European Union Privacy Laws

Breach Notification
  Mandated Timeframe: Within 72 hours

Fines & Penalties
  Violations: Up to 4% of annual global turnover or €20 M

REGULATION LEVELS

  Level scale: Minimal / Basic / Comprehensive / Extensive
  Rated categories: Breach Reporting, Consumer Notifications, Vendor Management, Vendor Contract Required

LAWS RELATED TO PERSONAL INFORMATION

Regulated Breach Reporting
  • Breach Reporting Requirements
  • Consumer Notification Requirements
  • Vendor Notification of Breach

Vendor Requirements
  • Vendor Specific Obligations
  • Vendor Mandated Contracts

Privacy Program Requirements
  • Protection/Security
  • Employee Training
  • Vendor Protection/Security Program
  • Personal Information Protection
  • Data Disposal of Personal Information

Quick Facts

European Union Privacy Law Information

  • General Data Protection Regulation (GDPR)

    The General Data Protection Regulation (GDPR) is a comprehensive regulation designed to address most aspects of personal data processing within the European Union. It imposes obligations on any organisation that targets, or collects data relating to, people in the European Union, wherever that organisation is based.

  • Privacy Program

    Member States are encouraged to establish their own country-specific codes of conduct. If your business is located in, and/or handles personal data from individuals in, one or more Member States, you may have additional requirements with which you must comply. Controllers and Processors (unless exempt) must maintain an extensive log of all data processing activities.

  • Consent Requirements

    At the time personal data are obtained, Controllers must inform the data subject of the existence of the processing operation and its purposes, including how the consumer can exercise their rights.

  • Vendor Contracts

    Controllers must contract with Processors who process personal data on behalf of the Controller. The contract must be in writing, including in electronic form. The Controller's expectations of the Processor should be communicated clearly and included in the contract with the Processor. Controllers must only contract with Processors who have in place appropriate protections and security for personal data, equal to the level of protection and security required of Controllers.

  • Vendor/Third Parties

    Processors must only process personal data at the specific direction of Controllers. Processors must ensure that their employees who have access to and process personal data are aware of, and abide by, the Controllers' contractual requirements for the processing of personal data. Processors must assess the risks associated with the processing of personal data, to ensure proper safeguards are in place to prevent unauthorised destruction, loss, alteration, or disclosure of, or access to, the personal data. Processors must assist Controllers with any obligations for completing data protection impact assessments and comply with any guidance given by a supervisory authority following consultation. Processors ...

  • Fines & Penalties

    Organisations face fines, penalties, orders and/or sanctions as a result of violating GDPR requirements.
