GDPR - What are the benefits for citizens?

The data protection reform package which entered into force in May 2016 and will be applicable as of May 2018 includes the General Data Protection Regulation (GDPR) and the Data Protection Directive for the police and criminal justice sector.


The data protection reform package which entered into force in May 2016 and will be applicable as of May 2018 includes the General Data Protection Regulation (GDPR) and the Data Protection Directive for the police and criminal justice sector.

What are the benefits for citizens?

The reform provides tools for gaining control of one's personal data, the protection of which is a fundamental right in the European Union. The data protection reform will strengthen citizens' rights and build trust.

Nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and seven out of ten worry about the potential use that companies may make of the information disclosed. The new rules address these concerns through:

A "right to be forgotten": When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.

Easier access to one's data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.

The right to know when one's data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.

Data protection by design and by default: ‘Data protection by design' and ‘Data protection by default' are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.

Right to be forgotten: How will it work?

Already the current Directive gives individuals the possibility to have their data deleted, in particular when the data is no longer necessary. For example, if an individual has given her or his consent to processing for a specific purpose (such as display on a social networking site) and does not want this service anymore, then there is no reason to keep the data in the system.

In particular, when children have made data about themselves accessible – often without fully understanding the consequences – they must not be stuck with the consequences of that choice for the rest of their lives.

This does not mean that on each request of an individual all his personal data are to be deleted at once and forever. If, for example, the retention of the data is necessary for the performance of a contract, or for compliance with a legal obligation, the data can be kept as long as necessary for that purpose.

The proposed provisions on the "right to be forgotten" are very clear: freedom of expression, as well as historical and scientific research are safeguarded. For example, no politician will be able to have their earlier remarks deleted from the web. This will thus allow, inter alia, news websites to continue operating on the basis of the same principles.

Is there specific protection for children?

Yes, the Regulation recognises that children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data.

When it comes to information society services offered directly to a child, the Regulation foresees that consent for processing the data of a child must be given or authorised by the holder of the parental responsibility over the child. The age threshold is for Member States to define within a range of 13 to 16 years.

The aim of this specific provision aims at protecting children from being pressured to share personal data without fully realising the consequences. It will not to stop teenagers from using the Internet to get information, advice, education etc. Moreover, the Regulation specifies that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

For more information, please visit: Questions and Answers – General Data Protection Regulation

Source: European Commission