Data protection in the EU
In today's digital age, where information is constantly shared, collected and processed, there is a need for clear and strong data protection rules.
Data protection is a fundamental right under EU law. EU data protection legislation is comprised of the General Data Protection Directive (GDPR), the Law Enforcement Directive (LED), and the Data Protection Regulation for EU institutions, bodies, offices and agencies (EUDPR).
To ensure that this legislation is applied consistently, national and European data protection authorities and bodies have been established.
Find out more about the EU's legal framework for data protection
Data protection: questions and answers
Read about key concepts such as personal data, data processing, when and to whom the GDPR applies to, and more.
Read about the rights you have over your personal data under the GDPR, how to exercise these rights, and more.
Read about data protection principles and obligations, enforcement of the rules, dealing with individuals' requests, and more.
The information and guidance in these webpages are intended to contribute to a better understanding of EU data protection rules.
This is intended purely as a guidance tool – only the text of the General Data Protection Regulation (GDPR) has legal force. As a consequence, only the GDPR is liable to create rights and obligations for individuals. This guidance does not create any enforceable right or expectation.
The binding interpretation of EU legislation is the exclusive competence of the Court of Justice of the European Union. The views expressed in this guidance are without prejudice to the position that the Commission might take before the Court of Justice.
Neither the European Commission nor any person acting on behalf of the European Commission is responsible for the use which might be made of the following information.
As this guidance reflects the state of the art at the time of its drafting, it should be regarded as a 'living tool' open for improvement and its content may be subject to modifications without notice.
International dimension of data protection
The EU has established international data protection agreements to ensure that EU citizens' personal data remains protected even if transferred outside the EU.
EU data protection legislation includes safeguards for when transferring data to third countries, including adequacy decisions, standard contractual clauses (SCC) and binding corporate rules (BCR).
Find out more about the international dimension of data protection
Funding to support the implementation of the GDPR
The Commission has provided funding to national data protection authorities to finance projects that support the implementation of the GDPR.
These projects aim to equip individuals and businesses with the knowledge and resources needed to navigate and ensure compliance with data protection rules.
The types of projects funded by the Commission typically include awareness-raising campaigns, training programs, and the development of practical tools and materials that can facilitate small and medium-sized enterprises' (SMEs) compliance with the GDPR.
Timeline
- 25 July 2024
The Commission publishes the second report on the application of the General Data Protection Regulation (GDPR).
- 4 July 2023
The Commission proposes further specifying procedural rules relating to the enforcement of the GDPR.
- 14 October 2022
The Commission publishes the first report on the application of the Data Protection Regulation for EU institutions, bodies, offices and agencies (EUDPR).
- 25 July 2022
The Commission publishes the first report on the application of the LED.
- 24 June 2020
The Commission publishes the first report on the application of the GDPR.
- 11 December 2018
The EUDPR becomes applicable.
- 23 October 2018
The European Parliament and the Council adopt the EUDPR.
- 25 May 2018
The GDPR becomes applicable.
- 6 May 2018
The Member States have to transpose the LED into their national law.
- 10 January 2017
The Commission proposes the EUDPR.
- 24 May 2016
The GDPR enters into force.
- 5 May 2016
The LED enters into force.
- 27 April 2016
The European Parliament and the Council adopt the LED and the GDPR.
- 25 January 2012
The European Commission proposes a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.
- 4 November 2010
The Commission presents a Communication to the other EU institutions on "A comprehensive approach on personal data protection in EU".
- 24 October 1995
The European Data Protection Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data is adopted with a transposition deadline of three years from the date of its adoption.