
A Quick Overview of European Privacy Laws

Do you need to get a better grasp of European privacy laws? Are you looking for specific information for your compliance? Our European Privacy Laws Overview is what you need!

👀 In this guide, we give basic information regarding major EU laws such as the GDPR and the ePrivacy Directive, and provide many further resources for you to dive deeper into your topics of interest.

The current privacy landscape in Europe

A need for better data protection: the importance of European privacy laws

A strong framework for data protection was necessary when companies started to heavily collect, use and store personal data of individuals in order to get relevant insights on customers, provide them with personalized experiences or ads, and more.

Privacy laws have been crucial for protecting individuals’ personal data and ensuring it is not being abused by organizations. They helped to:

  • give power back to individuals over their data, granting them critical rights;
  • regulate usage, processing and storage (with special measures for high-risk data);
  • implement sanctions and reduce data breaches;
  • impose rules for organizations to set up internally (organizational and technical measures) and externally (user-focused, e.g. disclosures, collecting consent, etc.).

European privacy laws overview – the most relevant laws

🇪🇺 The General Data Protection Regulation (GDPR)

🗓️ When? The GDPR is a European regulation that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date.

💬 What? At its most basic, the GDPR specifies how personal data should be lawfully processed, collected, shared, used, protected or interacted with in general.

📍 Where? The GDPR can apply to you whether your organization is based in the EU or not.

The GDPR applies where:

  • an entity’s base of operations is in the EU (this applies whether the processing takes place in the EU or not);
  • an entity not established in the EU offers goods or services to people in the EU; or
  • an entity is not established in the EU, but it monitors the behavior of people who are in the EU, provided that such behavior takes place in the EU.

🔍 Check out our dedicated section below for useful resources on the GDPR.

🇬🇧 UK Privacy Laws

The UK privacy landscape has been undergoing some changes after Brexit, but the GDPR still applies (until a new bill is passed). It is now referred to as the UK GDPR and is enforced by the UK DPA, called the ICO.

The Privacy and Electronic Communications Regulations (PECR) is a British law that gives people specific privacy rights in relation to electronic communications. It sits alongside the UK GDPR.

🇪🇺 The ePrivacy Directive (or Cookie Law)

🗓️ When? 2002, ePrivacy Directive 2002/58/EC (or Cookie Law).

💬 What? It establishes guidelines for the protection of electronic privacy, including email marketing and cookie usage, and it still applies today. It works hand in hand with the GDPR.

📍 Where? The ePrivacy Directive is an EU law. It applies if you do business in the EU (regardless of whether you are based in the EU or not), and more practically, if your website can be visited by European users and it uses cookies.

🔍 Check out our dedicated section below for useful resources on the Cookie Law.

Enforcement by European Data Protection Authorities

While the GDPR and the ePrivacy Directive operate at EU level, independent public authorities called DPAs (Data Protection Authorities) oversee the enforcement of data protection laws at country level. They also conduct investigations, issue fines and sanctions, and provide guidance on best practices, e.g. on cookie usage.

The most active DPAs include:

  • 🇫🇷 The “CNIL” in France, and its law “La loi Informatique et Libertés” – see here for their guidance on cookies;
  • 🇮🇹 The “Garante” in Italy – see here for their guidance on cookies;
  • 🇪🇸 The “AEPD” in Spain – see here for more information on the DPA (in Spanish) and their guidance on cookies here;

and many more such as the Irish, Belgian, Danish, Austrian, German DPAs…

Note: the information outlined below is simplified information, and as a business, you should discuss your specific situation with legal professionals. In the meantime, keep reading! Our resources can give you a head start with your compliance.

Focus on: the General Data Protection Regulation (GDPR)

As part of our European privacy laws overview, here’s a collection of resources on everything you should know about GDPR compliance.

European Privacy Laws: GDPR’s main provisions

If you process personal data, the GDPR requires you to have a valid legal basis for doing so. If consent is your legal basis, before collecting any personal data, you will have to obtain explicit user consent and keep records of this consent.

You must also honor user rights and requests, as well as implement organizational measures (assessments, appointing a person responsible for privacy) and keep the data safe when stored.

Focus on: the ePrivacy directive (Cookie Law)

As part of our European privacy laws overview, here’s a collection of resources on everything you should know about ePrivacy and cookie compliance.

European Privacy Laws: Cookie Law’s main provisions

The ePrivacy Directive applies to any type of tracker that stores or accesses information on a user’s device, including cookies.
Here again, working alongside the GDPR, the Cookie Law requires you to inform users and obtain their consent before using such technologies. Common practice is to use a cookie banner.

The vast majority of EU countries’ DPAs (mentioned before) have established cookie rules following the ePrivacy Directive, adding the need for keeping records of cookie consent (to align with the GDPR).

Before sending direct marketing communications in electronic form (emails, newsletters, etc.), user consent is required as well. As always, users must also be given the right to withdraw (opt-out, or unsubscribe in the case of emails) at any time.
