EU GDPR regime

EU GDPR regime

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This subtopic addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) and its key features at a supranational level. The regime is referred to as ‘general’ since there are special regimes applicable to the processing of personal data in niche areas, such as law enforcement processing and processing by the intelligence services, that are unlikely to be relevant to most organisations. Individual EEA states may exercise a number of national derogations and other discretions to put in place various additional or alternative data protection laws and the various supervisory authorities in each state may

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

Commission launches consultation to revise the EU Cybersecurity Act and strengthen the EU cybersecurity framework

The European Commission launched a call for evidence to support the preparation of a legislative proposal to revise the EU Cybersecurity Act. The initiative aims to strengthen EU cyber resilience, update the mandate of the EU Agency for Cybersecurity (ENISA) and improve the effectiveness of the European Cybersecurity Certification Framework. The Commission noted that the cybersecurity landscape has become significantly more complex and threat‑intensive since the Act’s adoption in 2019, while subsequent EU legislation has expanded ENISA’s tasks beyond its original mandate, creating the need to streamline, simplify and supplement the existing framework to ensure coherence, reduce administrative burdens and improve implementation for businesses and users. The initiative focuses on measures to support a secure and resilient Information and Communication Technology supply chain and the EU cybersecurity industrial base, addresses shortcomings in the certification framework such as slow adoption, unclear roles, limited agility and insufficient clarity on covered risks, including non‑technical factors, and considers alignment with newer instruments such as the Cyber Resilience Act. The Commission outlined policy options ranging from non‑legislative measures to targeted or comprehensive regulatory revision, stating that EU‑level action is required to prevent internal market fragmentation and to secure long‑term economic and social benefits through greater harmonisation, stronger cybersecurity and resilience, more efficient incident response and enhanced protection of fundamental rights, including personal data. The call for evidence will run until 20 June 2025.

Commission imposes definitive anti-dumping duties on Chinese steel cylinder imports

The European Commission has imposed definitive anti-dumping duties ranging from 57.7% to 90.3% on high-pressure seamless steel cylinders for compressed or liquefied gas imported from China. The measures follow an investigation that identified unfair trade practices covering cylinders of all diameters and volume capacities. During the investigation period, from 1 July 2023 to 30 June 2024, the EU market totalled 6.4 million units, of which 4.5 million units were imported from China.

Commission announces entry into force of EU-Singapore Digital Trade Agreement

The European Commission has announced that the EU-Singapore Digital Trade Agreement (DTA) entered into force on 2 February 2026, representing the EU's first standalone bilateral digital trade agreement. The DTA establishes rules for cross-border digital transactions and includes commitments on online consumer protection, personal data and privacy protection, as well as safeguards against unsolicited commercial communications. It promotes paperless trade, recognises the validity of electronic signatures, contracts and invoices and prohibits the imposition of customs duties on electronic transmissions. The DTA also prohibits unjustified data localisation requirements and the forced transfer of software source code. The DTA builds on the 2019 EU-Singapore Free Trade Agreement, with negotiations on the agreement having commenced on 20 July 2023.

ACER publishes Rules of Procedure for cross-border REMIT investigations

The Agency for the Cooperation of Energy Regulators (ACER) has published Rules of Procedure setting out how it will investigate suspected cross-border breaches of the EU Regulation on Wholesale Energy Market Integrity and Transparency (REMIT). This followed legislative changes in 2024 that gave ACER a mandate to investigate cases affecting more than one Member State. The rules explain how ACER will examine suspected insider trading, market manipulation, failures to disclose inside information, data reporting breaches and obligations on persons professionally arranging or executing transactions. They set out ACER’s investigatory powers, including on-site inspections, requests for information and interviews, while confirming that enforcement remains the responsibility of national regulatory authorities. The Rules of Procedure describe the stages of investigations, the decision-making process and the rights and obligations of the parties concerned. They are intended to ensure legal certainty, due process, fairness and efficiency. ACER is expected to begin using these cross-border investigatory powers from the second half of 2026.