
EU Data Protection Reform is expected to boost Digital Single Market and allow people to regain control over their personal data


The EU Data Protection Reform launched by the Commission in January 2012 is nearing completion, as agreement has been reached with the European Parliament and Council on the Commission’s proposals.
The reform is twofold, consisting of the General Data Protection Regulation (“GDPR”) expected to be adopted this spring, and the Data Protection Directive for the police and criminal justice sector (“Directive”).
The General Data Protection Regulation updates and modernizes the current EU legislation on data protection (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”), which has been in place since 1995, when many of today’s challenges for data protection arising from the rapid development of the internet and related online services did not yet exist.
Data protection safeguards will now be built into products and services from the earliest stage of development (“data protection by design”), while privacy-friendly default settings will be the norm, for instance on social networks and mobile apps (“data protection by default”).
At the same time, the GDPR focuses on strengthening individuals’ rights and allowing them to regain control over their personal data. In this respect, the introduction of a clarified “right to be forgotten”[1], together with the right to data portability[2] and easier access to one’s own personal data, clearly stands out.
Furthermore, it is worth mentioning that the GDPR recognizes that children deserve specific protection of their personal data and as such benefit from a clearer right to be forgotten.
As far as information society services offered directly to a child are concerned, the GDPR provides that the holder of the parental responsibility over the child should consent to the processing of the child’s data. The respective age threshold ranges between 13 and 16 years and is up to the Member States to define. In case of preventive or counseling services offered directly to a child, no such consent is required.
In addition, the GDPR establishes one single set of modernized and unified rules across the EU, which will simplify doing business therein and stimulate economic growth by reducing costs for European businesses, especially for small and medium enterprises (SMEs). Thus, undertakings will be able to fully seize the opportunities of the Digital Single Market.
It is important to note that the GDPR will also apply to organizations based outside the EU when they offer goods or services in the EU, which until now have been subject to lower standards than EU-based ones. In this way, the GDPR creates a level playing field.
The Data Protection Directive for the police and criminal justice sector is conceived to be a key element of the development of the EU’s area of freedom, security and justice and a building block of the EU Agenda on Security.
On the one hand, it ensures protection of the personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects, by establishing a comprehensive framework of rules to achieve a high level of data protection based on the principles of necessity, proportionality and legality. Everyone’s personal data should be processed lawfully, fairly and only for a specific purpose.
On the other hand, it facilitates a smoother exchange of information between Member States’ police and judicial authorities, promoting cooperation in the fight primarily against terrorism in Europe. Thus, it not only increases the efficiency of criminal law enforcement but also creates conditions for more effective crime prevention.
The Directive replaces Framework Decision 2008/977/JHA, which previously governed data processing by police and judicial authorities.
For more information on the EU Data Protection Reform you may visit the website:

[1] The right to be forgotten "reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them." It has been defined as "the right to silence on past events in life that are no longer occurring.  (

[2] Transfer of data between service providers.

Athens, April 2016
Avramopoulos & Partners 

For further information please contact:
Barbara Angelopoulou
Junior Partner
Avramopoulos & Partners Law Firm
Tel.: +30 210 6912200
Fax: +30 210 6911211
Important Note: The information contained in this newsletter is provided for your information only and should not be regarded as legal advice.