A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.

The European Union implemented data privacy laws in mid-2018 and the state of California enacted a similar law several weeks later. These regulations affect medical data collection and analysis. It is unclear if they achieve this goal in the realm of clinical trials. Here we investigate the effect of these laws on clinical trials through analysis of clinical trials recorded on the US's ClinicalTrials.gov, the World Health Organization's International Clinical Trials Registry Platform and scientific papers describing clinical trials. Our findings show that the number of phase 1 and 2 trials in countries not adhering to these data privacy laws rose significantly after implementation of these laws. The largest rise occurred in countries which are less free, as indicated by the negative correlation (−0.48, p = 0.008) between the civil liberties freedom score of countries and the increase in the number of trials. This trend was not observed in countries adhering to data privacy laws nor in the paper publication record. The rise was larger (and statistically significant) among industry funded trials and interventional trials. Thus, the implementation of data privacy laws is associated a change in the location of clinical trials, which are currently executed more often in countries where people have fewer protections for their data.

Questions about GDPR? Ecommerce managers everywhere are wondering how their online business will be affected by the General Data Protection Regulation. It is set to become law in the European Union (EU) on May 25, 2018. But your business isn’t headquartered in the EU? GDPR requirements will govern the way you interact with EU customers […]

Between 2018 and 2022, there has been a significant increase in the level of awareness around the General Data Protection Regulation (GDPR) among European users. In 2018, when the GDPR was first applied, the United Kingdom had the highest level of awareness, with 32 percent of respondents agreeing or strongly agreeing with the statement: "I am aware of the new General Data Protection Regulation (GDPR) that will be introduced in May 2018". In 2022, the share of UK respondents agreeing with the statement increased to 73 percent. France had the lowest level of awareness in 2018, 20 percent, whereas in 2022 it reached 47 percent but remained the lowest among other European markets.

Abstract

The General Data Protection Regulation (GDPR) stands as one of the most significant legal frameworks for data protection and privacy in recent years. Enforced by the European Union (EU) since May 2018, the GDPR has garnered global attention due to its wide-reaching impact on businesses, organizations, and individuals, transcending geographical boundaries. While initially conceived to safeguard the data rights of EU citizens, its influence extends far beyond EU member states… See the full description on the dataset page: https://huggingface.co/datasets/AndreaSimeri/GDPR.

Introduction

GDPR Statistics: ​In 2024, enforcement of the General Data Protection Regulation (GDPR) intensified across Europe, resulting in significant financial penalties for non-compliance. The Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn for processing personal data without a proper legal basis.

Similarly, Uber faced a €290 million penalty from the Dutch Data Protection Authority for unlawfully transferring European drivers' personal data to the United States. Meta Platforms Ireland Limited was fined €251 million by the Irish DPC due to a 2018 data breach affecting millions of user accounts. Collectively, GDPR fines in 2024 totaled approximately €1.2 billion, marking a 33% decrease from the previous year.

Since the regulation's inception in 2018, cumulative fines have reached €5.88 billion. These figures underscore the ongoing commitment of European authorities to uphold data privacy standards and the substantial financial risks organizations face for non-compliance.

The General Data Protection Regulation (GDPR) provides, since 25 May 2018, for the mandatory designation of a Data Protection Officer (DPO) in public services and, under certain conditions, by companies and associations.

The delegate — also known as the Data Protection Officer (DPO) — is responsible for ensuring GDPR compliance with the processing of personal data of the body that designated him or her. Internal or external, the delegate may also be appointed on behalf of several bodies.

To ensure the effectiveness of his/her tasks, the delegate shall:

— must have specific professional qualities and knowledge; — must benefit from material and organisational resources, resources and positioning enabling it to carry out its tasks effectively and independently.

To learn more about the role of delegate: https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees.

In accordance with the applicable texts, the CNIL shall publish in an open and easily reusable format the name and professional contact details of the bodies that have appointed a Data Protection Officer, as well as the means of contacting the Data Protection Officer.

** Warning 1:** The published data, including the public contact details of delegates, are extracted from the designations of delegates as received by the CNIL via its dedicated teleservice. Any delegate may request the modification of the contact details published directly to the CNIL’s Data Protection Officers Service.

** Warning 2:** Any re-use of published data which would have the nature of personal data (telephone number, e-mail address, etc.) presupposes, on the part of the re-user, verification of the full fulfilment of his/her obligations under the GDPR, in particular in terms of informing the delegates concerned and respecting their other rights as defined by the European Regulation. Otherwise, the re-user would in particular be exposed to the penalties provided for in the GDPR.

Exploiting the timing and territorial scope of the European Union’s General Data Protection Regulation (GDPR), this paper examines how privacy regulation shaped the financial performance of companies across 31 countries and 22 industries. Con- trolling for firm and country-industry-year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and af- ter the enforcement of the GDPR in 2018. We find that enhanced data protection had the unintended consequence of harming the profitability of companies targeting European consumers, primarily through the cost channel. Digital technology firms exposed to the regulation experienced a 2.1% decline in profits, but not in sales. We bolster these findings by showing that the GDPR increased extra expenses, added to firms wage bills, and accelerated patenting in GDPR-related technology fields.

Contracts concluded between the Controller and the Processor pursuant to Act No. 18/2018 Coll. and General Data Protection Regulation — GDPR

Since the entry into force of the General Data Protection Regulation (GDPR), on 25 May 2018, only digital processing of the most sensitive personal data must be subject to prior formalities with the CNIL.

These formalities may take the form of simplified declarations (declarations of conformity with a reference framework proposed by the CNIL), requests for an opinion (for the sovereign activities of the State) or applications for authorisation (in the field of health). To find out more: cnil.fr.

In accordance with the amended Data Protection Act (Article 36), the CNIL keeps available to the public the list of these formalities in an open and easily reusable format, known as “List article 36”.

** Warnings:**

1/The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content.

2/The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website.

3/Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.

One out of two surveyed respondents representing Danish organizations stated in a survey that the new General Data Protection Regulations (GDPR) had been a burden on their business as of 2019. That was a drastic increase from the year before, when just one out of three respondents stated so.

The goal of this study was to measure the attitudes towards data sharing and data-collecting organizations before and after the introduction of the EU General Data Protection regulations (GDPR) among people in Germany. The data come from a three-wave split-panel web survey among people 18 years and older in Germany who were recruited from a German nonprobability online panel. In April 2018 (before the GDPR came into effect), 2,095 participants completed the Wave 1 questionnaire on device ownership, social media use, trust in different data collecting organizations, willingness to share data, general trust, awareness of and knowledge about the GDPR, and privacy concerns. In July and in October 2018 (after the GDPR came into effect), respondents from the earlier waves were invited to participate in a second and a third web survey that repeated most of the questions from the first wave. In addition to participants from the earlier waves, fresh respondents were also invited to Waves 2 and 3. A total of 2,046 (Wave 2) and 2,117 (Wave 3) respondents completed the questionnaire in the subsequent waves. 1,269 participated in all three waves.

Topics:

Wave 1

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password at selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Bundesamt für Statistik, Universitätsforscher) with regard to the protection of personal data and reasons for this assessment; probability scale with regard to the protection of personal data at the above-mentioned institutions and reasons for this assessment; agreement with the import of personal data of the social insurance institutions to the survey data; general personal trust; awareness of the EU General Data Protection regulations (GDPR) ; knowledge test: goals of the GDPR (open); feeling of invaded privacy by the following institutions: Google, Facebook, government agencies, university researchers; general privacy concerns.

Wave 2

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password with selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Federal Statistical Office, university researchers) with regard to the protection of personal data; general personal trust; awareness of the EU General Data Protection regulations (GDPR); knowledge test: goals of the GDPR (open); consent to the storage of various personal data by Facebook or Google (name, e-mail address, home address, date of birth, telephone number, income, marital status, number of children, current location, Internet browser history, account names from other social media and data received from third parties); feeling of invasion of privacy by the following institutions: Google, Facebook, government agencies, university researchers; general privacy concerns.

Wave 3

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password at selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Federal Statistical Office, university researchers) with regard to the protection of personal data; general personal trust; awareness of the EU General Data Protection regulations (GDPR); knowledge test: goals of the GDPR (open); concerns about privacy in general; comprehensibility of excerpts of the contents of the EU General Data Protection regulations (GDPR) (resp. on passenger rights in the event of denied boarding and flight delays); estimated popularity of smartphones (proportion of smartphone owners per 100 adult Germans); repetition of the question on trust data collecting organisations (Google, Facebook) with regard to the protection of personal data and general personal trust; readiness for data exchange by Google (or Facebook or the Federal Statistical Office) for research purposes (or for commercial purposes).

Demography: sex; age (year of birth); federal state; school education; professional qualification.

Additionally coded was: running number; respondent ID; experimental groups GDPR Info; duration (reaction time in seconds); used device type to complete the questionnaire.

The questionnaire also included two experiments, one on the effect of GDPR-related information on trust in data collecting organisations and one on the comfort of data shar...

List of personal data processing activities of the Government of Aragon that comply with data protection regulations (General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Royal Decree-Law 5/2018 of 27 July 2018 on urgent measures for the adaptation of Spanish law to European Union legislation on data protection).

Collection of definitions of terms in English, French, German, Italian and Spanish extracted from the following data-related European laws:

1. Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE)

2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

3. Commission Recommendation (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information

4. Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (Text with EEA relevance)

5. Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (Text with EEA relevance)

6. Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast) (Open Data Directive)

7. Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013 (Text with EEA relevance)

8. Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)

9. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)

10. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)

11. Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 laying down a list of specific high-value datasets and the arrangements for their publication and re-use (Text with EEA relevance)

12. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)

13. Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act)

14. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) Text with EEA relevance.

15. Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)

Prior to the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, the Data Protection Correspondent (CIL) was responsible for ensuring compliance with the Data Protection Act within the company, group, association or administration that had designated it.

This designation was optional.

The CNIL publishes the list of private and public bodies that wished to engage in a compliance process by designating a CIL prior to the establishment, by the GDPR, of the DPO.

This set of data, collects the list of processing of personal data of the City of Madrid, in accordance with the European Data Protection Regulation (fully applicable from 25/05/2018) With the full application of Regulation (EU) 2016/679 of the European Parliament and of the Council , General Data Protection Regulation , on May 25, 2018, the obligation to notify the registration of files, both public or private, in the Register of Files of the Spanish Agency for Data Protection, without prejudice to the obligation to prepare and keep updated the Register of Treatment Activities. Information is incorporated from each processing of personal data including the person responsible, categories of interested parties and data, technical and organizational measures, legitimacy for the treatment and storage periods. You can also consult the information of this registry in PDF format ordered by Government Area and by treatment managers in each of them.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Ireland has reported the highest amount of fines issued for violation of the regulation, over **** billion euros. Luxembourg ranked second, with around *** million euros, while France followed, issuing ****** million euros of fines for GDPR violations.

As of January 2025, The European Union (EU) had three fully operating and one upcoming law regarding online privacy and the usage of digital technologies. The first one, the General Data Protection Regulation (GDPR), was enacted in May 2018. The second law became effective on February 17, 2024, and is called the Digital Services Act (DSA). In March 2024, another law protecting consumer privacy, the Digital Markets Act, was enacted. The latest regulation adopted by the European Union (EU) is called the Cyber Resilience Act (CRA), which became active in December 2024.

The CNIL may sanction a data controller who has not taken the necessary measures to comply with the Data Protection Act and, from 25 May 2018, the General Data Protection Regulation (GDPR). The datasets presented concern the number of sanctions, pronounced by the restricted formation of the CNIL, notified each year since 2014 (and their breakdown by type of decision, which has evolved hence the publication of data with the new typology of sanctions as of 2019). In addition to the distribution of this game, the content of the public sanctions is available on Legifrance. Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.