Implementation of the EU GDPR 2016/679 – General Guidance to Members


Published: 7 March 2018

Regulation (EU) 2016/679 containing the General Data Protection Regulation (the "GDPR" or "Regulations") will come into force on 25 May 2018 when it will have direct effect in the EU/EEA. It will be incorporated into the Norwegian, and enter into force at the same time. The Regulation, which is some 88 pages long, may be found here.

This general guidance intends only to provide a brief introduction to the GDPR, as relevant to the Association and its Members. The impact of the Regulation will most often be felt in claims relating to personal injury and illness or other cases involving data originating from natural persons, or individuals. Data originating from a legal entity that does not contain personal information, or information otherwise not related to natural persons is unaffected.

The broad intention of the Regulation is to replace Directive 95/46/EC and strengthen and harmonise EU/EEA procedures concerning the collection, storage, processing, access, use, transfer and erasure of personal data. By establishing responsibilities for "controllers" and "processors" of personal data, the Regulation aims to provide natural persons with the same level of legally enforceable rights throughout the EU/EEA, and a supervisory and enforcement framework to ensure compliance.

The aim of the GDPR is to protect natural persons in relation to the processing of data. The Regulation applies to those within the EU/EEA which may hold such data, but also to those outside the EU/EEA which may offer goods or services to natural persons within that area, or send personal data to organisations within the EU/EEA, or send personal data to recipients within the EU/EEA. Because the Association operates within the EU/EEA, the GDPR will apply to the Association. Similarly, the Regulation will apply to Members, and third-party service providers operating within the EU/EEA or offering goods or services to natural persons within that area, and to personal data held within the EU/EEA belonging to individuals who are outside the EU/EEA.

The circular is attached on this page.