European Data Protection Supervisor
European Data Protection Supervisor

The History of the General Data Protection Regulation

The History of the General Data Protection Regulation

The EU's data protection laws have long been regarded as a gold standard all over the world. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined so a review of the rules was needed.

In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the1995 Data Protection Directive which was adopted at a time when the internet was in its infancy.

The GDPR is now recognised as law across the EU. Member States have two years to ensure that it is fully implementable in their countries by May 2018.

The timeline below contains key dates and events in the data protection reform process from 1995 to 2018.

The timeline also contains highlights of some of the ways that the GDPR strengthens your right to data protection. These can be found under the headings Did you know.

Timeline

The General Data Protection Regulation will apply from this day

Did you know

Appointment of a Data Protection Officer
  • Some organisations, for instance those whose core activities involve regular and systematic monitoring of personal or sensitive data on a large scale as well as public sector organisations, will have to appoint a Data Protection Officer to ensure they comply with the GDPR.

Did you know

Appointment of a Data Protection Officer
  • Some organisations, for instance those whose core activities involve regular and systematic monitoring of personal or sensitive data on a large scale as well as public sector organisations, will have to appoint a Data Protection Officer to ensure they comply with the GDPR.
25/05/2018

Data Protection Directive for the police and justice sectors into national legislation applicable from this day

Members States must have transposed the Data Protection Directive for the police and justice sectors into national legislation. It will be applicable from this day.

Members States must have transposed the Data Protection Directive for the police and justice sectors into national legislation. It will be applicable from this day.

Did You Know

Privacy by Design
  • Organisations processing personal data must take measures to ensure that the data is protected by design.
    The aim of privacy by design is to build privacy and data protection into the design and architecture of information and communication systems and technologies so that they comply with privacy and data protection principles.
06/05/2018

EC proposes two new regulations on privacy and electronic communications and on the data protection rules applicable to EU institutions

The European Commission proposes two new regulations on privacy and electronic communications (ePrivacy) and on the data protection rules applicable to EU institutions (currently Regulation 45/2001) that align the existing rules to the GDPR.

The European Commission proposes two new regulations on privacy and electronic communications (ePrivacy) and on the data protection rules applicable to EU institutions (currently Regulation 45/2001) that align the existing rules to the GDPR.

Did You Know

Privacy By Default
  • Organisations processing personal data must take measures to ensure that the data is protected by default.
    Privacy by default requires that technical and organisational measures are put in place so that only the necessary personal information is processed, used or accessed for a specified purpose.
10/01/2017

The Regulation enters into force, 20 days after publication in the Official Journal of the EU

Did You Know

Your Data Protection Rights
  • The GDPR reinforces a wide range of existing rights and establishes new ones for individuals including:
  • the right to erasure (right to be forgotten); you can request that an organisation delete your personal data, for instance where your data are no longer necessary for the purposes for which they were collected or where you have withdrawn your consent.

Did You Know

Your Data Protection Rights
  • The GDPR reinforces a wide range of existing rights and establishes new ones for individuals including:
  • the right to erasure (right to be forgotten); you can request that an organisation delete your personal data, for instance where your data are no longer necessary for the purposes for which they were collected or where you have withdrawn your consent.
24/05/2016

The Article 29 Working Party issues an action plan for the implementation of the GDPR

Did you know

Your Data Protection Rights
  • The GDPR reinforces a wide range of existing rights and establishes new ones for individuals. These include the: 
  • Right of data portability: You have the right to receive your personal data from an organisation in a commonly used form so that you can easily share it with another.
  • Right not to be profiled: Unless it is necessary by law or a contract, decisions affecting you cannot be made on the sole basis of automated processing.

Did you know

Your Data Protection Rights
  • The GDPR reinforces a wide range of existing rights and establishes new ones for individuals. These include the: 
  • Right of data portability: You have the right to receive your personal data from an organisation in a commonly used form so that you can easily share it with another.
  • Right not to be profiled: Unless it is necessary by law or a contract, decisions affecting you cannot be made on the sole basis of automated processing.
02/02/2016

EP, Council and EC reach an agreement on the GDPR

The European Parliament, the Council and the Commission reach an agreement on the GDPR.

The European Parliament, the Council and the Commission reach an agreement on the GDPR.

Did you know

International Data Transfers
  • The GDPR ensures that the rights and safeguards it provides to individuals in the EU are preserved when their data are transferred outside of the Union
  • The European Commission will continue to adopt adequacy decisions where a country offers a legal framework for data protection that is essentially equivalent to the EU.
  • Without an adequacy decision, data can be transferred to a country if the processing organisation puts in place binding corporate rules, contractual clauses or other appropriate safeguards.
  • Without these, transfers can only take place under strict circumstances, for example, with the consent of the individual or where the transfer is necessary for the conclusion or the performance of a contract. 
15/12/2015

EDPS recommendations on the final text of the GDPR

The European Data Protection Supervisor publishes his recommendations to the European co-legislators negotiating the final text of the GDPR in the form of drafting suggestions. He also launches a mobile app comparing the Commission's proposal with the latest texts from the Parliament and the Council.

The European Data Protection Supervisor publishes his recommendations to the European co-legislators negotiating the final text of the GDPR in the form of drafting suggestions. He also launches a mobile app comparing the Commission's proposal with the latest texts from the Parliament and the Council.

Did you know

Fines
  • The GDPR introduces fines for organisations breaching EU data protection law which can amount to €20 million or 4% of the company’s worldwide turnover.
27/07/2015

The Council reaches a general approach on the GDPR

Did you know

The European Data Protection Board
  • The European Data Protection Board will replace the Article 29 Working Party. The European Data Protection Supervisor will provide the secretariat for this new, independent European body of which all European data protection authorities will be members. The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and decisions.

Did you know

The European Data Protection Board
  • The European Data Protection Board will replace the Article 29 Working Party. The European Data Protection Supervisor will provide the secretariat for this new, independent European body of which all European data protection authorities will be members. The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and decisions.
15/06/2015

EP adopts GDPR

The European Parliament demonstrates strong support for the GDPR by voting in plenary with 621 votes in favour, 10 against and 22 abstentions.

The European Parliament demonstrates strong support for the GDPR by voting in plenary with 621 votes in favour, 10 against and 22 abstentions.

Did you know

One-Stop-Shop & Consistency Mechanism
  • The GDPR introduces a single point of contact for cross-border data protection matters. Where the processing organisation is established in several Member States and/or where individuals in several Member States are affected, the supervisory authority in the Member State where the organisation has its main establishment will be the lead authority, responsible for adopting measures directed at the organisation, in cooperation with all involved supervisory authorities.
12/03/2014

WP29 update on data protection reform

The Article 29 Working Party provides further input on the data protection reform discussions.

The Article 29 Working Party provides further input on the data protection reform discussions.

Did you know

Data breach notification
  • Organisations must notify data breaches to their data protection authority within 72 hours unless the breach is unlikely to pose a risk for individuals. In specific cases, they will have to inform the affected individuals.
05/10/2012

WP29 Opinion on data protection reform proposal

The Article 29 Working Party adopts an Opinion on the data protection reform proposal.

The Article 29 Working Party adopts an Opinion on the data protection reform proposal.

Did you know

Consent
  • Consent of the individual is one of the few circumstances under which an organisation may lawfully process personal data. Consent must be freely given, informed and unambiguous. Individuals may withdraw their consent at any time. In addition, consent to process sensitive personal data as well as consent to transfer personal data outside the EU must be explicit.
  • Parental consent is required for children aged 13 to 16, depending on the Member State.
23/03/2012

EDPS Opinion on EC data protection reform package

The European Data Protection Supervisor adopts an Opinion on the Commission's data protection reform package.

The European Data Protection Supervisor adopts an Opinion on the Commission's data protection reform package.

Did you know

Accountability
  • The accountability principle means that organisations and any third parties who help them in their data processing activities must be able to demonstrate that they comply with data protection principles. This includes for instance, documenting their processing activities to prove that they adopted appropriate measures and steps to implement their obligations. In certain cases, organisations will have to carry out a data protection impact assessment.
07/03/2012

EC proposal to strengthen online privacy rights and digital economy

The European Commission proposes a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.

The European Commission proposes a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.

Did you know

Expanded territorial reach
  • Organisations established outside the EU, offering goods and services to, or monitoring individuals in the EU, must comply with the GDPR and designate a representative in the EU.
25/01/2012

EDPS Opinion on EC Communication 'A comprehensive approach on personal data protection in EU'

The European Data Protection Supervisor publishes an Opinion on the European Commission's Communication.

The European Data Protection Supervisor publishes an Opinion on the European Commission's Communication.

Did you know

The GDPR kickstarts the updating of other regulations...
  • Member States are entitled to provide specific rules or derogations to the GDPR, where freedom of expression and information is concerned; or in the context of employment law; or to preserve scientific or historical research. 
  • Similarly, the entry into force of the GDPR requires the updating of other EU regulations, such as the revision of the ePrivacy directive which regulates the confidentiality of communications and the use of cookies, or Regulation 45/2001 which applies to the EU institutions when they process personal data.
22/06/2011

Directive 95/46/EC is adopted

The European Data Protection Directive (Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted.

The European Data Protection Directive (Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted.

Did you know

The GDPR kickstarts other data protection actions
  • The European Commission will review the existing list of countries which offer an adequate level of protection of personal data.
  • Data Protection Authorities will, at national and EU level, explore data protection certification - granting seals and marks to services - to reinforce consumer confidence.
24/10/1995