GDPR : Article 99 - Entry Into Force and Application

by Sneha Naskar

The General Data Protection Regulation (GDPR) has been a transformative force in the realm of data protection and privacy. This all-encompassing regulation, introduced by the European Union (EU), has far-reaching implications for organizations engaged in personal data processing. Among its numerous provisions, Article 99 of the GDPR addresses the critical aspects of its entry into force and application. In this comprehensive blog post, we will delve into the intricacies of Article 99, exploring its historical context, significance, and its profound impact on data protection practices not only in the EU but also worldwide.

Impact and Significance

Background and Historical Context

To gain a deeper understanding of Article 99, it is essential to grasp the historical backdrop that led to the inception of the GDPR. Before the GDPR came into force on May 25, 2018, the European Union operated under the Data Protection Directive of 1995. While this directive laid the groundwork for data protection laws across EU member states, it was limited in its effectiveness and uniformity, unable to address the evolving challenges posed by the digital age.

The need for a more robust and harmonized data protection framework became increasingly evident as technological advancements made data processing more accessible and widespread. The GDPR emerged as a response to these challenges, designed to provide a unified approach to data protection capable of effectively safeguarding the rights and freedoms of individuals in the digital era.

Article 99 of the GDPR played a pivotal role in facilitating the transition from the Data Protection Directive to the GDPR itself. It outlines essential details about the regulation's entry into force and application, ensuring a seamless transition for all stakeholders.

Entry Into Force

Article 99 commences by specifying the date of entry into force for the GDPR. According to this article, the regulation officially came into effect on May 25, 2018. This date marked the culmination of years of planning, negotiations, and extensive preparations. The fixed implementation date allowed organizations and data protection authorities ample time to adapt to the new legal framework.

The choice of May 25, 2018, as the enforcement date, was not arbitrary; it was selected to coincide with the 20th anniversary of the adoption of the Data Protection Directive of 1995. This symbolic alignment underscored the GDPR's role as an evolutionary leap forward in data protection within the EU and demonstrated a commitment to enhancing data privacy.


While entry into force is a critical aspect of Article 99, this article also delves into the regulation's application, addressing several key points:

  • Temporal Application: The GDPR features a backward-looking temporal scope, which means it applies not only to data processing activities initiated after its enforcement but also to those that commenced before May 25, 2018, if they continue beyond that date. This approach ensures that all data processing activities fall under the GDPR's purview, regardless of when they began.
  • Territorial Scope: The GDPR boasts an expansive territorial reach. It applies not only to organizations located within the EU but also to those outside the EU that process the personal data of EU residents while offering goods or services or monitoring their behavior. This global applicability underscores the GDPR's significance beyond European borders, affecting organizations worldwide.
  • Consistency and Cooperation: Article 99 places a strong emphasis on the importance of consistent application and cooperation among EU member states' supervisory authorities. This cooperation is vital for addressing cross-border data protection issues effectively, ensuring uniform protection for individuals.
  • Transitional Provisions: The GDPR incorporates various transitional provisions, which are further detailed in Article 99. These provisions ensure that the transition from the Data Protection Directive to the GDPR is as seamless as possible. They outline how existing data processing activities and authorizations should be treated under the new regulation, promoting legal continuity and predictability.
GDPR Implementation Toolkit

Impact and Significance

Article 99 of the GDPR has had a profound impact on data protection and privacy practices, both within the European Union and globally. Here are some of the key reasons why this article is significant:

  • Clarity and Legal Certainty: By specifying the entry into force and application dates, Article 99 provides much-needed legal clarity to organizations and individuals. It ensures there is no room for ambiguity regarding when the GDPR took effect and to whom it applies, enhancing predictability and compliance.
  • Global Reach: The GDPR's expansive territorial scope, elucidated in Article 99, has compelled organizations worldwide to reassess their data protection practices. Many non-EU companies have had to adapt to the GDPR's requirements to continue conducting business with EU residents, resulting in a significant ripple effect on global data protection standards and practices.
  • Consistency and Cooperation: Article 99's emphasis on consistency and cooperation among EU member states' supervisory authorities has contributed to a more harmonized approach to data protection enforcement. This ensures that individuals' rights are consistently protected across the EU, regardless of their location.
  • Transparency and Accountability: The GDPR's transitional provisions, highlighted in Article 99, have motivated organizations to be more transparent and accountable for their data processing activities. They have been compelled to review and, if necessary, adapt their existing data processing practices to align with the new regulation, promoting responsible data handling.


Article 99 of the GDPR stands as a cornerstone for the regulation's entry into force and application. It provides the necessary clarity, temporal scope, territorial reach, and transitional provisions to ensure that the GDPR's overarching goals of protecting individuals' data privacy and fostering consistency in data protection practices are effectively achieved. The impact of Article 99 transcends the borders of the European Union, exerting a lasting influence on global data protection standards and practices. As the digital landscape continues to evolve, Article 99 remains a fundamental reference point for organizations and individuals navigating the complex world of data protection and privacy. Its enduring relevance underscores the GDPR's status as a seminal piece of legislation in the modern era of data privacy.

GDPR Implementation Toolkit