EU GDPR regime

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This subtopic addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) and its key features at a supranational level. The regime is referred to as ‘general’ since there are special regimes applicable to the processing of personal data in niche areas, such as law enforcement processing and processing by the intelligence services, that are unlikely to be relevant to most organisations. Individual EEA states may exercise a number of national derogations and other discretions to put in place various additional or alternative data protection laws and the various supervisory authorities in each state may

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Powered by Lexis+®
Latest EU Law News

EU adopts regulation streamlining financial services reporting requirements

The European Parliament and Council have adopted Regulation (EU) 2025/… of 8 October 2025 amending Regulations (EU) No 1092/2010, (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010, (EU) No 806/2014, (EU) 2021/523 and (EU) 2024/1620 regarding reporting requirements in financial services and investment support (otherwise known as the Better Data Sharing Regulation). The regulation introduces new information sharing obligations between EU financial authorities including the European Supervisory Authorities (ESAs), European Systemic Risk Board (ESRB), Single Resolution Board (SRB), European Central Bank (ECB) and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), implementing a 'report once' principle whereby authorities must request information from other authorities rather than directly from financial institutions where possible. The regulation requires European Supervisory Authorities (ESAs) to prepare a feasibility study for a cross-sectoral integrated reporting system within 60 months, establish a permanent single contact point for reporting duplicative requirements, and grants authorities discretionary powers to share anonymised information with researchers for innovation purposes. The regulation also changes InvestEU Programme reporting frequency from biannual to annual and mandates authorities to review and propose removal of redundant reporting requirements within 24 months.

View EU Law by content type :

Popular documents