Skip to main content

Legal framework of EU data protection

Information on EU legislation concerning the protection of personal data, as well as on the authorities that ensure that this legislation is applied consistently.

Overview

Data protection is a fundamental right in the EU. This right is enshrined in Article 8 of the EU Charter of Fundamental Rights.

EU data protection legislation is comprised of the General Data Protection Directive (GDPR), the Law Enforcement Directive (LED), and the Data Protection Regulation for EU institutions, bodies, offices and agencies (EUDPR). 

To ensure that this legislation is applied consistently, national and European data protection authorities and bodies have been established.

Legislation

The General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This text includes the corrigendum published in the OJEU of 23 May 2018.

The adoption of the GDPR was an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. A single law significantly reduces the fragmentation in different national systems and unnecessary administrative burdens.

The regulation entered into force on 24 May 2016 and applies since 25 May 2018.

The GDPR has been incorporated into the EEA Agreement, making it applicable throughout the European Economic Area. 

EU Member States must notify the Commission about how they implemented a number of the GDPR provisions

Access reports, communications and other publications on the GDPR

Guidance and tools for the application of the GDPR

The Commission issued guidance on the application of EU data protection law in the electoral context in September 2018, and guidance on apps supporting the fight against COVID-19 pandemic in relation to data protection in April 2020.

In June 2021, the Commission adopted two sets of Standard Contractual Clauses (SCCs): one for the use between controllers and processors within the European Economic Area (EEA) and one for the transfer of personal data to countries outside of the EEA.

In May 2022, the Commission published Questions and Answers to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the GDPR. These Questions and Answers are based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption. They are intended to be a ‘dynamic’ source of information and will be updated as new questions arise.

Access publications on the SCCs

The Law Enforcement Directive (LED)

Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.

The directive protects citizens' fundamental right to data protection whenever personal data is used by criminal law enforcement authorities for law enforcement purposes. It ensures that the personal data of victims, witnesses, and suspects of crime are duly protected. At the same time, the Directive facilitates cross-border cooperation in the fight against crime and terrorism.

The directive entered into force on 5 May 2016 and EU Member States had to transpose it into their national law by 6 May 2018.

Access reports, communications and other publications on the LED

Data Protection Regulation for EU institutions, bodies, offices and agencies (EUDPR)

Regulation 2018/1725 sets forth the rules applicable to the processing of personal data by European Union institutions, bodies, offices and agencies. It is aligned with the General Data Protection Regulation and the Law Enforcement Directive.

The regulation entered into application on 11 December 2018.

Access report on the EUDPR

Data Protection Officer in the European Commission

The European Commission has appointed a Data Protection Officer who is responsible for monitoring the application of data protection rules in the European Commission. The Data Protection Officer independently ensures the internal application of data protection rules in cooperation with the European Data Protection Supervisor.

Authorities and bodies

National data protection authorities

EU Member States have set up national data protection authorities (DPAs) responsible for protecting personal data in accordance with Article 8(3) of the Charter of Fundamental Rights of the EU.

DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the GDPR and the relevant national laws.

In 2023, the Commission proposed the GDPR procedural regulation, which aims to streamline cooperation between DPAs when enforcing the GDPR in cross-border cases. It supplements the GDPR in a targeted way by specifying procedural rules to be followed by DPAs when applying the GDPR in cases which affect individuals in more than one Member State.

European Data Protection Board

The European Data Protection Board (EDPB) is an independent European body tasked with ensuring the consistent application of data protection rules throughout the European Union. The EDPB was established by the General Data Protection Regulation (GDPR).

The EDPB is composed of the representatives of the national data protection authorities of the EU/EEA countries and of the European Data Protection Supervisor (EDPS). The European Commission participates in the activities and meetings of the Board without voting right.  The secretariat of the EDPB is provided by the EDPS. The secretariat performs its tasks exclusively under the instructions of the Chair of the Board.

The EDPB’s tasks consist primarily in providing general guidance on key concepts of the GDPR and the Law Enforcement Directive advising the European Commission on issues related to the protection of personal data and new proposed legislation in the European Union, and adopting binding decisions in disputes between national data protection authorities.

European Data Protection Supervisor

Regulation 2018/1725 established the European Data Protection Supervisor (EDPS)The EDPS is an independent EU body responsible for monitoring the application of data protection rules within the European Union institutions, bodies, offices and agencies and for investigating complaints.