On 25 May 2018, the European Data Protection Regulation (GDPR) came into force directly in all member states of the European Union after a two-year transition period. All companies and institutions had to adapt their business processes to the new legal requirements by the deadline. The GDPR Regulation "replaces the EU Data Protection Directive dating back to 1995 and provides contemporary answers to the advancing digitalization of the economy and society. With modern data protection at the European level, the GDPR offers solutions to questions raised by 'big data' and new techniques or types of data processing such as profiling, web tracking or cloud computing for the protection of privacy," according to the Federal Ministry for Economic Affairs and Energy.
The GDPR is aimed at anyone who handles personal data outside the purely private sphere (companies, associations, foundations). Companies and institutions must be able to prove at any time that they are in compliance with these data protection mandates. This also includes the obligation to appoint data protection officers in companies of ten or more permanent employees. If the GDPR is not complied with, companies may be subject to severe fines. The ePrivacy Directive should enter into force at the same time as the GDPR. However, this is still in limbo. The directive sees itself as an extension and concretization of the General Data Protection Regulation. The ePrivacy Regulation, also known colloquially as the "Cookie Directive", should regulate the data protection of electronic communications. This includes, among other things:
- Data processing and data storage
- Number suppression
- Direct mail
- Right to be forgotten
For many years, the EU member states were unable to reach a consensus; in addition, there was resistance from the business community. In February 2021, the EU states managed to agree on a position. However, there is no question that this regulation is coming. But it is still uncertain when the directive will actually come into force.