The General Data Protection regulation finalized | KPMG | BE


The final text of the General Data Protection Regulation (hereafter “GDPR”) was adopted on 14 April 2016 by the European Parliament and shall - as already indicated in a previous edition of this newsletter - replace the Data Protection Directive 95/46/EC.




The GDPR was published on 4 May 2016 in the Official Journal of the European Union. The Regulation entered into force on 24 May 2016, with a transition period of 2 years, meaning that the regulation will apply as from 25 May 2018.

The new rules of the GDPR will help to stimulate the Digital Single Market in the EU by creating trust and legal certainty in the online environment. It is clear that the GDPR establishes a modern and harmonized data protection framework strengthening the rights of EU citizens. As the new rules are set out in a regulation, the GDPR will be directly applicable in every member state of the European Union, without having to be implemented in national legislation.

This communication summarizes some of the most important new rules adopted in the GDPR:

  • The GDPR states that the consent of the data subject (being “any information relating to an identified or identifiable natural person”) for the processing of its personal data must be freely given, specific, informed and unambiguous.

  • The GDPR introduces the obligation to appoint a Data Protection Officer (DPO) if certain thresholds are reached. For all public authorities and organizations whose core activities require (1) a regular and systematic monitoring of data subjects “on a large scale”, or where the entity conducts (2) large scale processing of special categories of data or criminal records, a DPO must be appointed.

  • The GDPR also imposes significant direct obligations upon the processors (such as taking appropriate technical and organizational measures to protect the processing of personal data, notifying the controller of data breaches, etc.).

  • The GDPR strengthens the rights of the data subjects (such as the right to be forgotten).

  • The GDPR introduces two new concepts: “data protection by design” and “data protection by default”.

  • The GDPR introduces the “one-stop shop” for a company which has establishments in several countries of the European Union.

  • Data controllers and processors who are located outside the European Union can also fall within the scope of the GDPR under certain conditions.

It must be clear that companies should start preparing by adjusting their policies and their internal and external procedures for data security breaches, and by taking into account the new rights of the data subjects. Furthermore, it will be necessary for a company to analyze its current privacy policy, security measures, and underlying operational processes. Companies will need to identify areas for which process improvements are necessary to ensure compliance with the new legislation.

In conclusion, the GDPR seeks to improve the protection of data subjects by introducing more obligations for controllers and for processors.


FS Regulatory Newsletter



Tim Fransen
K law *
Tel.: +32(0)27083682
E-mail: Tim Fransen


* K law, an independent law firm, forms a cost association with KPMG Tax & Legal Advisers
