A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.
Between 2018 and 2022, there has been a significant increase in the level of awareness around the General Data Protection Regulation (GDPR) among European users. In 2018, when the GDPR was first applied, the United Kingdom had the highest level of awareness, with 32 percent of respondents agreeing or strongly agreeing with the statement: "I am aware of the new General Data Protection Regulation (GDPR) that will be introduced in May 2018". In 2022, the share of UK respondents agreeing with the statement increased to 73 percent. France had the lowest level of awareness in 2018, 20 percent, whereas in 2022 it reached 47 percent but remained the lowest among other European markets.
Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.
Ensuring GDPR Compliance At All Touch Points
The General Data Protection Regulation (GDPR) is a new updated version of the 1995 [95/46/EC] data protection directive legislation. It was enhanced to provide data subjects with more precise rights and security. On May 23, 2018, the European Parliament, the Council of the European Union (EU), and the European Commission as a whole worked together to create the new GDPR. The major goal of creating
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Exploiting the timing and territorial scope of the European Union’s General Data Protection Regulation (GDPR), this paper examines how privacy regulation shaped the financial performance of companies across 31 countries and 22 industries. Controlling for firm and country-industry-year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and after the enforcement of the GDPR in 2018. We find that enhanced data protection had the unintended consequence of harming the profitability of companies targeting European consumers, primarily through the cost channel. Digital technology firms exposed to the regulation experienced a 2.1% decline in profits, but not in sales. We bolster these findings by showing that the GDPR increased extra expenses, added to firms' wage bills, and accelerated patenting in GDPR-related technology fields.
This statistic shows the views as to whether general data protection regulation (GDPR) has been a good thing for European consumers. ** percent of the respondents agreed that GDPR has been a good thing for European consumers. This statistic addresses one of the biggest myths in the European tech ecosystem.
Since the entry into force of the General Data Protection Regulation (GDPR), on 25 May 2018, only digital processing of the most sensitive personal data must be subject to prior formalities with the CNIL. These formalities may take the form of simplified declarations (declarations of conformity with a reference framework proposed by the CNIL), requests for an opinion (for the sovereign activities of the State) or applications for authorisation (in the field of health). To find out more: cnil.fr. In accordance with the amended Data Protection Act (Article 36), the CNIL keeps available to the public the list of these formalities in an open and easily reusable format, known as “List article 36”.
Warnings:
1/ The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content.
2/ The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website.
3/ Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.
One out of two surveyed respondents representing Danish organizations stated in a survey that the new General Data Protection Regulations (GDPR) had been a burden on their business as of 2019. That was a drastic increase from the year before, when just *** out of three respondents stated so.
The Secretary of State for Health and Social Care, acting through the executive agency of the Department of Health and Social Care, Public Health England, has commissioned the provision of various services to support members of the public during the coronavirus (COVID-19) pandemic.
These services are part of the Pandemic and Health Emergency Response Services (PHERS) which supplements the response provided by primary care during pandemics and other health-related emergencies.
These documents explain how personal data is used, in line with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It includes information on the purpose and categories of data processed, and your rights if information about you is included.
Since the EU's implementation of the General Data Protection Regulation (GDPR) in May 2018, numerous fines have been issued for violations or non-compliance. Of these, the fine of 1.2 billion euros received by Meta Platforms, Inc. in May 2023 has been by far the greatest. The company was issued such a penalty for personal data transfers to the United States without sufficiently complying with the EU regulation.
List of personal data processing activities of the Government of Aragon that comply with data protection regulations (General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Royal Decree-Law 5/2018 of 27 July 2018 on urgent measures for the adaptation of Spanish law to European Union legislation on data protection).
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
The questionnaire has eight items looking at knowledge of GDPR and current practices of data protection. It was developed using the Survey Monkey platform and posted in Greek nutrition and dietetics groups on Facebook. Data were collected between 5th and 10th May 2018. Language used is Greek.
Results were presented on May 11th 2018 at the 12th Macedonian Congress of Nutrition and Dietetics as part of a roundtable to discuss the future of the dietetics profession in Greece.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Collection of definitions of terms in English, French, German, Italian and Spanish extracted from the following data-related European laws:
Whilst some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individuals' personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR.
The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:
A Data Protection Impact Assessment (DPIA) is one of the ways to find out what privacy risks people face when information is collected, used, stored, or shared about them. This helps the London Borough of Barnet find issues so that risks can be taken away or lowered to a level that is acceptable. It also cuts down on privacy breaches and complaints that could hurt the Council's reputation or lead to action by the Information Commissioner (the government watchdog). The London Borough of Barnet makes DPIAs public in line with its Data Charter and the 2018 Data Protection Act and UK GDPR.
https://datos.madrid.es/egob/catalogo/aviso-legal
This dataset collects the list of processing of personal data of the City of Madrid, in accordance with the European Data Protection Regulation (fully applicable from 25/05/2018). With the full application of Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation, on May 25, 2018, the obligation to notify the registration of files, both public or private, in the Register of Files of the Spanish Agency for Data Protection, without prejudice to the obligation to prepare and keep updated the Register of Treatment Activities. Information is incorporated from each processing of personal data including the person responsible, categories of interested parties and data, technical and organizational measures, legitimacy for the treatment and storage periods. You can also consult the information of this registry in PDF format ordered by Government Area and by treatment managers in each of them.
Open Government Licence 3.0 http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/
We neither confirm nor deny that we hold the information requested. We have the right to do this under section 40(5B) of the Freedom of Information Act. The below annex sets out the section in full. As we have not confirmed your identity, we cannot confirm whether or not we hold the requested information. Section 40 - Personal information (1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject. (2) Any information to which a request for information relates is also exempt information if - a. it constitutes personal data which does not fall within subsection (1), and b. the first, second or third condition below is satisfied. (3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act— would contravene any of the data protection principles, or would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded. (3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing). (4A) The third condition is that— on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section. (5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1). 
(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies— (a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—
As of January 2025, the European Union (EU) had three fully operating and one upcoming law regarding online privacy and the usage of digital technologies. The first one, the General Data Protection Regulation (GDPR), was enacted in May 2018. The second law became effective on February 17, 2024, and is called the Digital Services Act (DSA). In March 2024, another law protecting consumer privacy, the Digital Markets Act, was enacted. The latest regulation adopted by the European Union (EU) is called the Cyber Resilience Act (CRA), which became active in December 2024.
Licence Ouverte / Open Licence 1.0 https://www.etalab.gouv.fr/wp-content/uploads/2014/05/Open_Licence.pdf
The CNIL may sanction a data controller who has not taken the necessary measures to comply with the Data Protection Act and, from 25 May 2018, the General Data Protection Regulation (GDPR). The datasets presented concern the number of sanctions, pronounced by the restricted formation of the CNIL, notified each year since 2014 (and their breakdown by type of decision, which has evolved, hence the publication of data with the new typology of sanctions as of 2019). In addition to the distribution of this dataset, the content of the public sanctions is available on Legifrance. Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.
Licence Ouverte / Open Licence 1.0 https://www.etalab.gouv.fr/wp-content/uploads/2014/05/Open_Licence.pdf
The President of the CNIL may give formal notice to a data controller to take the necessary measures, within a period that it sets, to comply with the amended Data Protection Act and, from 25 May 2018, the General Data Protection Regulation (GDPR). The dataset presented concerns the number of formal notices notified each year since 2014 (and their public/non-public breakdown). In addition to the distribution of this dataset, the content of the public notices is available on Legifrance. Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.