EU GDPR regime

EU GDPR regime

The General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) regime became applicable across the EEA (which at the time included the UK) on 25 May 2018. The EU GDPR ceased to apply to the UK on 31 December 2020 at 11 pm.

This subtopic addresses key features of the EU GDPR at a supranational (ie EEA) level. Individual EEA states may exercise a number of national derogations and other discretions to put in place various additional or alternative data protection laws and the various supervisory authorities in each state may adopt different interpretation or approaches in practice. This topic does not consider the position under the laws of specific EEA states or the guidance of specific EEA supervisory authorities. You should refer to guidance from the relevant national supervisory authorities and national law regarding

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

ICO concludes oversight of MoD's Afghan relocation data breach investigation

The Information Commissioner's Office (ICO) has announced the conclusion of its oversight of the Ministry of Defence's (MoD) internal investigation into a 2022 data breach affecting over 18,000 Afghan relocation applicants. The ICO confirmed the MoD's compliance with legal requirements by reporting the breach within the mandatory 72-hour timeframe after discovery in August 2023. Following review of the MoD's investigation and remedial actions, the ICO has determined that no further regulatory action is required, while maintaining the right to revisit this decision if new information emerges.

Information Law weekly highlights—17 July 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

High Court discharges MOD super-injunction on Afghan data breach after independent review

The High Court has discharged a super-injunction that previously prohibited disclosure of a significant data breach involving Afghan relocation applicants. This breach, which occurred in early 2022, entailed the unauthorized release of personal information and contact details for over 33,000 individuals who had applied for relocation to the UK following the Taliban takeover in 2021.

EDPB and EDPS issue joint opinion on proposed GDPR record-keeping amendments

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) released a Joint Opinion on 9 July 2025 regarding the European Commission's proposed GDPR amendments. The proposal would extend the record-keeping derogation under Article 30(5) to organisations with fewer than 750 employees, up from the current 250-employee threshold. The amendments also introduce formal definitions for Small and Medium-sized Enterprises (SMEs) and Small Mid-cap Companies (SMCs) in Article 4, while extending codes of conduct and certification provisions to SMCs. The regulators requested clarification on the 750-employee threshold and emphasised that public authorities should remain excluded from the derogation.

View Information Law by content type :

News