Earlier this month, we reported the progress of trilogue discussions on the long-awaited General Data Protection Regulation (GDPR). On 15 December 2015, almost four years after the legislative proposal was originally tabled by the European Commission, the European Parliament and the Council finally reached agreement, bringing the GDPR one step closer to adoption.
The final trilogue negotiations, which concluded on 15 December 2015, saw a “strong compromise” reached between the European Council, Parliament and Commission. The GDPR will be formally adopted by the European Parliament and Council at the beginning of 2016, and organisations will then have two years to ensure that their data practices are compliant. Some headline provisions of the agreed text are:
- Companies can be fined up to 4% of their annual turnover for data protection breaches
- Companies based outside Europe will be subject to the regulation if they offer goods and services in Europe
- Companies processing sensitive personal data must appoint a data protection officer
- Companies will only have to deal with a single supervisory authority