blog immagine

General Data Protection Regulations

The European Parliament and European Council have introduced a unifying set of regulations for companies that collect personal data of the citizens of European Union. This was introduced as General Data Protection Regulations i.e. regulation (EU) 679/2016. These regulations will take effect from May 25, 2018 after the completion of a 2 year transition period. Once effective, these regulations will be binding on all the European countries, unlike directives-where countries are required to pass subsequent Legislations. Hence, these regulations will unify the laws related to Data Privacy across Europe.

The Administrative Framework

GDPR also introduces a certain degree of simplicity in the framework of Data Protection laws for the Data Controllers and Data Processors. A central European Data Protection Board will be established under these regulations which will be responsible for the coordination of the Independent Supervisory Authorities of all the European States, which are also to be established. All the Data controllers and Data Processors will have a lead Supervisory Authority based on the location of their main operations. This entire system will work as a one stop shop for the Data Controllers and Data Processors.

 Jurisdiction- The companies coming under the effect

Currently, there is some ambiguity regarding the Data Protection laws of European Union. This question of jurisdiction of the privacy related data regulations of European Union has come under discussion in many court proceedings.

The GDPR clarifies this ambiguity and makes it certain that all the companies that control or process the personal data of the subjects who are the citizens of any European state come under the jurisdiction of these regulations.  These regulations will be applicable to all such above stated companies regardless of their area of operation. Even if a company operates from outside of EU but controls or processes the personal data of its citizens, these regulations will apply to them.

Another ambiguity about the jurisdiction is clarified by a very precise definition of Personal Data. According to article 4 of these regulations:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Post- Brexit scenario for U.K Based Companies

The companies which are primarily based in United Kingdom but control or process the personal data of the European Citizens also come under the jurisdiction of these regulations regardless of what happens after Brexit. However the status of the companies who are based in U.K, and only control or process the data of the citizens of U.K, remains unclear to this date.

 Obligations on the Data Processors and Controllers

General Data Protection Regulations give back the control to the European citizens over their personal data which is regularly collected by different companies for various purposes. In order to make this control effective there are some rights and options which are extended to the citizens under these regulations. Following are the main rights and options extended to the citizens:

  • Right to be forgotten: Article 17 of these regulations gives the citizens an option to ask the companies to delete any or some specific data which was collected about them.
  • Right to access: Article 15 of these regulations gives a right to the citizens to access the data that has been collected about them. Upon request companies are required to show it to the citizens that in what way their personal data is being processed.
  • Data Portability: Article 20 of these regulations gives a right to the citizens to be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
  • Right to be notified: Article 33 of these regulations provides the citizens with the right to be notified in case of major Data Breaches which might infringe upon the privacy rights of the individuals.
  • Consent: The regulations around consent have been further strengthened. It is important for the companies to obtain explicit consent of the citizens for processing their data. These regulations also give the citizens a right to withdraw their consent easily. Article 7 describes the regulations around consent very specifically.

These are some of the main rights and options which are extended to the citizens to provide them with an effective control over their personal data. All the Data Controllers and Data Processors are under an obligation to facilitate the citizens in the exercise of these rights.


There are multiple sanctions that can be imposed on companies failing to comply with these regulations. These sanctions range from regular data audits to million euros fines. These regulations also provide with the provisions under which organizations can be fined. This fine can be up to 4 percent of annual global turnover for preceding year or 20 million EUR, whichever is greater, in case of the breach of these regulations. This is the maximum fine that can be imposed for the most serious infringements such as not having the sufficient consent of the citizen for processing data.

In the light of these new regulations, it is certain that the privacy policy of all the European states is set to enter into a new era. In this new age of digital economy when the importance of data has increased significantly, these new regulations are set to make sure that the privacy of the citizens can be protected. These regulations are set to achieve this goal by increasing the control of citizens over their personal data and by introducing specific regulations and sanctions for the companies.

Studio Legale Salata

Contact us for a free preliminary consultation

Articoli correlati

Nessun articolo