09 May 2016

European Parliament publishes new General Data Protection Regulation – new law will become enforceable on 25 May 2018

On 4 May 2016 the European Parliament and the European Council published the new General Data Protection Regulation (GDPR) in the Official Journal of the European Union. This is the final step of a legislative process spanning over five years. According to Art. 99 Sec. 2 GDPR it will enter into force on 25 May 2018.

For further details, please see our comprehensive summary, dated 7 November 2013 (here), as well as our alerts on 24 April 2014 (here) and on 14 January 2016 (here).

Key elements of the GDPR include:

  • Right to be forgotten

  • Right to data portability

  • A decision cannot be based solely on automated data processing

  • Implementing data protection by design and by default

  • Enhanced obligations to notify the relevant Data Protection Authority within 72 hours of a data breach

  • The need to carry out privacy impact assessments before high risk processing

  • “Lead authority” approach to cross-border processing

  • Increased penalties - up to 4 % of group annual worldwide turnover in the preceding financial year

The GDPR will be directly applicable throughout the European Union – and even beyond, if a company processes personal data of European citizens in connection with offering them goods or services or monitoring their behavior within the European Union.

Over the next two years, the impact of the GDPR will be discussed. Some practical questions are:

  • How to draft data protection clauses in contracts which (potentially) run until after 25 May 2018. Parties need to take the GDPR into account.

  • How to implement and execute the right to data portability. A company needs to be prepared to provide personal data in a way that another company can easily import it.

  • How to carry out a privacy impact assessment. A white paper has already been published describing a tool for preparing such an assessment.

  • The remaining scope of national data protection law, in other words the data protection regime under, for example, the German Teleservices Act and employment data protection.

We will provide you with updates on these discussions on a regular basis.
