The agreement in the EU on the GDPR was a long process with many discussions and negotiations. In the early 2010s, the EU began to address the new data protection requirements resulting from digitalisation. In the following years, these considerations were deepened and the GDPR finally came into force in 2016. It replaced the previous Data Protection Directive from 1995.

It has been implemented as law in all member states since May 2018 and is therefore valid in all member states.

An overview of the development of the regulation can also be found on the website of the European Data Protection Supervisor:

• in German 
• in English

Categorisation and criticism

The GDPR merely creates a framework for the protection of personal data. It is therefore imprecise in many places and leaves a lot of room for interpretation. As a result, many specific questions have only been or will only be clarified in court. 

In addition, the member states can enact national legislation to refine and supplement the requirements of the GDPR. In addition to the GDPR, it is therefore always necessary to keep an eye on the national regulations in the respective country. 

In Germany, for example, there is the "Federal Data Protection Act", which concretises the requirements of the GDPR at federal level and, in addition, each federal state has its own state data protection law, which makes further refinements (e.g. Baden-Württemberg State Data Protection Act).