A single market needs identical rules for all participants within the territory. The European Union defines the legal and administrative borders for its member states. As such, several directives and mandatory measures with direct effect are implemented. To protect the privacy of its citizens and maintain the functioning of an equal level playing field, the General Data Protection Regulation, GDPR, was adopted in 2016 and is effective since May 2018. The GDPR has direct effect and applies to the personal data of all natural persons in the EEA and must be followed by any enterprises dealing with this personal data, regardless of its location. The consistent and homogenous application of the regulation delivers objective standards and legal certainty in particular with regard to online activity.
Personal data and privacy became of paramount importance due to an increase in the cross-border flow of personal data, substantiated by economic and social integration, rapid technological developments and furthering globalisation. As such, protection, control and regulation require a legal framework. The GDPR provides for such enforceable set of rules in the European Union and European Economic Area.
The objective of the GDPR is to ensure a consistent and high level of protection of natural persons. To achieve this objective, the regulation removes obstacles to flows of personal data within the Union. Furthermore, the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all member states. Privacy rights are governed by domestic rules in compliance with Union Law. The consequence is that enterprises follow the local rules of the countries they collect and process data from, whilst these local rules can be tested by via the Pan-European GDPR.
The fundamental principles of the single market comprise the equal treatment of EU citizens and the free movement of goods, capital, services and people. Online, cross-border and virtual transmission of personal data makes it difficult to control these data flows. With a furthering public availability and integration of sensitive data belonging to natural persons, control over such data must be warranted. The European Union seeks to protect its citizens. In relation to personal data, the European GDPR aims to protect the privacy of its citizens.
Data protection, and consequently the GDPR, is important for natural persons whose data might be considered sensitive. Thus, enterprises that deal with these data must follow the Regulation. Participants in the GDPR are referred to as data subjects, controllers and processors.