Law and the regulatory authority
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
Each EU member state must provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR, the Law Enforcement Directive, the PNR Directive, and the ePrivacy Directive.
Under the GDPR, the national authorities have the following investigative powers:
- to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
- to carry out investigations in the form of data protection audits;
- to carry out a review of certifications issued pursuant to article 42(7) of the GDPR;
- to notify the controller or the processor of an alleged infringement of this Regulation;
- to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or member state procedural law.
Under the Law Enforcement Directive, the national authorities have at least the investigative power to obtain from the controller and the processor access to all personal data that are being processed and to all information necessary for the performance of its tasks.
Under the PNR Directive, the national authorities have the following powers:
- deal with complaints lodged by any data subject, investigate the matter and inform the data subjects of the progress and the outcome of their complaints within a reasonable time period; and
- verify the lawfulness of the data processing, conduct investigations, inspections and audits in accordance with national law, either on its own initiative or on the basis of a complaint referred to in the previous point.
Under the ePrivacy Directive, the national authorities have the necessary investigative powers and resources, including the power to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to this Directive.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
National supervisory authorities are required to provide other data protection authorities (DPAs) with relevant information and mutual assistance in order to implement and apply the GDPR in a consistent manner (articles 57.1(g) and 61 GDPR). They must put in place measures for effective cooperation with other DPAs. Mutual assistance must cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.
Where processing affects data subjects in more than one EU member state (cross-border processing), the lead supervisory authority must cooperate with the other DPAs concerned (article 60 GDPR). The lead supervisory authority and the other supervisory authorities concerned must seek consensus, exchange all relevant information with each other, and follow the consistency mechanism outlined in article 63 of the GDPR if a disagreement arises.
The national supervisory authority must also conduct joint operations, including joint investigations and joint enforcement measures, in which members or staff of the other member states' DPAs are involved (article 62 GDPR). The competent DPA must invite the other member states' DPAs to take part in the joint operations and must respond without delay to a DPA request to participate.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Data breaches can lead to administrative sanctions under the GDPR. The national supervisory authority may impose administrative fines as set out in article 83 of the GDPR, including for breach-related infringements such as the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR), the obligation to notify personal data breaches to the competent DPA (article 33 GDPR) and the obligation to inform affected data subjects where the personal data breach is likely to result in a high risk to their rights and freedoms (article 34 GDPR). Administrative fines vary depending on the infringed GDPR provision, between €10 million or 2 per cent of global annual turnover and €20 million or 4 per cent of global annual turnover (article 83 GDPR).
Data breaches can also lead to corrective measures, including warnings, reprimands, temporary or definitive limitations (including a ban) on processing, suspension of data flows to a recipient in a third country, and an order to communicate a personal data breach to the data subject (article 58.2(e) GDPR).
Breaches are first handled through an investigation step, which starts upon notification of the breach by the controller, upon a complaint, or ex officio at the national supervisory authority's own initiative. The national supervisory authority may conduct on-site audits and request information or documents. After the investigation, the national supervisory authority issues a formal written decision, which may include a fine, an order to implement specific measures and, in serious cases, publication of the breach or sanction. For cross-border breaches, the national supervisory authority cooperates with other DPAs and, if a disagreement arises, the European Data Protection Board can issue a binding decision (articles 63 to 65 GDPR).
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Data protection rules apply to all sectors and types of organisation, whether in the private or public sector (a controller may be, within the meaning of the General Data Protection Regulation (GDPR), any natural or legal person, public authority, agency or another body), and whether the processing is operated by automated means or by non-automated means.
However, data protection rules do not apply to the processing of personal data by an individual in the course of a purely personal or household activity (article 2.2(c) GDPR).
The processing of personal data by competent authorities for the purposes of law enforcement and criminal justice is not covered by the GDPR but by the Law Enforcement Directive. The processing of personal data by EU institutions, bodies, offices and agencies is covered neither by the GDPR nor by national law, but by Regulation (EC) No 45/2001.
Interception of communications and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
Data protection rules cover those areas.
The ePrivacy Directive prohibits listening to, tapping, storing, or otherwise subjecting communications and related traffic data to interception or surveillance without the user's consent. Member states may adopt legislative measures to restrict the scope of these rights when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (ie, state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or unauthorised use of the electronic communication system.
The ePrivacy Directive also requires the prior consent of the user for the use of automated calling and communication systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing. Some exceptions apply.
Other laws
Are there any further laws or regulations that provide specific data protection rules for related areas?
In addition to the general data protection legislative framework indicated above, European Union law has several sector-specific laws and regulations that provide data protection rules in related areas. These include but are not limited to:
- Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) – NIS2 Directive comprises cybersecurity obligations for essential/important entities and includes personal data breach reporting and resilience measures;
- Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA) – DORA mandates ICT risk management for financial entities, including protection of personal data in outsourced digital services;
- Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act) – Regulation comprises rules applicable to high-risk AI systems processing personal data and includes transparency, data governance and human oversight requirements;
- Regulation (EU) 2025/327 of 11 February 2025 on the European Health Data Space (EHDS) – Regulation creates a framework for sharing and reusing health personal data (primary and secondary use), with strong data protection safeguards;
- Regulation (EU) 2022/868 of 30 May 2022 on European data governance (Data Governance Act) – Regulation governs data intermediaries, voluntary data altruism and the reuse of certain protected public-sector data, including personal data, with safeguards; and
- Regulation (EU) 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data (Data Act) – Regulation sets rules on access to and sharing of user-generated data, including personal data from IoT devices, under user control and with privacy compliance.
What categories and types of PI are covered by the law?
Almost all categories and types of personal data are covered by the law. Under the GDPR, the following types of data are notably excluded:
- data relating to legal persons (article 4(1) GDPR);
- personal data of deceased persons (Recital (27) GDPR);
- purely personal or household data (article 2.2(c) GDPR);
- anonymous data (Recital (26) GDPR); and
- non-personal information, in statistical and research data (Recital (26) GDPR).
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
The GDPR may have an extraterritorial effect. It applies to the processing of personal data of data subjects who are in the European Union even if the controller or processor is not established in the European Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the European Union.
The GDPR may also have an extraterritorial effect even where the processing activities are not related to those two situations; for example, a controller or processor may be deemed to have an 'establishment' in Luxembourg (and, therefore, be subject to its law) if it has there a real and effective activity — even a minimal one — exercised through stable arrangements (see Recital (22) GDPR).
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners', controllers' and processors' duties differ?
Almost all processing or use of personal data is covered, with the exception of processing activities carried out on types of data not covered by the law. In accordance with the GDPR, the law makes a distinction between those who control personal data (controllers) and those who provide processing services to owners (processors).
The 'controller' is any entity that, alone or jointly with others, determines the purposes and means of the processing of personal data (it decides on the 'why' and 'how'). The 'processor' is any entity which processes personal data on behalf of the controller based on a contract under EU or Luxembourg law.
Controllers' and processors' duties differ. Some examples include the following:
- The controller has a primary responsibility for legal compliance with the data protection rules. The processor must act on documented instructions from the controller.
- The controller must identify and document the processing legal basis. The processor does not need any independent lawful basis for its activity (it relies on the one identified by the controller).
- The controller must respond to the exercise of data subject rights. The processor must assist the controller in fulfilling those rights.
- The controller must notify the National Commission for Data Protection within 72 hours after having become aware of a data breach, and the data subjects if needed. The processor must notify the controller of the data breach without undue delay.