Law: General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The European Data Protection Supervisor ('EDPS') is the European Union's (EU) data protection authority and monitors privacy within EU institutions and bodies. The European Data Protection Board ('EDPB') is an independent European body composed of representatives of the national data protection authorities and the EDPS.

Summary: The GDPR was approved on 24 May 2016 and became applicable in the EU Member States from 25 May 2018. It has since inspired several other privacy laws around the world. The GDPR lays down rules relating to the processing of personal data aimed at protecting natural persons, as well as provisions on the free movement of personal data. The GDPR, although a European regulation, has a broad scope of application that imposes direct statutory obligations on data processors and can affect controllers established outside the EU.

The EU has also established further pieces of legislation with substantive importance within the Digital Single Market. In particular, the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') regulates the processing of personal data and the protection of privacy in the electronic communications sector, with specific reference to, among other things, the regulation of unsolicited communications and cookies and similar technologies. Furthermore, the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive') establishes measures to achieve a high level of network and information systems security within the EU. Importantly, the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published on 27 December 2022, and will repeal the NIS Directive as of 18 October 2024.


The European Data Protection Board (EDPB) adopted a final version of its Guidelines 04/2022 on the calculation of fines under the GDPR (the Guidelines). The Guidelines are intended to complement Working Paper 253, which deals with the circumstances for deciding whether and how to impose a fine. Following public consultation, an annex was added with a reference table summarizing the methodology and featuring two examples of practical application. It is important to note that the table and examples are for illustration purposes only and have to be read in conjunction with the Guidelines.

Thorsten Ihler and Melanie Ludolph, from Fieldfisher, discuss five steps for the calculation of fines, explore the Guidelines' impact, and discuss potential challenges arising for companies.

The last year has seen significant advances in the use of chatbots, exemplified by the ChatGPT service developed by OpenAI. The service is underpinned by both a language model and a knowledge base. The language model allows it to generate text by predicting which string of words is most likely to follow on from a user prompt. Peter Church, Counsel at Linklaters LLP, discusses how chatbots can be used, their relationship with legislation, and the issues both developers and users may encounter.

In this Insight article, Tim Van Canneyt and Eliot Sanam, from Fieldfisher, analyze the groundbreaking electronic evidence (e-evidence) package, delving into its implications for streamlining cross-border e-evidence collection. They examine the changes this legislative framework brings to the realm of online law enforcement.

At the beginning of this year, the World Economic Forum Annual Meeting at Davos applauded the growth in artificial intelligence (AI), particularly generative AI. Against the backdrop of the world's biggest challenges, reports from Davos suggested that world leaders and business executives were cautiously optimistic for 2023. Reports have persisted throughout this year, with commentary lauding support for AI tech, while others point to a potential "" bubble brewing. Time will unveil the answer. In the meantime, decisions regarding fintech and digital transformation point to an overarching mindset - investing in AI, with care.

In this Insight article, Rory O'Keeffe, Partner at Matheson LLP, will take you on a short journey through AI and Fintech, discussing their advantages and risks, focusing in particular on what the future holds for Ireland in this area.

In this Insight article, Brian McElligott and Conor Califf, from Mason Hayes & Curran LLP, explore the risks and safeguards when engaging vendors in the EU for AI-powered services, covering data security, legal compliance, transparency, child data processing, the EU AI Act, and intellectual property concerns. Understanding these dynamics is crucial for businesses in the evolving AI landscape, ensuring responsible and compliant vendor partnerships.

In this Insight article, Colin Lambertus and Neil Williamson, from EM Law, delve into the complexities and legal implications of data scraping, a practice gaining renewed attention in the age of artificial intelligence (AI) and widespread web-based information. They explore the interplay between data protection, intellectual property rights, the General Data Protection Regulation (GDPR), and recent legislative and case law developments.

Representing a significant portion of the digital advertising landscape, Interactive Advertising Bureau (IAB) Europe established the Transparency and Consent Framework (TCF). The TCF aims to strike a balance: ensuring businesses can continue to deliver tailored digital experiences while upholding the users' fundamental right to data protection and privacy. Pedro Vidigal Monteiro, Partner at Telles de Abreu e Associados - Sociedade de Advogados, SP, RL, offers an in-depth look into the vital components of the TCF, illuminating its foundational principles, overall scope, and the notion of user consent.

Artificial intelligence (AI) is everywhere - in translation or navigation services, in software for the monitoring of an assembly line, or in CV screening tools. The EU has been negotiating the world's first attempt to comprehensively regulate AI for 18 months. On June 14, 2023, the European Parliament voted overwhelmingly in favor of the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the draft AI Act). Dr. Jessica Jacobi, Partner at KLIEMT.Arbeitsrecht Partnership of Lawyers Ltd., outlines what European employers should consider in light of the draft AI Act.

Part one of this Insight article series on cookie banners looked at how the use of reject all buttons is regulated at an EU level, and across France, Spain, and Germany. In this Insight, OneTrust DataGuidance has consulted with legal experts to explore the use of reject all buttons across Belgium, Ireland, and the UK.

When will companies face fines for data breaches? Recently, opinions of Advocates General at the Court of Justice of the European Union (CJEU) were published in two landmark cases on the imposition of fines under the EU's General Data Protection Regulation (GDPR). According to the opinions, data protection authorities (DPAs) should not be able to impose fines on companies regardless of fault. Data protection fines can be imposed directly on companies. However, this would require proof of an intentional or negligent act by an employee.

Valentino Halim, Senior Associate at WilmerHale, unpacks the recent Advocate General opinions in two landmark cases on GDPR fines before the CJEU, providing insight into key practical implications.

In this report, OneTrust DataGuidance and Edwards, Kenny & Bray LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The report, which was last updated in July 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of PIPEDA with the GDPR. 

As the digital economy continues to expand globally and the legal regimes of data protection vary in different jurisdictions, multinational companies carrying out cross-border data transfer activities face challenges in complying with multi-jurisdictional data protection regulations. In this context, those relatively flexible approaches for cross-border data transfers with less regulatory involvement will become important instruments for multinational companies seeking to navigate the legal landscape.

In this Insight article, Dora Luo (Duoqun), Partner at Hunton Andrews Kurth LLP, examines the similarities and differences between the Standard Contract for Cross-border Transfer of Personal Information (the Standard Contract) under the Personal Information Protection Law (PIPL) and the Standard Contractual Clauses (SCCs) under the General Data Protection Regulation (GDPR), with a particular focus on requirements, steps that must be taken before their use, circumstances that may require revision, and general comments.