GDPR : Article 96 - Relationship with Previously Concluded Agreements

by Sneha Naskar

The General Data Protection Regulation (GDPR) has reshaped the landscape of data protection and privacy, affording individuals greater control over their personal data and imposing stringent obligations on organizations processing such information. Within the framework of GDPR, Article 96 addresses a fundamental yet often overlooked aspect - the relationship between this new regulation and previously established agreements. This blog post delves into the intricacies of Article 96 GDPR, unraveling its implications for both businesses and individuals.

Implications for Businesses and Individuals

Understanding Article 96 GDPR

Article 96 of the GDPR serves as a critical bridge between the new regulatory framework and pre-existing agreements. Its provisions are succinctly laid out as follows:

" Agreements and decisions that involve the processing of personal data and that were concluded before [the effective date of the GDPR] shall remain in force if they comply with this Regulation.

Member States shall communicate to the Commission the provisions of their laws which they adopt pursuant to this Regulation and shall communicate to the Commission the main provisions of law which they adopt pursuant to points (b) and (d) of Article 6.

Agreements that have been concluded between Member States on the basis of Article 26 of Directive 95/46/EC shall remain in force until amended, replaced, or repealed."

This article, in essence, addresses several critical issues pertaining to the compatibility of previously established agreements with the GDPR. To provide a comprehensive understanding, we shall explore each of these points in detail.

  • Continuity of Existing Agreements

Article 96 clearly stipulates that agreements and decisions made prior to the effective date of the GDPR, which is May 25, 2018, will remain in force provided they align with the requirements articulated within the GDPR itself. The overarching objective of this provision is to ensure a seamless transition from the previous data protection framework, Directive 95/46/EC, to the more robust GDPR.

However, it is crucial to recognize that this continuity comes with a set of conditions. For these agreements to remain valid, they must strictly adhere to the core principles enshrined within the GDPR. These principles encompass transparency, informed consent, purpose limitation, data minimization, and the safeguarding of the rights of data subjects. In instances where an agreement falls short of these rigorous standards, it may necessitate revision or even termination to realign with the GDPR's stringent requirements.

  • Member State Adaptations

Article 96 places an obligation on Member States to communicate to the European Commission any provisions they enact in pursuit of compliance with the GDPR. This requirement is essential for ensuring the consistency of data protection laws across the European Union (EU). By openly sharing their national laws and regulations with the Commission, Member States actively contribute to a harmonized approach to data protection within the EU.

Furthermore, this provision underscores the paramount importance of cooperation and coordination among EU member states. Such collaboration is indispensable for upholding the GDPR's overarching principles and ensuring the effective implementation of data protection measures.

  • Continuity of Inter-Governmental Agreements

Article 96 is specifically directed at agreements entered into between Member States, particularly those established on the basis of Article 26 of Directive 95/46/EC. These inter-governmental agreements may encompass a wide array of issues, including but not limited to cross-border data transfers, mutual cooperation in data protection matters, and the harmonization of data protection standards. The GDPR duly recognizes the significance of such agreements and permits them to remain in force until they are either amended, replaced, or repealed.

This provision underscores the EU's unwavering commitment to maintaining the spirit of cooperation and information exchange among its member states while simultaneously ensuring that these agreements do not run counter to the fundamental provisions laid down within the GDPR itself.

GDPR Implementation Toolkit

Implications for Businesses and Individuals

Now that we have garnered a comprehensive understanding of Article 96 GDPR, it is essential to elucidate its far-reaching implications for both businesses and individuals.

For Businesses

  • Compliance Review and Audit

Organizations engaged in the processing of personal data and possessing pre-existing agreements should undertake a comprehensive review and audit of these agreements to ascertain their alignment with the GDPR's stipulations. Non-compliance with the GDPR can potentially result in substantial penalties and legal liabilities.

  • Legal Expertise and Counsel

Given the complexities embedded within data protection laws, it is highly advisable for businesses to seek the counsel of legal experts proficient in the domain of data protection. Legal experts can facilitate a thorough assessment of the compatibility of existing agreements with the GDPR and subsequently recommend and facilitate any requisite amendments.

  • Embrace Transparency and Accountability

The GDPR places a profound emphasis on transparency and accountability in data processing. Organizations should not only embed these principles within their agreements but also weave them into the fabric of their daily data processing activities. Doing so not only aligns them with the GDPR but also helps foster trust with both customers and regulatory authorities.

  • Vigilance in International Data Transfers

For organizations involved in international data transfers, Article 96 underscores the critical importance of ensuring that inter-governmental agreements comply with the GDPR's stringent provisions. Companies engaged in such transfers should remain vigilant, staying abreast of any developments or changes that might transpire in these agreements.

For Individuals

  • Enhanced Data Protection

The GDPR ushers in an era where individuals wield greater control over their personal data. It bestows upon them an array of rights, including but not limited to the right to access, rectify, and erase their data, along with the right to be informed about the processing of their data. Article 96 ensures that these rights remain sacrosanct, even within the context of pre-existing agreements.

  • Championing Transparency

The GDPR champions transparency in data processing activities. Individuals should be keenly aware of their rights and remain informed about how their data is being utilized. In instances where they harbor suspicions regarding non-compliance with the GDPR within existing agreements, individuals are well within their rights to seek legal redress, including filing complaints with the relevant data protection authorities.

  • Cross-Border Data Flows

For individuals whose personal data might traverse international boundaries, Article 96 serves as a protective mechanism, reinforcing the importance of inter-governmental agreements. It ensures that data protection standards are upheld even when personal data embarks on cross-border journeys.


In the intricate realm of data protection and privacy, Article 96 of GDPR stands as a crucial pillar, ensuring the compatibility of previously concluded agreements with the stringent data protection requirements of the GDPR. It endeavors to promote continuity while zealously safeguarding the rights and principles enshrined within the regulation itself. For businesses, compliance with the GDPR is not merely a legal obligation but also an opportunity to cultivate trust and credibility with their customer base. For individuals, Article 96 reinforces their rights and expectations concerning the safeguarding of their personal data. In an ever-evolving data protection landscape, Article 96 provides a sturdy foundation for the harmonization of data protection practices across the European Union, serving as a beacon guiding both businesses and individuals toward a more privacy-conscious future.

GDPR Implementation Toolkit