New legislation on the personal data protection

On 25 May 2018 new Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data (hereinafter as the “GDPR”), which replaces and harmonizes the current legislation, will be fully enforceable in the member states of the European Union (hereinafter as the “EU”). The current legislation on the personal data protection based on the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 is not implemented alike in all EU countries and after more than 20 years of existence, it no longer satisfies the present needs of the society. Below, we are bringing to your attention an overview of the most important changes which the GDPR is introducing.


In comparison to the current legislation, the GDPR will have a broader territorial scope and will not be applied only to the controllers and processors that are processing personal data within the scope of their business activities in the EU, however, in some circumstances also to the controllers and processors that are not established in EU but are processing the personal data of persons, who are in the EU.

Right to be forgotten

In case the legal requirements are met (e.g. the personal data are no longer necessary in relation to the purpose of data processing, the data subject withdraws the consent or the personal data are unlawfully processed) the controller will be obliged, upon request of the data subject, to erase his/her personal data without undue delay.

Data protection officer

Public authority or body and selected controllers will be required to designate a data protection officer responsible for the processing of personal data.

Notification of a personal data breach

The controllers and processors will be obliged to notify the supervisory authority about a personal data breach without undue delay (within 72 hours at the latest). In case the breach of personal data is likely to result in a high risk to the rights and freedoms of data subjects, the controller and processor will be obliged to communicate the breach also to the data subject.

Administrative simplification

The GDPR is moving away from the registration and notification obligations and is replacing them with the obligation to maintain a record of processing activities. This obligation, however, will not be applicable to a businesses or organizations employing less than 250 persons, unless there is the risk, that the processing is likely to result in a risk to data subjects´ rights and freedoms, the processing is frequent or the special categories of personal data or personal data related to criminal convictions and offences will be processed.

One-stop-shop principle

In order to monitor the compliance with the GDPR, every member state will be obliged to establish an independent supervisory authority. The supervisory authorities of all member states will be promoting the harmonized application of the GDPR and will be cooperating with each other. Large companies with the establishments in several EU countries will be required to follow only the decisions of one supervisory authority (usually according to a seat of main establishment), so the decisions will not be issued separately for each establishment by a separate supervisory authority.