Chapter 19: Transitional provisions – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice
EU General Data Protection Regulation (GDPR): EU's new data protection law

Chapter 19: Transitional provisions – Unlocking the EU General Data Protection Regulation

Previous Chapter | Next Chapter | Index of Chapters


Why does this topic matter to organisations?

This topic covers the transitional period between the publication of the GDPR (on 4 May 2016) and the GDPR Effective Date (i.e., 25 May 2018). This represents a limited, two-year window in which organisations need to understand the GDPR and bring their data processing practices into line with its requirements.

What types of organisations are most affected?

All organisations to which the GDPR applies are affected, regardless of the sectors or business areas in which they operate.

What should organisations do to prepare?

Organisations should use the transitional period effectively. In particular, they should:

  • ensure that the relevant decision makers understand the changes implemented by the GDPR;
  • review their current data processing activities and compliance mechanisms (e.g., consent mechanisms, privacy policies, etc.) and determine whether any changes or improvements are required; and
  • put in place measures to ensure compliance with the GDPR.

Organisations should begin this process as early as possible, in order to ensure that they have allocated sufficient time and budget to enable them to achieve compliance before the GDPR and its significant new fines and sanctions (see Chapter 16) come into force.


Icons are used below to clarify the impact of each GDPR change. These GDPR impact icons are explained here.


Detailed analysis


The Directive




Transitional period

When any new EU legislation is introduced, it is generally acknowledged that Member States, and affected organisations and individuals will need a reasonable period of time to consider and adapt to that new legislation.



Member States are required to bring into force the laws, regulations and administrative provisions necessary to comply with this Directive within three years of the date on which the Directive was adopted.

materially changes

Rec.171; Art.99

After the GDPR enters into force, there will be a two-year moratorium on enforcement, until the GDPR Effective Date.


Both the Directive and the GDPR provide for a transitional period of a few years. However, unlike the Directive, the GDPR does not need to be implemented in national law. In recognition of the fact that it will take some time for DPAs and organisations to adapt to the GDPR, DPAs will not enforce the GDPR until the GDPR Effective Date (25 May 2018).



EU data protection law is particularly susceptible to technological developments that change the ways in which people and organisations process personal data. EU data protection law therefore has to be able to react and adapt to new technologies and developments. For this reason, the law makes provision for regular and ongoing evaluations of whether its aims are being achieved, and whether any changes are needed.



The Commission is required to report to the Council and the European Parliament every three years, providing (if necessary) suitable proposals for amendments to the Directive.

materially changes

Art.97, 98

The Commission is required to submit reports on the evaluation of the GDPR to the European Parliament and the Council every four years, providing (if necessary) suitable proposals for amendments to the GDPR. The Commission is also required to review other EU data protection instruments on a regular basis.


Under both the Directive and the GDPR, the Commission has to review the law, in particular taking into account the developments in information technology and the state of progress in the information society. Organisations should keep any such proposals under review, and consider whether to engage in lobbying efforts on issues that directly affect the areas in which they operate.


Further analysis

Commentary: Two-year transitional period

Organisations have two years to prepare for the enforcement of the GDPR. Enforcement will commence on the GDPR Effective Date (25 May 2018). The two‑year transition period is designed to allow organisations to adapt to the new requirements of the GDPR. Processing that is already under way should be brought into conformity with the GDPR within this two‑year period (see Rec.171 of the GDPR). Processing that has not yet commenced should be carefully reviewed and planned to ensure conformity with the GDPR. Organisations should also bear in mind that although enforcement of the GDPR does not commence for two years, DPAs are increasingly likely to interpret and apply EU data protection law in accordance with the provisions of the GDPR.

Commentary: Implementation

The Directive needed to be transposed into the national laws of each Member State, resulting in 28 different interpretations of EU data protection law. The new unified data protection law will be directly applicable throughout the EU. The GDPR (like all Regulations) applies without the need for national implementation. In theory, this will result in a more uniform set of data protection laws across the EU, as there will be less scope for national legislatures to add their own interpretations to the GDPR (however, please note that there are a number of issues that remain subject to national laws, as discussed in Chapter 17).

Commentary: Status of existing Commission and DPA decisions

Under Rec.171 of the GDPR, Commission decisions adopted (e.g., Adequacy Decisions regarding transfers to third countries) and authorisations by DPAs based on the Directive, remain in force until amended, replaced or repealed.


Chapter 20: Glossary


Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law


Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice


If you would like to request a hard copy of this Handbook, please do so here.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP