EU GDPR regime

EU GDPR regime

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This subtopic addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) and its key features at a supranational level. The regime is referred to as ‘general’ since there are special regimes applicable to the processing of personal data in niche areas, such as law enforcement processing and processing by the intelligence services, that are unlikely to be relevant to most organisations. Individual EEA states may exercise a number of national derogations and other discretions to put in place various additional or alternative data protection laws and the various supervisory authorities in each state may

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

European Commission releases December 2025 infringement package

The European Commission has published the December 2025 infringement package, which sets out the EU Member States the Commission is taking action against for failing to comply with their obligations under EU law. The December 2025 package includes letters of formal notice, reasoned opinions, and Court of Justice referrals issued to Belgium, Bulgaria, Czechia, Cyprus, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Austria and others across a range of policy areas, including environmental protection (water, waste, air quality, nature), public procurement, services, free movement, firearms, media freedom, child protection, energy and climate, taxation, customs, transport, financial services and competition.

Zalando loses its challenge against EU DSA VLOP designation

TMT analysis: On 3 September 2025, the General Court of the European Union delivered the first major judicial interpretation of Regulation (EU) 2022/2065, the EU Digital Services Act (EU DSA) in its dismissal of Zalando’s challenge against its designation as a ‘very large online platform’ (VLOP) under the EU DSA. Zalando’s argument had focussed on the fact that its e-commerce platform is a hybrid service, via which the Berlin-based fashion retailer sells its own products (not an activity regulated by the EU DSA), as well as allowing third-party partners to market products (an activity that is in-scope of the EU DSA). Zalando argued that this means that users who use the platform only to buy directly from Zalando, and not to engage with listings by third-party partners, should not be counted when assessing whether the platform meets the EU DSA’s user number threshold to qualify as a VLOP. This case has captured widespread attention, not only due to its impact on Zalando but also because the decision affects how all in-scope hybrid platform providers should count, and report on, their user numbers, and how likely such providers are to qualify as VLOPs. Written by Catherine O’Callaghan of Slaughter and May.

EU Law weekly highlights—11 December 2025

This week's edition of EU Law weekly highlights includes analyses on the impact of a Court of Justice ruling on operators of online marketplaces and their EU GDPR obligations, the Advocate General’s opinion on trade mark invalidity when marks are of such a nature as to deceive the public, the Court of Justice judgment on eligibility of utilitarian objects for copyright protection, the Digital Omnibus and key considerations for the life sciences sector, and questions from Member States on the planned delay for EU AI Act. In addition this week, the European Commission adopted a financial services market integration package, published the Environmental Simplification Omnibus, the European Grids Package and Energy Highways initiative, launched a public consultation on revising EU rules addressing unfair trading practices in business-to-business relationships within the agricultural and food supply chain, the Council of the EU and European Parliament reached provisional agreements to significantly narrow the scope of EU sustainability reporting and due diligence rules, as well to amend the EU Deforestation Regulation and the European Climate Law, the European Data Protection Board adopted recommendations clarifying the legal basis for requiring user account creation on e-commerce websites, the EIOPA launched consultations and published guidance as part of the Solvency II review and the Commission unveiled its Quality Jobs Roadmap, a strategic plan to ensure high-quality, future-proof employment across the EU.