As compared to Directive 95/46/EC (the “Data Protection Directive”) which it replaces, the new General Data Protection Regulation seeks to extend the reach of EU data protection law. − An EU based data controller and processor falls into its scope where GDPR personal data is processed “in the context of its activities” - a broadly interpreted test. − Where no EU presence exists, the new General Data Protection Regulation will still apply whenever: (1) an EU resident’s personal data is processed in connection with goods/services offered to him/her; or (2) the behaviour of individuals within the EU is “monitored”.
• Despite being a Regulation, the new General Data Protection Regulation allows Member States to legislate in many areas. This will challenge the new General Data Protection Regulation’s aim of consistency, including employee data processing.
• The new General Data Protection Regulation does not apply to certain activities – including processing covered by the Law Enforcement Agencies (“LEA”) Directive, for national security purposes and processing carried out by individuals purely for personal/ household activities.
• The new General Data Protection Regulation will take effect on 25 May 2018.
GDPR Facts & Figures