New Personal Data Protection Regulation

Date: 8 Jan. 2016


The European Commission, the European Parliament and the European Council have reached an agreement on the new General Data Protection Regulation. The Regulation is expected to be formally adopted at the beginning of 2016 and will come into effect two years thereafter.

The new General Data Protection Regulation will, inter alia, involve:

  • Much larger fines for breaches – up to EUR 20 million or 4 % of global turnover,
  • Obligation to appoint a Data Protection Officer for larger companies,
  • Intensified rules and increased requirements, including, inter alia, increased information on how data is processed and a commitment to “forget” (permanently erase) all information concerning a person upon request,
  • Notification to the national supervisory authority of a serious breach (for example if an individual’s information has been hacked) within 72 hours, and
  • Development of compliance program/regulation for larger companies.

All companies processing personal data – whether they are data controllers or only process data on behalf of others (data processors) – will be covered by the regulation. Companies established outside the EU will also be covered if they offer services in the EU and thus process personal data of EU citizens.

The overall objective is to ensure individuals’ control over their personal data. The General Data Protection Regulation is also intended to stimulate economic growth and, particularly for SMEs, to reduce the administrative burdens and costs for European businesses.

For groups of companies and companies that operate across the EU, the new regulation also entails that the organization only needs to deal with one set of rules and one supervisory authority (instead of 28 as of today), and they will compete on a level playing field (in relation to data protection) with companies established outside the EU.

Also, the current application and notification requirements will, in general, disappear completely. There can, however, continue to be national rules, for example Denmark’s obligation to notify the processing of personal data as part of the administration of personnel.

We encourage all businesses to start the implementation of the necessary changes.

Moalem Weitemeyer Bendtsen has extensive experience in data protection, and would be pleased to assist in formulating compliance programs, reviewing existing processes and generally preparing to meet the new rules. If you have any questions or would like additional information regarding the above, please contact Partner Pernille Nørkær or Partner Signe Renée West.

The above does not constitute legal counselling and Moalem Weitemeyer Bendtsen does not warrant the accuracy of the information. With the above text, Moalem Weitemeyer Bendtsen has not assumed responsibility of any kind as a consequence of any reader’s use of the above as a basis for decisions or considerations.