The General Data Protection Regulations‭ (‬GDPR‭) ‬effective as of 25‭ ‬May 2018

The General Data Protection Regulations (GDPR) regulates the way businesses process and manage personal data. Effective as of 25 May 2018 and applicable to all businesses and organizations, it constitutes the biggest change to the EU’s data protection rules in over 20 years.

Not only does the GDPR give citizens more control over how their personal data is used, it also significantly streamlines the regulatory environment for businesses. The GDPR represents a new opportunity for businesses to improve personal data management and subsequently increase consumer trust in their business.

Who does the GDPR apply to?

The GDPR applies to any company processes and hold personal data of data subjects residing in the European Union, regardless of the company’s location. Even if the company processes data on behalf of other companies, it still needs to abide by the rules.

What are the benefits for businesses?

The reform provides clarity and consistency of the rules to be applied, and restores trust of consumer, thus allowing undertakings to seize fully the opportunities in the Digital Single Market. The data protection reform package helps the Digital Single Market realize this potential through:

One Union, one law: a single set of rules makes it simpler and cheaper for companies to do business in the EU

One-stop-shop: Companies will only have to deal with one single supervisory authority.

The same rules for all companies – regardless of where they are established: companies based outside of Europe have to apply the same rules when they offer goods or services on the EU market. This creates a level playing field.

Risk-based approach: the GDPR avoids a burdensome, one-size-fits-all obligation and instead tailors obligations to the respective risks.

Rules fit for innovation: the GDPR is Technology neutral.

How does the GDPR help reduce costs?

The GDPR aims to remove administrative requirements in order to reduce costs and minimize the administrative burden:

No more prior notifications: the reform scraps most prior notifications to supervisory authorities, along with their associated costs.

Data Protection Officers: companies mainly need to appoint a Data Protection Officer (DPO) if their core activities involve processing sensitive data on a large scale or involve the large-scale, regular and systematic monitoring of individuals. Public administrations have an obligation to appoint a DPO.

Data Protection Impact Assessments: companies are only obliged to carry out a Data Protection Impact Assessment if a proposed data processing activity involves a high risk to the rights and freedoms of individuals.

Record keeping: companies with less than 250 employees are not required to keep records unless the data processing is not incidental or involves sensitive information.

What penalties will there be for businesses if they break the new data protection rules?

The General Data Protection Regulation establishes a range of tools for enforcing the new rules, including penalties and fines. When it comes to deciding on an appropriate fine, each case will be carefully assessed and a range of factors will be taken into account:

  • the gravity/ duration of the violation;
  • the number of data subjects affected and level of damage suffered by them;
  • the intentional character of the infringement;
  • any actions taken to mitigate the damage;
  • the degree of co-operation with the supervisory authority.

The regulation sets two ceilings for fines if the rules are not respected. The first ceiling sets fines up to a maximum of €10 million or, in case of an undertaking, up to 2% of worldwide annual turnover. The higher ceiling of fines reaches up to a maximum of €20 million or 4% of worldwide annual turnover. Fines are adjusted according to the circumstances of each individual case.

Tin298_p15a Tin298_p15b Tin298_p15c


For more information and details regarding‭ ‬General Data Protection Regulation”,‭ ‬please visit the website at‭:‬

For more tips on investing and trading in the EU‭, ‬please contact the Business Cooperation Centre of Enterprise Europe Network Central China‭ – ‬Macao Office‭ (‬EENCC Macao Office‭) ‬at Tel‭: ‬2871‭ ‬3338‭, ‬2872‭ ‬7882‭/‬Fax‭: ‬2871‭ ‬3339‭/‬Email‭: ‬