Data protection and its long-awaited reform

Published on 18 Jun, 2018

At European level, Directive 95/45 regulated data protection. But it goes without saying that the data processing environment has completely changed since then: the evolution and use of the Internet alone, and the emergence of social networks, smartphones, online banking and data storage in the cloud, have had a strong impact in recent years.


Hence the necessity for the Commission to reform data protection legislation. After four years of discussions, the complete overhaul of the data protection regime was finally voted through in April 2016 and will be implemented 2 years after its publication in the Official Journal, i.e. from 20 May 2018. The controllers concerned therefore have another year to comply.


The objective of this reform is to give users back the right to their personal data, to establish a high and harmonised level of data protection and to prepare the EU for the digital age.


The main changes are:

  • Explicit agreement: unless legally required for processing, the data subject must have consented to the processing of his or her personal data for one or more specific purposes. The data subject has the right to withdraw his or her consent at any time.


  • Limitation and minimisation of data: the data are limited to what is necessary for the purposes for which they are processed; the controller must guarantee their accuracy; and their storage will also be limited.


  • The controller is required to provide the person with all information concerning the processing in a precise, transparent, easily accessible and, above all, understandable manner, i.e. in clear and simple terms.


  • The data subject has a right of access to the data, either to receive all the information related to the processing (purposes, recipients, storage period, …) or to request rectification, limitation of processing, erasure or portability of the data.


  • At the request of the data subject, the controller must provide the data subject with the information requested within one month.


  • In order to comply as effectively as possible with legal obligations, controllers are required to keep a register of processing activities which includes not only a description of the data processed, but also all information relating to the processing.


  • The controller must collaborate with the authorities to ensure protection. In particular, the controller is obliged to notify any personal data breach to both the authority and the data subject.


  • Under certain conditions, the controller must even appoint a Data Protection Officer to advise him or her on all data protection issues.

There is a need to raise awareness and prepare for the implementation of the new data protection regulations.