EU-28: Adopted Regulation (EU) 2016/679 (GDPR) introducing data protection requirements

On 27 April 2016, the European Parliament and the Council adopted the General Data Protection Regulation (GDPR) which creates a comprehensive data protection regulation within the European Union. The GDPR introduces new obligations for organisations collecting, storing and processing data, as well as rights for data subjects. The GDPR provides six legal bases for the processing of personal data (user consent, contract, legal obligations, vital interests of the data subject, public interest and legitimate interest). It requires organisations collecting, storing and processing personal data to implement appropriate technical and organisational measures to protect the personal data of individuals against unlawful processing, loss, destruction or damage. Furthermore, organisations would be obliged to appoint a data protection officer to ensure that data controllers and processors comply with the requirements outlined in the regulation. Regarding data subject rights, chapter three of the GDPR outlines the rights, including among others the right to access to personal data, and rectification and erasure of personal data. Furthermore, the GDPR gives data subjects the right to access information about data processing, including the type of that that is processed and who has access to their data. Individuals also have the right to submit a complaint if they believe that their rights were violated. Regarding data breaches, the GDPR obliges organisations collecting, storing and processing data to notify the authorities in the case of data breaches within 72 hours after the incident and conduct an assessment of the data breach.