The European Union’s General Data Protection Regulation

  • The General Data Protection Regulation (GDPR) is a regulation that harmonizes national data privacy laws throughout the EU and enhances the protection of all EU residents with respect to their personal data.
  • This harmonization creates new rights for individuals and a set of stronger and clearer rules for businesses.
  • The GDPR applies to all companies handling the personal data of EU residents, including companies established outside the EU if they offer goods or services to EU residents or monitor their behaviour.
  • The GDPR entered into force on May 25, 2018.

What’s new with the GDPR?

  • Updated definition of personal data: Location data and online identifiers are now expressly included in the definition of personal data.
  • Comprehensive record-keeping obligation: Records are used to demonstrate compliance.
  • Stricter definition of consent: Specific, informed and unambiguous consent must be freely given by a statement or by clear affirmative action. Individuals can withdraw their consent at any time.
  • New rights for individuals: Individuals have the right to access, transfer, correct and restrict their personal data and to ask that it be destroyed.
  • New requirement to appoint a data protection officer: Companies processing personal data on a large scale must appoint a data protection officer.
  • New data breach notification requirement: Competent supervisory authorities within the EU must generally be informed within 72 hours of a personal data breach.
  • Diversified toolkit of mechanisms: A toolkit of mechanisms is provided for lawfully transferring data outside the EU; such transfers are subject to specific conditions and safeguards.
  • Penalties for non-compliance: Companies may be subject to fines of up to 4% of global annual turnover or €20 million, whichever is higher.

The level of obligations varies depending on the size and activities of the company, on the sensitivity of personal data and on its use. Certain exemptions may also apply.

What can organizations do?

  • Seek further information on the GDPR.
  • Evaluate your business activities and use of personal data to determine whether the GDPR applies to you.
  • Discuss with your data protection officer or seek legal advice on whether the GDPR applies to you and what you need to do.
  • If the GDPR applies to you, take the necessary measures to be compliant.

What about Canada’s adequacy decision by the EU?

  • In 2001, the EU recognized Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as providing adequate protection.
  • Canada’s adequacy status ensures that data processed in accordance with the GDPR can be subsequently transferred from the EU to Canada without requiring additional data protection safeguards (for example, standard contractual rules) or authorization to transfer the data.
  • The GDPR provides for the continuity of existing EU adequacy decisions, including Canada’s.

Useful Resources


Other documents produced by the Trade Commissioner Service (TCS)