FEBIS

Data Protection & GDPR

General Data Protection Regulation and its implications for business information services

Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation enacted by the European Union (EU). It became effective on May 25, 2018, replacing the Data Protection Directive 95/46/EC. The GDPR aims to harmonize data protection laws across the EU member states and provide individuals with greater control over their personal data.

The EU Digital Omnibus (European Commission proposal of 19 November 2025, e.g. COM (2025) proposals amending the Data Act, GDPR and related legislation) aims to simplify and harmonise the EU’s complex digital rulebook across data, privacy and AI.
It consolidates overlapping frameworks (notably around the Data Act – Regulation (EU) 2023/2854) and streamlines requirements on data access, sharing, and reporting obligations.
For business providers, this reduces regulatory fragmentation and compliance burdens, particularly for SMEs, while increasing legal clarity in handling and reusing data.  At the same time, it maintains core data protection standards but recalibrates certain obligations (e.g. under GDPR) to reduce operational friction. Overall, the Omnibus is expected to lower administrative costs and unlock innovation opportunities, while creating a more coherent and business-friendly EU data ecosystem.

Key elements and background of the GDPR include:

  1. 1

    Territorial Scope: The GDPR applies not only to organizations based within the EU but also to those outside the EU that process personal data of EU residents in connection with offering goods or services or monitoring their behavior.

  2. 2

    Enhanced Rights of Data Subjects: The GDPR grants individuals (data subjects) enhanced rights regarding their personal data. These rights include the right to access, rectification, erasure ("right to be forgotten"), data portability, and the right to object to processing.

  3. 3

    Data Processing and Consent: Organizations must have a legal basis for processing personal data. Consent is one of the legal grounds, and the GDPR sets stricter standards for obtaining and managing consent. Data subjects must be informed in clear and plain language about the purpose and scope of data processing.

Why is it important?

The GDPR establishes a set of fundamental principles regarding the processing of personal data. These include transparency, lawfulness, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

FEBIS Position

Business Information providers are committed in supporting the upcoming GDPR evaluation. Legal requirements for the processing of personal data, and compliance is mandatory. Adhering to the GDPR ensures that FEBIS and its member organizations comply with European data protection laws, aligning with the broader goals of fostering trust in digital transactions.

FEBIS highly values collaborations with other industry partners and constructive exchange with authorities and is excited to see how ongoing evaluations offers more ways to use data responsibly and ethically while still fostering innovation and access to data in a common consideration.

But we continue to stress that some legislative trends go for more open data and enhanced possibilities to exchange information and enable better Digital Single Market, such as Open Data policies, the revision of the PSI directive or the Capital Markets Union, whereas other legislation such as GDPR considerably restrict the possibilities to access data especially on sole traders.

FEBIS is strongly recommending a clarification based on the capacity under which a natural person interacts with the creditors / financial institutions and to consider that natural persons acting in business capacity should be considered equal to legal persons in all relevant legislation. It is the capacity in which an individual interacts, which should be considered i.e. private for private capacity, and available for re-use for legitimate purposes for business capacity.

Key Dates

25 May 2018

GDPR application date

16 July 2020

Schrems II judgment

June 2021

New SCCs adopted

Ongoing

Regulatory guidance updates