The GDPR articles explained: Chapter 11 - Final provisions

Chapter 11 of the GDPR contains several final provisions which are crucial for understanding how the regulation operates in practice. It ensures a smooth transition from the previous data protection directive, outlines ongoing evaluation and potential amendment processes, and specifies the regulation's relationship with other EU legal acts.

Article 94 - Repeal of Directive 95/46/EC

Directive 95/46/EC was the previous EU directive on data protection. Article 94 states that the GDPR repeals Directive 95/46/EC as of 25th May 2018.

Implications: IT systems and practices needed to be updated to comply with the stricter and more comprehensive GDPR requirements compared to the previous directive. For example, organizations had to review and potentially redesign data handling processes to meet GDPR's enhanced transparency and accountability standards.

Article 95 - Relationship with Directive 2002/58/EC

This article clarifies that GDPR does not impose additional obligations on providers of electronic communications services beyond those set out in Directive 2002/58/EC (the ePrivacy Directive).

Implications: Companies providing electronic communications services (e.g., email providers, messaging apps) need to comply with both GDPR and the ePrivacy Directive. For IT departments, this means ensuring that data processing activities related to electronic communications are compliant with both sets of regulations.

Article 96 - Relationship with previously concluded agreements

International agreements regarding the transfer of personal data to third countries or international organizations concluded by member states before 24th May 2016, remain valid if they comply with the law as it stood before that date.

Implications: Organizations involved in cross-border data transfers need to ensure that any international agreements they rely on for such transfers are aligned with GDPR requirements. For instance, data transfer agreements with non-EU vendors or service providers must incorporate GDPR-compliant clauses or safeguards.

Article 97 - Commission reports

The European Commission must submit reports on the evaluation and review of the GDPR every four years. These reports are public and assess various aspects of GDPR implementation.

Implications: Organizations should monitor these reports as they may highlight areas of GDPR enforcement focus or indicate potential future amendments to the regulation. For example, reports might assess the effectiveness of cross-border data transfer mechanisms, impacting IT strategies related to international data flows.

Article 98 - Review of other Union legal acts on data protection

The Commission may propose amendments to other EU legal acts to ensure consistent protection of personal data across all areas regulated by the EU.

Implications: IT professionals should stay informed about any proposed amendments that could affect how personal data is handled across different sectors (e.g., healthcare, finance). For instance, amendments could introduce new data protection requirements for specific industries, necessitating IT system adjustments and compliance updates.