European Data Protection Board

Legal Framework

The EDPB was created by the EU General Data Protection Regulation (GDPR), adopted on 27 April 2016 and published in the EU Official Journal on 4 May 2016.

Please note that a corrigendum of the GDPR was published in the Official Journal on 23 May 2018 and is available here. The consolidated version of the EU General Protection Regulation (GDPR)  is available here.

The GDPR, which entered into force on 24 May 2016 and is applicable from 25 May 2018, creates a harmonised set of rules applicable to all personal data processing taking place in the EU.

The objective of this new set of rules is to ensure that personal data enjoys a high standard of protection everywhere in the EU, increasing legal certainty for both individuals and organisations processing data, and offering a higher degree of protection for individuals.

For certain sectors, specific rules continue to apply.

The Police Data Protection Directive (PDPD) applies to personal data processing carried out by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

This Directive was adopted together with the GDPR on 27 April 2016, and published in the EU Official Journal on 4 May 2016. It entered into force on 5 May 2016, and has to be transposed into the EU member states’ legislation to be fully applicable by 6 May 2018.

The GDPR and PDPD replaced Directive 95/46/EC for the private and most of the public sector, and Council Framework Decision 2008/977/JHA for the law-enforcement sector.

Regulation 45/2001 lays down the data protection rules which apply to EU institutions. The European Commission adopted a proposal on 10 January 2017 to bring these rules into line with the GDPR.