Talk:General Data Protection Regulation

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Summary needs work[edit]

The current summary (shown below) does not seem appropriate.

"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

While it may seem like a general description of the regulation it is in fact a description from 2012 which was referenced in this article. Please update the summary to reflect the regulation as it was passed. — Preceding unsigned comment added by (talk) 16:21, 23 October 2017 (UTC)

Right to Rectification[edit]

The entire section of law relating to right of rectification is missing from the article.

UK Legislation mentioned in summary[edit]

I am removing the following text, which is not appropriate to the summary section of an article on the EU GDPR (Even if it might make sense in a section on effects of Brexit on the GDPR, or in an article on English, Scottish or Northern Irish Data Protection law, it's not particularly relevant to the GDPR itself).

The UK Data Protection Bill will update data protection laws for the digital age and was introduced to the House of Lords on 13 September 2017. Until then the UK will be subject to the GDPR. The Data Protection Bill is primarily based on the GDPR.

Also, it's not true - at least not as currently written (I believe intermediate edits have mangled the sense somewhat). The UK will presumably be subject to the GDPR, along with the rest of EU law, until 2 years after the UK's Article 50 notice to leave the EU (possibly longer depending on the nature of any regulatory equivalence which may be negotiated). - Paul (talk) 17:10, 8 December 2017 (UTC)

'Personally Identifiable Information (PII)' vs. 'Personal data'[edit]

In the summary ...

[...] the regulation contains provisions and requirements pertaining to the processing of personally identifiable information (personal data) of individuals (formally called data subjects in the GDPR) inside the European Union[...]

To some, "personally identifiable information" (PII) will have a specific meaning, particularly with regard to the US legal definition. Reading the personally identifiable information page itself makes this distinction a bit clearer. The GDPR definition of "personal data" is broader in scope than that of PII.

While the term is sometimes used ubiquitously to refer to a broad range of personal information (granted that a search on Wiki for "personal data" will redirect to the PII page) I think in this context it is better sense to refer solely to "personal data", here in the summary and anywhere else on the page — in particular because the scope of the GDPR does have an impact on firms in the US who might have EU customers. Views?

+1, and very much so. The PII page itself states multiple times that "personal data" is (substantially) wider than PII; hence, the two cannot and should never be used as meaning the same thing. --User:Haraldmmueller 10:34, 11 September 2018 (UTC)
Very true, Haraldmmueller. ♫ RichardWeiss talk contribs 12:23, 11 September 2018 (UTC)
Ok, I have made that change. (talk) 11:04, 12 September 2018 (UTC)

No longer a proposal[edit]

The section "Content" starts with "The proposal for the European Data Protection ..." But for 18 months, this has not been a proposal, but a regulation (or "law", if you want). So this should be changed, shouldn't it? --User:Haraldmmueller 13:38, 25 November 2017 (UTC)

 Done This is indeed the case[1], therefore I will change it. Droogstoppel (talk) 20:55, 12 December 2017 (UTC)


Data is plural[edit]

The word data is the plural of datum. Throughout this article data has been used as a singular noun. However the English version of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, i.e. the General Data Protection Regulation, to which the article refers, correctly differentiates singular from plural. FussyBSM (talk) 03:24, 31 January 2018 (UTC)

Umm, no. See Data (word) - data in this sense is an uncountable mass noun. It is perfectly proper to write "data is available" and not the awkward-sounding "data are available". Wikipedia does not duplicate the writing style of EU regulations, but writes encyclopedia articles. Mauls (talk) 19:25, 25 February 2018 (UTC)
One of the signs of a word being fully assimilated - people argue over whether it should comply with source language usage, formal English or colloquial English. Jackiespeel (talk) 15:52, 16 May 2018 (UTC)
"Data are available" sounds perfectly normal to me. "Data is available" seems like a reference to the Star Trek character or merchandise thereof ("Data is available as either a 6 inch or 12 inch action figure.") --Khajidha (talk) 15:53, 26 May 2018 (UTC)
Data is plural. ♫ RichardWeiss talk contribs 05:21, 14 June 2018 (UTC)

You can unscramble the hashes of humanity's 5 billion email addresses in ten milliseconds for $0.0069[edit]

Given that many companies are using hashed emails as a way to comply with GDPR, this seems important to point out


John Cummings (talk) 07:43, 10 April 2018 (UTC)

Could companies not salt the hashes? Jasperwillem (talk) 06:34, 13 April 2018 (UTC)
This problem can solved easily by adding a secret 256-bit salt, this can prevent unhash and rainbow table lookup, which make you unscramble one email address from one millisecond to a billions of year, even use a supercomputer. — Preceding unsigned comment added by (talk) 03:05, 7 November 2018 (UTC)

Outside influence[edit]

Dear all,

Hereby I wanted to point your editors to the following piece;, where the reach of GDPR is wider as just European consumers. Other topics on the internet already suggested that this framework could be a referral piece of legislation for other law making entities. Since I am no expert in this topic I wanted to point this out for people known with the subject who could place it justly in the articles scope.


Jasperwillem (talk) 06:32, 13 April 2018 (UTC)

I have added a link to the Brussels effect. Implementation of GDPR outside the EU jurisdiction is an example of the Brussels effect and that entry mentions the GDPR as one of the examples. LeoVeo (talk) 18:26, 25 May 2018 (UTC)

"B2B Marketing" original research?[edit]

Someone added that section - with only links to GDPR articles, but no secondary source. This alone is not really ok. However, "B2B" implies that both (or all) involved parties are not persons, but "businesses" - so prima facie, the GDPR should not at all be relevant for B2B. So why would one claim this, and support it with paragraphs from the GDPR, which only refer to "natural persons"? I argue that this section should be removed, unless some proff can be given that GDPR professionals (lawyers) regards B2B in the context of the GDPR. --User:Haraldmmueller 10:00, 18 May 2018 (UTC)

... has been removed. Thanks! --User:Haraldmmueller 17:02, 14 October 2019 (UTC)


I am surprised there is no chapter on critisim - after all, there are plenty... — Preceding unsigned comment added by (talk) 20:03, 23 May 2018 (UTC)

Just research and add it ... BTW, in the German WP, we had the opposite problem: The whole article contained essentially only critical information, but nothing whatsoever about the GDPR's contents; so I rewrote it ... --User:Haraldmmueller 20:24, 23 May 2018 (UTC)
It's clearly there, and the topic is big enough that criticism should not be given undue weight. Much of it comes from US services and companies, which is already somewhat undue. Prinsgezinde (talk) 22:49, 13 June 2018 (UTC)

Section: "Restrictions" (Disputed)[edit]

Section Restrictions currently states: "The following cases are not covered by the regulation: ... Statistical and scientific analysis"

This is untrue. The exceptions are limited: an exemption to Article 9(1) by Article 9(2)(j), and a provision that Member States can "provide exemptions, derogations, conditions or rules in relation to specific processing activities".

Article 89, Recital 156, and Recital 159 refer explicitly to the way statistical and scientific analysis is regulated.

Additionally with the only citation being marked Page Needed, I'm doubtful about the rest of that section.

I am going to mark the section Disputed. Please indicate so that we can reach consensus as editors and seek to rewrite it or remove.

Golightlys (talk) 18:59, 26 May 2018 (UTC)

Over a year later, and this needs action. Claims that science isn't covered is clearly false: "(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. [...] (159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing." All this can be verified on and it would be nice if this section were accurate. Certainly a researcher wanting a quick overview of this huge regulation would likely come to Wikipedia first. (talk) 16:34, 13 February 2020 (UTC)

Reference broken[edit]

The following reference, #14 at the moment, is broken and provides no PDF document: Reference "Data protection" (PDF). European Commission – European Commission. — Preceding unsigned comment added by Ignacio.Agulló (talkcontribs) 22:54, 28 May 2018 (UTC)

Semi-protected edit request on 2 June 2018[edit] (talk) 00:22, 2 June 2018 (UTC)
 Not done: it's not clear what changes you want to be made. Please mention the specific changes in a "change X to Y" format and provide a reliable source if appropriate. LittlePuppers (talk) 06:34, 2 June 2018 (UTC)


Hey guys,

The largest change in the data privacy regulation law is GDPR. WP GDPR compliance require that you as a website owner, must take care of all PII - Personal Identifiable Information, in order to support the compliance of the citizens rights. See here

Best regards, gdpr-system


Re "As the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.[dubious – discuss]": This sentence is actually misleading. The GDPR actually is directly binding and applicable - this is true. However, it has a number of "open areas" where members states need to pass legislation to define more narrowly these open areas. I do not know whether a member state must pass such additional legislation - would Malta or Cyprus actually do this? Anyone has any information how many member states actually did pass such supportive laws, like Germany's "Bundesdatenschutzgesetz (neu)" or Austria's "Datenschutz-Anpassungsgesetz 2018"? --User:Haraldmmueller 07:41, 5 October 2018 (UTC)

Can I link to 'GDPR fines and notices' from the Sanctions section?[edit]

I've started contributing to the GDPR fines and notices page. Would it be appropriate to add a link to this page under the Sanctions section? And if so, what would be the appropriate text for such a reference? — Preceding unsigned comment added by Rkranendonk (talkcontribs) 14:18, 24 June 2019 (UTC)

Criticism: Social Engineering Vulnerability[edit]

According to it appears that there is at least anecdotal evidence that GDPR has made it *easier* for (possibly malicious) 3rd parties to extract private information from online services. This may be worth starting a "Criticism" section, as this is a vulnerability apparently worsened by GDPR. Tantek (talk) 23:29, 16 August 2019 (UTC)

Drop tools section[edit]

The tools section feels like spam/advertising. It's just an arbitrary list of 4 software tools. I think it should be removed, but didn't want to edit the article without asking.

If anyone else agrees, I'd vouch for removing it.

Grocko1 (talk) 11:34, 23 August 2019 (UTC)

I removed all. Actually, there are tools that might be more "objective", namely those provided by the authorities (we use one in Germany that is provided by the French office for data protection; and which is favored here in Bavaria). But I would have to research that area before I'd feel confident to add them here on WP. --User:Haraldmmueller 13:50, 30 August 2019 (UTC)

GDPR-K age of consent map[edit]

Hello, where do I find a map for age of consent in the EU?

Which is issued by Ingrida Milkaite and Eva Lievens at Ghent University. [1] --TaleofTalisman (talk) 22:27, 12 September 2019 (UTC)

GDPR age of consent[edit]

Here's are my list that limits younger people to gain access data in European Union:

EU country Age required
 Belgium 13
 Denmark 13
 Estonia 13
 Finland 13
 Latvia 13
 Malta 13
 Portugal 13 (16 for Google accounts)
 Sweden 13
 United Kingdom 13
 Austria 14
 Bulgaria 14
 Cyprus 14
 Italy 14
 Lithuania 14
 Spain 14
 Czech Republic 15 (same as age of consent)
 France 15 (same as age of consent)
 Croatia 16
 Germany 16
 Greece 16 (15 for age of consent)
 Hungary 16
 Ireland 16
 Luxembourg 16
 Netherlands 16
 Poland 16
 Romania 16
 Slovakia 16
 Slovenia 16 (15 for age of consent)

However, San Marino is not member of the European Union and/or European Economic Area. Instead, the minimum age of consent is 16 for Google accounts.

Source: [2]

--TaleofTalisman (talk) 08:13, 24 September 2019 (UTC)

Missing Basic Explanation of Applicability[edit]

Sometimes it's instructive to hear how some random person off the street views an endeavor. I came here wondering why US citizens have to comply with EU laws? And there's no explanation in the article, or did I miss it? It's a simple matter but I bet many people will have the same question. Friendly Person (talk) 22:51, 4 October 2019 (UTC)

But there is. See the paragraph under "Impact" on "international law" and the "Brussels effect"; and, additionally, the paragraph on "extraterritorial effects". That's about what can be said (unless you are a US citizen in the EU - then of course you have to comply with national, as well as EU law of the state where you are). --User:Haraldmmueller 20:18, 5 October 2019 (UTC)

Extraterritorial effects, again[edit] (see bottom:根据相关法律法规,本站不对欧盟用户提供服务。)

Tsinghua mirror site declared it will not serve EU citizens, despite it's an open source mirror site + doesn't make any explicit data requests. (This line was quietly added, no appearance in

From the article: Article 48 states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognized or enforceable in any manner unless based on an international agreement, like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state.

Does that mean for any country/region which legal system is not mutually-endorsed with EU's, all entities there cannot simultaneously satisfy its own country's laws and GDPR effectively has EU blocking them, even if they have no intention to abuse the data?

Efforts to correct wrong and misleading information were blocked[edit]

Hi, I work with GDPR from 2017 as consultant and trainer and have a CIPP/E and CIPM certifications in the field. Recently I discovered that the the wiki-article devoted to General Data Protection Regulation is full of misleading statements that might cause serious problems for the audience. Examples from the first 3 paragraphs:

  • wrong statement that only processors must put in place appropriate technical and organizational measures,
  • confusion between consent and other lawful bases,
  • misguided statement that GDPR protects just EU citizens

I tried to correct them. There been back and forth with MrOllie around whether I can refer to specific articles and exact paragraphs from unofficial gdpr website ( . So after a number of unsuccessful attempts I had to delete any references and offered the edit just limited to correcting the falsehoods in the text: Unfortunately, MrOllie continues to undo my edits and to restore misleading information. Any suggestions? — Preceding unsigned comment added by Privacypro (talkcontribs) 12:29, 7 January 2020 (UTC)

Doing what you started here: Explain the problems on the discussion page to try to create consent. I appreciate your last edit - it makes some aspects clearer, so I would like to have the change permanent. --User:Haraldmmueller 14:05, 7 January 2020 (UTC)
  • Privacypro, You replaced a source,, with many from, which adds nothing except some explanatory text from, and links to,, where the co-founder's qualifications and experience match those you've declared as your own. This is pretty clearly WP:REFSPAM in which you're trying to conceal advertising links for your business in references. It's not an acceptable use of Wikipedia. Cabayi (talk) 16:17, 7 January 2020 (UTC)

Abuse of GDPR / What GDPR is NOT ![edit]

Isn't there a list of examples where GDPR was misused? --SvenAERTS (talk) 03:21, 4 December 2020 (UTC)

Granting of the Royal Assent (UK)[edit]

The article currently has : "The United Kingdom granted royal assent to ...".

The United Kingdom does not do that. Royal Assent is granted by the Reigning Monarch (except when some form of proxy or deputy, such as I suppose the Prince Regent [1811-1820], has of necessity been formally appointed). (talk) 17:10, 6 January 2021 (UTC)