EU GDPR framework and compliance


On 15 December 2015, the European Union Parliament, the European Union Council and the European Union Commission reached an agreement on the new data protection rules, establishing a modern and harmonized data protection framework across the European Union (EU) with relevance to third world countries. The political support offered to these new rules by the competent EU Institutions was widely approved as the innovative framework will also serve the purpose of enhancing and supporting the EU.

Digital Single Market Strategy

On 27 April 2016, the European Parliament and Council adopted the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (universally known as “General Data Protection Regulation – GDPR”). On the same day, both institutions also adopted the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.  On 4 May 2016, the official texts of this Regulation and this directive have been published in the EU Official Journal in all the official languages. While the GDPR entered into force on 24 May 2016, and started to be effective the 25 May 2018. The Directive entered into force on 5 May 2016 and EU Member States transposed it into their national law by 6 May 2018.

The GDPR is celebrated as an essential step to strengthen EU citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. For instance, it aims to simplify and clarify the current fragmentation and costly administrative burdens. The EU Commission has calculated that this simplification will lead to savings for businesses of around €2.3 billion a year. The directive for the police and criminal justice sector, instead, aims to protect EU citizens’ fundamental rights to data protection whenever personal data is used by criminal law enforcement authorities. It wants to ensure that the personal data of victims, witnesses, and suspects of crimes are duly protected. The directive aims also to further facilitate cross-border cooperation of competent bodies in the fight against crime and terrorism.

Relevance For Transfer of Data to Third World Countries:

The EU Commission will be responsible to adopt decisions on the adequacy of the protection of personal data in third world countries, when related to the transfer of EU citizens’ data to such countries. In fact, the European Council and the European Parliament have given the EU Commission the power to determine, on the basis of Art. 25(6) of Directive 95/46/EC whether a “third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into”.

The adoption of a (comitology) Commission decision based on Art. 25.6 of the Directive involves:

  • A proposal from the Commission
  • An opinion by Member States’ data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS) in the framework of the “Article 29 Working Party<
  • An approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”
  • The adoption of the decision by the College of Commissioners;
  • At any time, the European Parliament and the European Council may request the Commission to maintain, amend or withdraw the adequacy decision claiming its act exceeds the implementing powers provided for in the directive.

 The effect of such a decision of the Commission is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to third world countries without any further necessary safeguards.

The Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection.

These adequacy decisions do not cover data exchanges in the law enforcement sector.  For special arrangements concerning exchanges of data in this field, see the PNR (Passenger Name Record) and TFTP (Terrorist Financing Tracking Programme) agreements.

 All information contained in this page is of official source, accessible at the European Commission