EU Consumer Rights and Data Protection


Consumer Rights

New rules were introduced into the European Union in 2014 to protect online shoppers:

  • Customers in the EU have the right to change their minds within two weeks of receiving goods purchased online.
  • The seller has 30 days to deliver the product or the customer has the right to cancel the purchase.
  • The seller must provide the customer with clear information on the characteristics of the product.
  • Pre-ticked boxes on websites for extra payments are not allowed.
  • Surcharges for the use of credit cards and phone hotlines are not allowed.

More generally, customers have two years from the date of delivery to request repair or replacement if goods do not conform to a sales contract. In these cases, the seller has to replace or repair the goods free of charge. In the cases where repair or replacement isn’t possible, a refund or a price reduction may be requested.

Some member states stipulate customer guarantees longer than those provided by the EU parliament.

Data Protection

Since 2002, the EU has recognized that the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) provides adequate protection of EU citizens’ personal data and privacy, and has therefore allowed the electronic transfer of personal data between the EU and Canada.

However, starting next year, managing the personal data of EU citizens will be governed under much stricter regulation.

Source: TCS

EU General Data Protection Regulation

A new data regulation is coming out of the EU on May 28, 2018.

The General Data Protection Regulation (GDPR), billed as the most significant change to European data privacy regulation in 20 years, was approved and adopted by the EU parliament in April 2016. When it comes into force next year, the GDPR will replace an EU data privacy directive established in 1995.

The main difference between a regulation and a directive in this context is that a regulation is a binding legislative act that must be applied in its entirety across the EU, while a directive is more informal: an act that sets out goals for EU members but lets countries decide how to achieve those goals. What this means is that the GDPR will formalize, codify and harmonize data privacy law across all 28 EU member states.

The regulation requires any organization that offers goods or services to EU residents or collects data on EU residents for marketing purposes to implement specific protection measures and processes to effectively manage personal data.

Not complying with the GDPR carries very stiff penalties: a maximum fine of four per cent of a firm’s global annual turnover or 20 million Euro (whichever is greater) is possible.

For an SME, a 20 million Euro fine could mean lights out for their business, so for anyone who trades in the EU or wants to break into the market, this is something you need to pay attention to.

Study finds global firms ill-prepared for upcoming EU data regulations

General Data Protection Regulation, coming May 25, 2018, affects any firm that does business in the EU and imposes colossal fines for mismanagement of personal data: $29.5 million or 4 per cent of annual turnover. A new study found only 2 per cent of global businesses were likely to be compliant.

The EU’s General Data Protection Regulation aims to harmonize data privacy and protection mandates across the union’s 28 member states.

Here’s how the GDPR regulation breaks down:

Increased Territorial Scope

The GDPR applies to all companies processing personal data of people residing in the EU, regardless of that company’s location. In other words, even if your operation is not based in the EU and your data processing does not take place in Europe, you are still responsible for any data management that affects EU citizens.

Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.

These rules apply to both processors of data and controllers (for example, cloud management services).

Penalties

The maximum fine of 4 per cent of annual global turnover or 20 million Euro will only be imposed for the most serious infringements, such as not having sufficient customer consent to process data.

There is a tiered approach to these fines.

Companies can be fined 2 per cent of turnover for not having their records in order, not notifying the supervising authority and data subjects about a breach, and not conducting an impact assessment.

Consent

The request for consent to process a person’s data must be given in an easily accessible form, using clear and plain language, with the purpose of the data processing included.

It must also be as easy to withdraw consent as it is to provide it.

Parental consent will be required to process the personal data of children under 16 for online services.

Brexit Implications

Any data processing activities which affect EU citizens are subject to the GDPR, no matter how small, but if your operations are limited to the U.K., then keep in mind that the U.K. government has indicated plans to implement an equivalent or alternative legal mechanism.

The U.K. legislation is expected to follow the GDPR, given the support the U.K. government has previously expressed for the GDPR as an effective privacy framework. Similar legislation also allows for continuity and simplicity of operations between the two markets.

Data Subject Rights

Breach Notification

Breach notification will become mandatory under the GDPR in all member states where a data breach is likely to result in a risk to those involved.

Notification, made to the proper regulatory authority, must be made within 72 hours of first becoming aware of the breach. Firms must also notify their customers and data controllers “without undue delay”.

Right to Access

Under the GDPR, EU citizens have the right to know whether or not personal data concerning them is being processed, where it is being processed and for what purpose.

Firms also need to provide a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten

EU citizens have the right to request that a firm erase their personal data, cease further dissemination of the data and potentially have third parties halt processing of the data. This right applies where the data is no longer relevant to the original purpose of processing or where the data subject withdraws consent.

This right also requires controllers to compare the data subject’s rights to “the public interest in the availability of the data” when considering these requests.

Data Portability

Data subjects have the right to receive the personal information concerning them and have the right to transmit that data to another organization.

Privacy by Design

Privacy by design calls for data protection to be built into systems from the outset of their design, rather than added on afterwards.

The regulation also stipulates that firms only hold and process the data absolutely necessary to the completion of their duties, and that access to personal data is limited to those who need it to carry out the processing.

The brief synopsis of information provided here is just that. For more detailed information, consult the Trade Commissioner Service or seek out legal advice.