GDPR – General Data Protection Regulation

Handbook on European data protection law



How to use this handbook

This handbook outlines the legal standards relating to data protection set by the European Union (EU) and the Council of Europe (CoE). It is designed to assist practitioners not specialised in the feld of data protection, including lawyers, judges and other legal practitioners, as well as individuals working for other bodies, such as non-governmental organisations (NGOs), who may be confronted with legal questions relating to data protection.
The handbook serves as a first point of reference on relevant EU law and the European Convention on Human Rights (ECHR), as well as the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and other CoE instruments.
Each chapter begins with a table that identifes the legal provisions relevant to the topics dealt with in the specifc chapter. The tables cover both CoE and EU law, and include selected case law of the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU). The relevant laws of the two different
European orders, as they apply to the specifc topics addressed, are then presented in sequence. This allows the reader to see where the two legal systems converge and where they differ. It should also help readers fnd the key information relating to their situation, especially if they are subject only to CoE law. In some chapters, where this helps the concise presentation of the content, the order of the topics in the tables may differ slightly from that within the chapter itself. The handbook also provides a brief overview of the United Nations framework.
Practitioners in non-EU states that are member states of the CoE and parties to the ECHR and Convention 108 can access the information relevant to their own country by going straight to the sections on the CoE. Practitioners in non-EU states must also bear in mind that, since the adoption of the EU General Data Protection Regulation, EU data protection rules apply to organisations and other entities that are not established in the EU, if they process personal data and offer goods and services to data subjects in the Union or monitor the behaviour of such data subjects.
Practitioners in EU Member States will need to consult both sections, as these states are bound by both legal orders. It should be noted that the reforms and modernisation of data protection rules in Europe, undertaken both in the framework of the Council of Europe (Modernised Convention 108 as amended by Protocol 
CETS No. 223) and of the EU (adoption of the General Data Protection Regulation and of Directive 2016/680/EU), were carried out in parallel. Regulators in both legal systems have taken utmost care to ensure consistency and compatibility between
the two legal frameworks. The reforms have thus brought greater harmonisation between CoE and EU data protection law. For individuals who need more information on a particular issue, a list of more specialised material can be found in the ‘Further reading’ section. For information regarding the provisions of Convention 108
and its additional Protocol of 2001, which continue to apply until the entry into force of the amending Protocol, readers should refer to the 2014 edition of the handbook.
CoE law is presented through short references to selected ECtHR cases. These have been chosen from the large number of ECtHR judgments and decisions that exist on data protection issues.
Relevant EU law comprises legislative measures that have been adopted, relevant provisions of the treaties and the Charter of Fundamental Rights of the European Union, as interpreted in the case law of the CJEU. In addition, the handbook presents opinions and guidelines adopted by the Article 29 Working Party, the advisory body tasked under the Data Protection Directive with providing expert advice to EU Member States, and that will be superseded by the European Data Protection Board (EDPB) from 25 May 2018 onwards. Opinions of the European Data Protection
Supervisor also provide important insights into the interpretation of EU law and so are included in this handbook.
The cases described or cited in this handbook provide examples of an important body of both ECtHR and CJEU case law. The guidelines at the end of the handbook aim to assist readers in searching case law online. The CJEU case law presented relates to the former Data Protection Directive. However, the CJEU’s interpretations remain applicable to the corresponding rights and obligations established by the General Data Protection Regulation.
In addition, practical illustrations with hypothetical scenarios are provided in textboxes with a blue background. These further illustrate the application of European data protection rules in practice, particularly where no specifcally relevant ECtHR or CJEU case law exists. Other textboxes – with a grey background – provide examples
taken from sources other than ECtHR and CJEU case law, such as legislation and opinions issued by the Article 29 Working Party.

The handbook begins with a brief description of the role of the two legal systems as established by the ECHR and EU law (
Chapter 1). Chapters 2 to 10 cover the following issues:
• data protection terminology;
• key principles of European data protection law;
• rules of European data protection law;
• independent supervision;
• data subjects’ rights and their enforcement;
• cross-border transfers and flows of personal data;
• data protection in the context of police and criminal justice;
• other European data protection rules in specifc areas;
• modern challenges in personal data protection.





The manuscript for this handbook was completed in April 2018.
Updates will become available in future on the FRA website at, the Council of
Europe website at, on the European Court of Human Rights website under
the Case Law menu at, and on the European Data Protection Supervisor website at
Photo credit (cover & inside): © iStockphoto
© European Union Agency for Fundamental Rights and Council of Europe, 2018
Reproduction is authorised, provided the source is acknowledged.
For any use or reproduction of photos or other material that is not under the European Union
Agency for Fundamental Rights/Council of Europe copyright, permission must be sought directly
from the copyright holders.
Neither the European Union Agency for Fundamental Rights/Council of Europe nor any person
acting on behalf of the European Union Agency for Fundamental Rights/Council of Europe is
responsible for the use that might be made of the following information.