August 02, 2018

New EU data protection regulation

The EU General Data Protection Regulation (GDPR) went into effect throughout the EU on 25 May 2018. Pursuant to Article 3(1), GDPR applies to the processing of personally identifiable information in the course of activities of a branch of anyone who is responsible for maintaining such information or contracted to process such information in the European Union, regardless of whether processing of the information takes place in the European Union or not.

Furthermore, parties responsible for processing of personally identifiable information and those contracted to process such information outside the EU are subject to the principle of Market place location” or lex loci solutionis as from 25 May 2018. As a result, the regulation is applicable whenever an offer is targeted to a specific national market in the EU as well as to data processing activities that monitor the behaviour of persons in the EU. The regulation also applies to non-European companies operating in the European market. A previous regulation stating that personally identifiable information may not be processed unless there is legal legitimate interest or consent (prohibited unless authorised) remains in effect under GDPR. Examples of legal basis for lawful processing according to Art. 6 GDPR:

  • the data subject has given his or her consent to the processing of his or her personal data for one or more specific reasons;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of his or her personal data, in particular where the data subject is a child or minor.


Kristina Fink

Arbeitsrecht, Datenschutz, Europarecht

Kristina Fink