Privacy protection is paramount in a complex society where the line between private information and public data is thin. Alongside the domestic laws that protect the rights of individuals, the European Union protects the personal data of people within its territory through Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). Under the Regulation, individuals in the EU have enforceable control over personal data held by organisations, whether those organisations are private companies or public bodies.
The GDPR is a regulation rather than a directive: it is directly binding law in every member state without needing to be transposed into national legislation. It repealed the earlier Data Protection Directive (95/46/EC) and does two things at once: it strengthens the rights of individual data subjects to control their personal data, and it defines the obligations of the organisations (controllers and processors) that handle such data within the European Single Market. The core concern of the Regulation is the processing of personal data of individuals in that market. The single market extends to the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway), and the GDPR has been incorporated into the EEA Agreement accordingly.
Regulation (EU) 2016/679 sets out six lawful bases for processing personal data (Article 6): consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. Consent is not a blanket or permanent authorisation: it must be freely given, specific and informed for a stated purpose, and the data subject may withdraw it at any time. Data subjects may also request erasure of their data under the right to erasure (Article 17), and the Regulation obliges the controller to act on a valid request rather than leaving removal to its discretion.
The Regulation protects individuals in the European Economic Area, but its territorial reach is not limited to organisations established there. It applies to any processing carried out in the context of an establishment in the EEA, and also to controllers and processors established elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EEA (Article 3). Nationality is irrelevant; what matters is that the data subject is in the EEA. Because a regulation has direct effect, the GDPR is legally binding in the EU member states and, through the EEA Agreement, in the EEA countries. Member states remain bound by the principles of the TFEU and the single market, so a uniform European regulation ensures a level playing field while respecting the sovereignty of the member states. The Regulation does leave room for national variation through its opening clauses, for example on the age of digital consent (Article 8, which allows member states to set it between 13 and 16 years), so domestic rules may differ, but only within the limits the Regulation sets and as long as its aims and objectives are met.
The Regulation has applied since 25 May 2018. Any organisation that processes personal data within its scope must comply, regardless of its purpose, size or legal form. Violations can trigger regulatory intervention by the supervisory authorities, administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83), and civil liability towards the individuals affected. Small and medium-sized enterprises, associations and volunteer networks are not exempt. The decisive criterion is simply whether personal data of individuals in the European Economic Area is being processed.