A survey conducted in April and May 2023 revealed that around 55 percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further 45 percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

As of January 2025, The European Union (EU) had three fully operating and one upcoming law regarding online privacy and the usage of digital technologies. The first one, the General Data Protection Regulation (GDPR), was enacted in May 2018. The second law became effective on February 17, 2024, and is called the Digital Services Act (DSA). In March 2024, another law protecting consumer privacy, the Digital Markets Act, was enacted. The latest regulation adopted by the European Union (EU) is called the Cyber Resilience Act (CRA), which became active in December 2024.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.

The General Data Protection Regulation (GDPR) provides, since 25 May 2018, for the mandatory designation of a Data Protection Officer (DPO) in public services and, under certain conditions, by companies and associations.

The delegate — also known as the Data Protection Officer (DPO) — is responsible for ensuring GDPR compliance with the processing of personal data of the body that designated him or her. Internal or external, the delegate may also be appointed on behalf of several bodies.

To ensure the effectiveness of his/her tasks, the delegate shall:

— must have specific professional qualities and knowledge; — must benefit from material and organisational resources, resources and positioning enabling it to carry out its tasks effectively and independently.

To learn more about the role of delegate: https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees.

In accordance with the applicable texts, the CNIL shall publish in an open and easily reusable format the name and professional contact details of the bodies that have appointed a Data Protection Officer, as well as the means of contacting the Data Protection Officer.

** Warning 1:** The published data, including the public contact details of delegates, are extracted from the designations of delegates as received by the CNIL via its dedicated teleservice. Any delegate may request the modification of the contact details published directly to the CNIL’s Data Protection Officers Service.

** Warning 2:** Any re-use of published data which would have the nature of personal data (telephone number, e-mail address, etc.) presupposes, on the part of the re-user, verification of the full fulfilment of his/her obligations under the GDPR, in particular in terms of informing the delegates concerned and respecting their other rights as defined by the European Regulation. Otherwise, the re-user would in particular be exposed to the penalties provided for in the GDPR.

Prior to the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, any digital file or device recording personal data must, prior to its implementation, be declared to the CNIL (except, in particular, designation of a correspondent IT and Liberties by the organisation concerned or exemption from declaration decided by the CNIL).

This statement, often simplified, made it possible to raise awareness of the file manager’s legal obligations. It took the form of a request for advice or an authorisation request for the most sensitive files.

In accordance with the amended Data Protection Act, the CNIL keeps available to the public a list of these declarations prior to the entry into application of the GDPR, in an open and easily reusable format.

** Warning 1**: the published data do not concern the formalities completed as of 25 May 2018, the date of application of the GDPR.

** Warning 2**: the data made available are those declared to the CNIL by the bodies that have completed the formalities. The CNIL cannot be held responsible for their content.

Contracts concluded between the Controller and the Processor pursuant to Act No. 18/2018 Coll. and General Data Protection Regulation — GDPR

Between 2018 and 2022, there has been a significant increase in the level of awareness around the General Data Protection Regulation (GDPR) among European users. In 2018, when the GDPR was first applied, the United Kingdom had the highest level of awareness, with 32 percent of respondents agreeing or strongly agreeing with the statement: "I am aware of the new General Data Protection Regulation (GDPR) that will be introduced in May 2018". In 2022, the share of UK respondents agreeing with the statement increased to 73 percent. France had the lowest level of awareness in 2018, 20 percent, whereas in 2022 it reached 47 percent but remained the lowest among other European markets.

A Data Protection Impact Assessment (DPIA) pre-screen is a shortened version of the full DPIA and is used to determine if the full assessment is needed. It should be carried out before any new data processing starts (or if the processing is already happening, before a change that will involve a high risk to individuals starts). In many cases the pre-screen is sufficient to assess and manage any risks and a full assessment is not required. Like full DPIAs, these are published in accordance with the Council's Data Charter and also the GDPR/Data Protection Act 2018.”

Collection of definitions of terms in English, French, German, Italian and Spanish extracted from the following data-related European laws:

1. Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE)

2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

3. Commission Recommendation (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information

4. Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (Text with EEA relevance)

5. Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (Text with EEA relevance)

6. Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast) (Open Data Directive)

7. Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)

8. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)

9. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)

10. Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 laying down a list of specific high-value datasets and the arrangements for their publication and re-use (Text with EEA relevance)

11. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)

12. Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act)

13. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) Text with EEA relevance.

A data protection impact assessment (DPIA) is a process to identify privacy risks to individuals in the collection, use, storing, and disclosure of information. This allows Camden to identify problems so that risks can be removed or reduced to acceptable levels. It also reduces privacy breaches and complaints which can damage the Council’s reputation or enforcement action against it by the Information Commissioner (the regulator). We publish these as a dataset in accordance with the Council's Data Charter and also the GDPR/Data Protection Act 2018.

** Warnings:** 1/The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content. 2/The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website. 3/Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.

Since the EU's implementation of the General Data Protection Regulation (GDPR) in May 2018, numerous fines have been issued for violations or non-compliance. Of these, the fine of 1.2 billion euros received by Meta Platforms, Inc. in May 2023 has been by far the greatest. The company was issued such a penalty for personal data transfers to the United States without sufficiently complying with the EU regulation.

Collection of definitions of terms in English, French, German, Italian and Spanish extracted from the following data-related European laws:

Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Commission Recommendation (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (Text with EEA relevance)

Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (Text with EEA relevance)

Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast) (Open Data Directive)

Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013 (Text with EEA relevance)

Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)

Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 laying down a list of specific high-value datasets and the arrangements for their publication and re-use (Text with EEA relevance)

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)

Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act)

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) Text with EEA relevance.

Number of occasions on which public interest information has been disclosed to a responsible officer under the Public Interest Disclosure Act 2018.

These data are part of NACJD's Fast Track Release and are distributed as they were received from the data depositor. The files have been zipped by NACJD for release, but not checked or processed except for the removal of direct identifiers. Users should refer to the accompanying readme file for a brief description of the files available with this collection and consult the investigator(s) if further information is needed. This study includes data that was used to investigate the effect of legislative and judicial factors on system responses to sex trafficking of minors (STM) in metropolitan and non-metropolitan communities. To accomplish this, researchers evaluated the effectiveness of the immunity, protection, and rehabilitative elements of a state safe harbor law. This project was undertaken as a response to a growing push to pass state safe harbor laws to align governmental and community responses to the reframing of the issue of sex trafficking of minors that was ushered in with the passage of the Trafficking Victims Protection Act (TVPA). This collection includes 4 SPSS files, 3 Excel data files, and 2 SPSS Syntax files: Child-Welfare-Human-Trafficking-Reports-2013-2017-data.xlsx Judicial-Interview-De-identified-Quantitative-Data-for-NACJD_REV_Oct2018.sav (n=82; 36 variables) Judicial-online-survey-data-for-NACJD_REV_Dec2018.sav (n=55; 77 variables) Juvenile-Justice-Screening-for-HT-2015-MU-MU-0009.xlsx Post-implementation-survey-data-for-NACJD_REV_Dec2018.sav (n=365; 1029 variables) Pre-implementation-survey-data-for-NACJD_REV_Dec2018.sav (n=323; 159 variables) Recode-syntax-for-pre-implementation-survey-for-NACJD.sps Statewide-juvenile-court-charges-2015-MU-MU-0009-to-NACJD.xlsx Syntax-for-post-implementation-survey-data-to-NACJD.sps Qualitative data from judicial interviews and agency open-ended responses to Post-Implementation of the Safe Harbor Law Survey are not available as part of this collection.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Ireland has reported the highest amount of fines issued for violation of the EU regulation, with over 2.8 billion euros. Luxembourg ranked second, with around 746 million euros, while France followed, issuing 371.82 million euros of fines for GDPR violations.

This set of data, collects the list of processing of personal data of the City of Madrid, in accordance with the European Data Protection Regulation (fully applicable from 25/05/2018) With the full application of Regulation (EU) 2016/679 of the European Parliament and of the Council , General Data Protection Regulation , on May 25, 2018, the obligation to notify the registration of files, both public or private, in the Register of Files of the Spanish Agency for Data Protection, without prejudice to the obligation to prepare and keep updated the Register of Treatment Activities. Information is incorporated from each processing of personal data including the person responsible, categories of interested parties and data, technical and organizational measures, legitimacy for the treatment and storage periods. You can also consult the information of this registry in PDF format ordered by Government Area and by treatment managers in each of them.

Annual report to Parliament summarizing the Office of the Superintendent of Financial Institution’s administration of the Privacy Act

As of February 2025, the European Union (EU) has introduced or proposed around 21 laws or amendments covering data privacy. The first and the most comprehensive such regulation was approved in 2016 and fully enforced in May 2018. The most recent law regulating data privacy, with the usage of AI, was the EU AI Act, fully enforced since August 2024.

Annual report on Invest in Canada’s administration of the Privacy Act