Factbox: Europe's new data protection law - what will change?

BRUSSELS (Reuters) - The European Union’s General Data Protection Regulation (GDPR) is the biggest overhaul of data privacy laws in over 20 years.

FILE PHOTO: A 3D-printed Facebook logo is seen in front of the logo of the European Union in this picture illustration made in Zenica, Bosnia and Herzegovina on May 15, 2015. REUTERS/Dado Ruvic/Illustration/File Photo

The law will come into force on May 25, giving EU citizens new rights over how their personal data are used. Companies doing business in the EU will face new rules on how they handle people’s data and stiff penalties for breaching the law.

For a related story please click here:

Here are some key elements of GDPR:


Under GDPR, personal data is anything that relates to an identified or identifiable individual. For example: name, address, email address, location data or computer IP address.

Sensitive data, such as religious beliefs, racial or ethnic origin, sexual orientation or trade union membership, are subject to extra protections.


People living in the EU will get the right to:

- Receive clear and understandable information about who is processing their data and why.

- Access data an organization holds about them.

- Ask for personal data to be erased if there is no longer any legitimate reason to keep it.

- Have data corrected if it is incorrect.

- Move data from one service provider, such as an email service or social network, to another.


GDPR foresees fines of 2 to 4 percent of a company’s annual revenues or 20 million euros ($24 million), whichever is higher.


Companies will need to get freely given, specific, unambiguous and informed consent from individuals to process their data. They will also need users to opt in to the processing of their data - simply giving them an opt out will not be valid. In other words, companies will no longer be able to ask consumers to tick a box after a long set of terms and conditions that most people never read.


GDPR will apply to any company that has customers in the EU, whether the firm was established in the bloc or not.


GDPR distinguishes between data “controllers” and data “processors”. A data controller determines why personal data must be collected and processed as well as how. A data processor only processes personal data on behalf of the controller and is usually a third-party company.

For example a retailer that hires a human resources company to handle payroll and other functions is the data controller, while the human resources company is the data processor.

Under GDPR, data processors must guarantee the same standards as controllers and ensure they meet the requirements of the law. There must be a legal contract between a processor and a controller, and a processor may not engage another company to process data without the controller’s consent.


Companies processing personal data must ensure it is lawful, fair and transparent. They may not use data for purposes other than those for which it was collected, with limited exceptions.

Data processing is lawful if:

- An individual has consented to it.

- It is necessary for the performance of a contract.

- It is necessary to meet a legal obligation under EU or national law.

- It is necessary to protect the vital interests of an individual.

- It is necessary to carry out a task in the public interest under EU or national law.

- It is in the company’s legitimate interest, as long as it does not override an individual’s fundamental rights and freedoms.

If a company collected data on the basis of consent, then it may not use it for other purposes.


Companies must notify data protection authorities of data breaches within 72 hours of becoming aware of it, if it is likely to impact the rights of individuals. If the breach carries a high risk for individuals then the company must notify the affected people without undue delay.


GDPR introduces a “one-stop shop” mechanism to make it easier for companies operating across the EU, for example Facebook, Google and Mastercard.

Companies processing data across the bloc will have a lead authority in the country where they have their main establishment, for example Facebook in Ireland.

The lead authority will be the main point of contact for the company and responsible for ensuring its compliance with GDPR. In cases involving citizens from several countries the lead authority will coordinate with other “concerned” authorities. If there are disputes between authorities, a new body, the European Data Protection Board (EDPB), can make binding decisions.

($1 = 0.8354 euros)

Reporting by Julia Fioretti; Editing by Douglas Busvine and Pravin Char