Privacy and Data Protection based on the GDPR - Leo Besemer
1.1.1.8 General Data Protection Regulation (EU) 2016/679
After years of discussion, the GDPR was published on 25 May 2016. The GDPR applies as law in all countries of the EEA as of 25 May 2018. At the same time Directive 95/46/EC is repealed. This means that all national law based on this directive is replaced by the GDPR:
References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by (the GDPR).
GDPR Article 94(2)
Article 94 makes clear that, even when Member States need more time to update national law that somehow complements law based on Directive 95/46/EC, there can be no confusion on which law applies. As an EU regulation, the GDPR takes precedence.
As mentioned before, the principles described in Article 5 of the GDPR are not new. They were already expressed by the Council of Europe in Convention 108 as early as 1981, and again in the “Data Protection Directive” 95/46/EC. The definition of processing, the need for a legitimate purpose for processing and most of the other requirements of the GDPR were also requirements of Directive 95/46/EC, so processes to meet these requirements should have been in place in businesses and organizations for over twenty years.
Following the adoption of the GDPR by the European Parliament and the European Council in April 2016, and its subsequent publication in the Official Journal of the European Union, there was initially little reaction, except for some careful written analysis from large legal firms, setting out the most important changes in legal English (usually with an invitation to hire them for a more detailed and bespoke solution). However, about a year before the new regulation would come into force and after newspapers had given it considerable attention, a storm of protest arose. Reports claimed that companies and organizations would not be able to become compliant within the two-year period before the regulation would apply. In addition, “horrendous fines” would cripple companies and lead to bankruptcy all over Europe. And, worst of all, the legal text was unclear and left a lot of issues open for debate, according to both lawyers and laymen. This opposition, however, calmed soon after the European Data Protection Board (EDPB) published a stream of publications explaining the details, many of which were updated versions of earlier publications of the Working Party according to Article 29 of Directive 95/46/EC (WP29).