Competencia y Derecho aplicable en el reglamento general sobre protección de datos de la Unión Europea

Abstract

The new EU General Data Protection Regulation brings about a deep transformation of the previous legal framework based on the mere approximation of laws. As regards the cross-border dimension, it amends the territorial scope of application of EU data protection law to clarify that it covers the processing of data of subjects who are in the Union by a controller or a processor not established in the Union where the processing activities are related to offering goods or services to such data subjects. This article discusses the rationale that supports the new approach and the relevant criteria for its interpretation. Unlike the previous regime, the provisions of the Regulation on its territorial scope do not determine the competent national supervisory authority. The Regulation includes specific provisions on the distribution of competences between the supervisory authorities of the Member States with regard to cross-border situations. Such rules play also an important role concerning the right to a judicial remedy against a supervisory authority. Additionally, new special jurisdiction rules are established concerning private claims by data subjects against a controller or processor as a result of the infringement of the rights granted to them by the Regulation. Such rules are of special significance with respect to the right to compensation where a damage results from an infringement of the Data Protection Regulation. One of the main objectives of this article is to clarify the issues raised by the relationship of the new special rules on jurisdiction and related proceedings with other provisions, such as those of the Brussels I (Recast) Regulation. The shortcomings of EU conflict rules in the area of private enforcement of data protection law and the interplay between the new Regulation and the general EU framework on conflict of laws are also discussed.