Annexes to COM(2016)214 - Communication to the EP concerning the Council's position on the General Data Protection Regulation

Please note

This page contains a limited version of this dossier in the EU Monitor.

agreement reached between the European Parliament and the Council in informal trilogues on 15 December 2015, subsequently endorsed by the Council on 8 April 2016.

The Commission supports this agreement since it is in keeping with the objectives of the Commission proposal.

The agreement maintains the nature of the legal instrument as proposed by the Commission, namely a Regulation as opposed to a Directive which would then require transposition into 28 national legal systems. It also ensure the necessary level of harmonisation while leaving a room of maneouvre for Member States as regards the specifications of the data protection rules for the public sector.

The Council position confirm the Commission approach as regards the territorial scope of the Regulation which will also apply to controllers or processors established in a third country if they offer goods or services or monitor the behaviour of data subejcts in the Union.

The agreement, in keeping with the Commission approach, strengthens the principles of data processing (e.g. data minimisation) and the rights of data subjects by enshrining a right to be forgotten and a right to portability and by further developping existing rights such as the right to information or the right of access.

The agreement also preserves and further develops the risk-based approach already present in the Commission proposal and which requires that controllers and, in some cases the processors, to take into account the nature, scope, context and purposes of processing and the risks of varrying likelihood and severity for the rights and freedoms of the data subject of such processing. Moreover, the agreement reached on the "one-stop-shop" mechanism is legally and institutionally sound, and brings significant added value for companies and data subjects. The mechanism will rely on the principle of the "best placed authority" to take the decision and it will focus only on cases with an important cross-border dimension. The outcome in Council maintains the key simplification element of having a single decision across the EU and a single interlocutor for business and for the individual.

The agreement also further clarifies and specifies the rules on international transfers as regards, for example, the criteria to be taken into account for assessing the level of protection in a third country or the instruments that can provide for appropriate safeguards for international transfers.

The Council position empowers supervisory authorities to impose financial sanctions for infringements of the Regulation, going up to 2 - 4% of the global annual turnover of an undertaking.

Finally, the Council position contrary to the Commission proposal does not consider the Regulation as a development of the Schengen acquis. Therefore, the Commission considers that a statement in this regard is necessary.

4. Conclusion

The Commission supports the results of the inter-institutional negotiations and can therefore accept the Council's position at first reading.

5. Statement by the Commission - Schengen relevance of the Regulation

"The Commission regrets the change to its initial proposal through the deletion of recitals 136, 137 and 138 related to the Schengen acquis. The Commission considers that in particular as visas, border control and return are concerned, the General Data Protection Regulation constitutes a development of the Schengen acquis for the four States associated with the implementation, application and development of said acquis."

(1) Directive 95/46/EC on the protection of individuals with regard to the protection of personal data and on the free movement on such data, OJ L 281, 23.11.1995, p. 31.