage claims. Background: The Federal Constitutional Court's decision overturns a judgment of the Goslar Local Court of Sept. 27, 2019, regarding the unlawful sending of an advertising email. The Local Court had held that the plaintiff had not suffered any compensable damage under Article 82 of t...

Encrypt your data to make GDPR and Russian Data Localization Law compatible

Russian law mandates data controllers store and update data collected from Russian citizens using Russian servers. Not only is this obligation technically complicated and often costly from the business perspective, but it is also a headache for the data protection officer. After all, keeping a portion of your user database located outside of the EU in a country that is not deemed adequate under Article 45 of the EU General Data Protection Regulation may conflict with data minimization and may ne...

Privacy pros say GDPR dispute-resolution trigger 'no surprise'

Uncertainty is a common theme in the privacy community, but it seems one thing that can always be counted on is a difference of opinion on how to apply the EU General Data Protection Regulation. This butting of heads recently revealed itself again as European data protection authorities triggered the dispute-resolution mechanism in Article 65 of the GDPR. The mechanism was invoked by the Irish Data Protection Commission in relation to its ongoing case against Twitter, one of the first high-prof...

Bird & Bird Guide to the General Data Protection Regulation

This guide from Bird & Bird summarizes the key changes the GDPR will bring and highlights the most important actions organizations should take in preparing to comply with it. The summary is divided into chapters sub-divided into themes. Each sub-chapter starts with a speed-read summary, a list of suggested priority action points, an assessment of the degree of change, and a signpost to guide you to relevant source material within the regulation.

GDPR’s second anniversary: A cause for celebration — and concern

Spanning more than 100 pages and 50,000 words — that’s 20,000 words more than Shakespeare’s "Hamlet" — the EU General Data Protection Regulation is more a hike up Mont Blanc than a stroll in the Jardin du Luxembourg. Adopted to great fanfare in 2016 and launched two years ago, May 25, 2018, it is often heralded as the most important technology-legal reform in a generation. With a broad geographical scope sweeping across national borders and industrywide application straddling even the public-pri...

White Paper – DPAs on the Ground

This piece focuses on the resources available to each DPA and its progress so far in addressing complaints, both individually and in coordination with other member states. Additionally, it highlights the GDPR's impact on budget and staffing levels in relation to a country's GDP. Results from the questionnaire provide an illustrative snapshot into DPAs’ work “on the ground.”

Why blockchain is not inherently at odds with GDPR

This article from Lokke Moerel and Marijn Storm addresses the current perception that blockchain is not compatible with the EU General Data Protection Regulation. The article argues none of the issues identified by legal scholars and stakeholders are likely to pose issues for blockchain applications and that the GDPR is well able to regulate this new technology.

What you must know about 'third parties' under GDPR and CCPA

With the EU General Data Protection Regulation being in force for quite a while and its "controller" and "processor" concepts for yet much longer, there seems to be a well-established practice for identifying third parties and where they fit into that picture. However, there are still situations in which this remains a significant challenge, both to organizations concerned and to the data protection authorities. The California Consumer Privacy Act, on the other hand, is a completely new legal a...

Platform helps organizations take deep dives into GDPR, CCPA

Privacy technology vendors have had plenty of success creating tools to tackle one component of the EU General Data Protection Regulation rather than the entirety of the law. Perhaps a vendor will focus on a handful of articles in order to create a specialized compliance tool that handles a specific aspect of the law really well, such as data subject access requests or privacy impact assessments. SafeGuard Privacy CEO and Co-Founder Richy Glassberg and Executive Vice President, General Counsel ...

How to 'background check' under the GDPR

Information security, risk and compliance are in focus and among the core issues for many companies. For obvious reasons, it was recognized early that people are one of the key factors and oftentimes the weakest link in organizational security. From this point of view, it was natural to conclude that by knowing more about your employees and future employees you mitigate, to a degree, risks arising from internal threats, and you are employing people with proven records and sufficient level ...

GDPR and CCPA: A compatibility story

The way companies use personal data is somewhat reminiscent of how people approach their wardrobes. You start buying clothes of a particular style or brand, but over time, your sense of fashion changes, and you buy based on new needs and desires. The use of personal data works in the same way, as companies collect data for one purpose and then use it differently as new needs arise. In both instances, the sudden change in direction merits some type of justification, and that's especially the cas...

The tension between GDPR and the rise of blockchain technologies

This paper from the CMS looks at the tension between the EU General Data Protection Regulation and the quick rise of blockchain and other distributed ledger technologies. It specifically looks at the issues of processing of personal data, identification and obligations of data controllers in a decentralized environment and the exercise of key data subject rights.

Publicly available data under the GDPR: Main considerations

One of the issues when applying the specific EU General Data Protection Regulation provisions, including the very principles relating to processing of personal data and data subject rights, is how to make these provisions work in practice when it comes to publicly available personal data. This is important, as clearly the GDPR applies in full irrespective of whether the data are or were publicly available. There are various provisions of the GDPR that refer to such types of data, but as they co...

GDPR one year later: Looking backward and forward

Late May is a good time for privacy regulations to come into effect. Prior to May, short days, cold weather and rain typically keep us indoors anyway, so what better to do than work on data protection? But, after May, it’s helpful to have things mostly in order to allow for more time wandering in and thinking about nature instead of data. Isn’t it? Well (wistfully), for many data protection officers, May 25, 2018, was hardly an ending. At the IAPP, we kept working into the summer and beyond to ...

Want Europe to have the best AI? Reform the GDPR

Artificial intelligence is rapidly transforming the global economy and society. From accelerating the development of pharmaceuticals to automating factories and farms, many countries are already seeing the benefits of AI. Unfortunately, it is becoming increasingly clear that the European Union’s data-processing regulations will limit the potential of AI in Europe. Data provides the building blocks for AI, and with serious restrictions on how they use it, European businesses will not be able to...

Global recall: How the GDPR impacts product recalls

On April 27, 2016, the European Parliament passed Regulation (EU) 2016/679, better known as the EU General Data Protection Regulation. The extensive consumer data privacy bill has an overarching goal to give European Union residents control over their personal data and to provide transparency between companies and consumers, causing wide-reaching effects on businesses and organizations worldwide. Further, many other jurisdictions have introduced their own consumer data privacy bills in line with...

Privacy professionals begin to look back at year one of the GDPR

Privacy professionals will probably never be able to forget the lead up to the EU General Data Protection Regulation, no matter how hard they try. Plenty of studies showed companies were not ready for the May 25, 2018, implementation date, which led to speculation about what would happen when the European rules finally arrived. One of those studies was conducted by McDermott Will & Emery and the Ponemon Institute. In their survey, released in April 2018, 40 percent of respondents said they ...

Recap: EDPB’s first-year review of GDPR

Last month, the European Data Protection Board released its first overview of the implementation and enforcement of the General Data Protection Regulation and the roles and means of the national supervisory authorities. The report indicates that the GDPR cooperation and consistency mechanisms are working quite well in practice due to the EDPB and national supervisory authorities’ ongoing efforts to facilitate collaboration and communication. Since May 25, 2018, the total number of cases reporte...

Op-ed: Encrypted data may still be personal under GDPR

In Josh Gresham’s recent piece for the IAPP, he opined that encrypted data should not be considered personal data under the EU General Data Protection Regulation. Encryption of data cannot, however, be deterministic as to whether that information is personal. As Josh correctly discusses, the GDPR provides existing factors for controllers to make that determination. First and foremost, a controller must decide whether the data relates to an “identified or identifiable natural person.” Putting as...

Infographic: GDPR Enforcement Priorities

Published: April 2018. European Supervisory Authorities have shed light on their initial enforcement priorities. Take a look at this IAPP infographic to learn more about where to focus your efforts to be on the right side of regulators.

GDPR Awareness Guide

Published: September 2017. The IAPP offers this high-level look at what the GDPR requires of organizations collecting or processing the data of individuals in the European Union, what rights it grants to individuals, and what consequences exist for not complying with the regulation.

The General Data Protection Regulation Matchup Series

Last Updated: October 2018. In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts.

GDPR Matchup Series:

The APEC Privacy Framework and Cross-Border Privacy Rules

Argentina’s draft Data Protection Act

Australia's Privacy Act 1988

Brazil's General D...