In the European Union, Article 8 of the EU Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union guarantee the protection of personal data.

From the Data Protection Directive to the General Data Protection Regulation

The EU adopted its Data Protection Directive 95/46/EC as early as 1995. Germany implemented the Directive through its Federal Data Protection Act (Bundesdatenschutzgesetz), the data protection laws of the federal states and numerous detailed data protection provisions in legislation on specific subjects. However, not all of the EU member states implemented or interpreted the Data Protection Directive the same way in their national legislation, so improvement was needed.

In order to harmonise and update EU data protection law, the European Parliament and the Council of the European Union adopted the General Data Protection Regulation (Regulation (EU) 2016/679) on 27 April 2016. The Regulation has applied directly in all EU member states since 25 May 2018.

The General Data Protection Regulation (GDPR) gives data subjects and the data protection supervisory authorities more rights and provides for large fines if data protection rules are violated. The European Data Protection Board was created to ensure that the law is applied consistently to data processing that involves more than one country.

At the same time, this EU data protection legislation is designed to promote the free movement of personal data within the European Union. Business activities too are conducted on the basis of harmonised EU data protection law.