Authors: Gerrit Hornung and Indra Spiecker gen. Döhmann
- This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
- It shall apply from 25 May 2018.
I. Preliminary note
Art. 99 is the complementary rule to Art. 94 para. 1 and regulates, divergent from each other, the time of entry into force (para. 1) as well as the time of application (para. 2) of the GDPR. The norm was not changed during the legislative process. From the beginning, it was agreed to provide for a two-year transition period so that data controllers and processors could adapt to the new requirements and change their processing procedures correspondingly, and that Member States could adapt their data protection laws and align them with the opening clauses (→ mn. 5). In view of the changes, especially in the procedural context (→ Introduction mn. 171), the multitude and vagueness of the opening clauses as well as the now massive sanctions of the GDPR (→ Introduction mn. 170 et seq., 201, 220), this transitional period was appropriate, even if, in view of the dynamics in the IT sector, a faster reaction to the enforcement deficits and the already sufficiently practised exercise of a “law of the strongest” at the expense of data protection would have been desirable. The parallel rule in Art. 63 para. 1 JHA Directive also granted a two-year period for implementation into national law; however, this period started earlier and already expired on 6.5.2018.
II.Entry into force of the GDPR (para. 1)
The GDPR entered into force on the twentieth day following that of its publication in the Official Journal of the EU. The paragraph has a purely declaratory effect, as the date of entry into force follows directly from Art. 297 para. 1 subpara. 3 sentence 2 TFEU, which sets the twenty-day limit. The GDPR was published in the Official Journal of the EU on 4 May 2016. The electronic version of the publication is decisive and legally binding. The GDPR has therefore been in force since 24 May 2016.
The practical significance of para. 1 lies in the anticipatory early effects of the GDPR (→ mn. 1, 5). In contrast, the legal significance of para. 1 is limited because only one other norm, Art. 91 para. 1, refers to the entry into force of the GDPR and thus to para. 1. According to Art. 91, churches may in principle continue to apply those data protection rules already existing at the time of entry into force, i.e. on 24 May 2016. The political agreement in the trialogue had included such references in other rules, but these were replaced by the specific date of entry into force, i.e. 24 May 2016 (Art. 54 para. 1 lit. d, Art. 92 para. 2, Art. 96).
III.Application of the GDPR (para. 2)
The GDPR has been in force since 25 May 2018, 0:00 a.m.; this marked the end of the transitional period. The term “application” describes the fact that since then a new data protection law regime has been binding in the EU – and also for many controllers and processors outside the EU due to the market-place principle according to Art. 3 para. 2 – and thus directly required compliance. Since this date, the requirements of the GDPR can be fully enforced by the supervisory authorities and data subjects can exercise their rights. In contrast, supervisory and other authorities as well as courts will still act on the basis of the previous legal regime, i.e. according to the national implementation laws on the basis of the DPD, for infringements prior to 25 May 2018 (insofar as such old cases still exist). Consequently, the DPD was revoked when the GDPR became effective (Art. 94 para. 1). This has further consequences for previously lawful ongoing data processing (→ Art. 94 mn. 5), in particular on the basis of consent (→ Art. 94 mn. 6), for national implementing laws adopted on the basis of the DPD (→ Art. 94 mn. 7), for decisions and resolutions of the Comm (→ Art. 94 mn. 8) and for references to the DPD (→ Art. 94 mn. 9 et seq.).eng
The deliberate choice of the European legislator to separate the entry into force of the GDPR (→ mn. 2) on the one hand and the repeal of the DPD (Art. 94) and the application of the GDPR (→ mn. 4) on the other hand results in a two-year transition period. As a result, the data controllers, processors and the supervisory authorities were able to adapt their processing, contracting and control processes to the new rules and, at the same time, the Member States were able to make use of the opening clauses, and to review and adapt existing legal regulation, which was characterised by the implementation of the DPD and thus by considerable leeway. The interplay of para. 2 and Art. 94 para. 1 means that there is no competition between the two legal regimes at any time, but also no choice: neither data controllers nor processors nor Member States could lawfully switch to the rules of the GDPR within this period if these were in contradiction with the rules of Member State law under the DPD.
[…]