A Berlin-based SaaS company processes employee and customer personal data and is mapping which EU instruments govern its activities. Its compliance lead notes that one instrument sets out the general, cross-sector rules for processing personal data, while the others address narrower fields such as electronic communications confidentiality and the cybersecurity of essential services. Which instrument provides the general legal framework for the processing of personal data across all sectors in the EU?
- A. The ePrivacy Directive 2002/58/EC, which sets the baseline rules for processing personal data across sectors
- B. The NIS 2 Directive, which sets the baseline rules for processing personal data across sectors
- C. The EU Artificial Intelligence Act, which sets the baseline rules for processing personal data across sectors
- D. Regulation (EU) 2016/679, the General Data Protection Regulation, which sets the baseline rules for processing personal data across sectors (Correct)
Why A is wrong: The ePrivacy Directive is tempting because it does protect personal data, but it is sector-specific to electronic communications and confidentiality of communications, not the general framework.
Why B is wrong: NIS 2 is tempting because it imposes broad obligations on many entities, but it governs cybersecurity risk management and incident reporting, not the general rules for processing personal data.
Why C is wrong: The AI Act is tempting because it is a recent EU-wide regulation, but it regulates the placing on the market and use of AI systems by risk tier, not personal data processing generally.
Why D is correct: The GDPR is the general, directly applicable instrument governing the processing of personal data across all sectors in the EU, and the other instruments supplement rather than replace it.