Article 98: Review of other Union legal acts on data protection

Article 98 is not an operational obligation on your organization; it is a GDPR “maintenance” provision directing the European Commission to review other EU laws for consistency with data protection. To operationalize it, treat it as a regulatory-change trigger: monitor EU legislative updates that amend sector rules, then update your GDPR scope, roles, and controls where those changes affect your processing. (Regulation (EU) 2016/679, Article 98)

Key takeaways:

  • Article 98 drives EU-level legal alignment, but you still need an internal mechanism to catch downstream changes that can alter your obligations.
  • Operationalize via a regulatory change management control tied to your GDPR role-and-scope register and policy/control updates.
  • Keep auditable decision records showing you assessed applicability and adjusted controls when relevant EU legal acts change.

Compliance teams lose time on Article 98 because it reads like a requirement but behaves like a signal. The text is aimed at the European Commission: it may submit legislative proposals to amend other Union legal acts on personal data protection to keep protection “uniform and consistent,” with particular focus on processing by EU institutions and the free movement of data. (Regulation (EU) 2016/679, Article 98)

For a CCO or GRC lead, the practical question becomes: what do we do with a “Commission shall” provision? The operator answer is to convert Article 98 into a governance control that prevents your GDPR program from drifting out of alignment when other EU legal acts change (for example, sector rules that define confidentiality, disclosure constraints, or institutional processing rules that affect how your public-sector customers or third parties handle data).

This page gives requirement-level implementation guidance you can run immediately: applicability determination, control design, evidence to retain, common audit hangups, and a practical execution plan. The goal is simple: you can show, on demand, that you track relevant EU legal changes and translate them into updates to scope, roles (controller vs processor), and operating procedures across intake, processing, sharing, and retention.

Regulatory text

Excerpt (operator-relevant): The Commission shall, if appropriate, submit legislative proposals to amend other Union legal acts on protection of personal data to ensure uniform and consistent protection of natural persons, with particular concern for rules on processing by Union institutions, bodies, offices and agencies and on the free movement of such data. (Regulation (EU) 2016/679, Article 98)

Plain-English interpretation (what this means for you)

  • The legal duty in Article 98 sits with the European Commission, not directly with private entities. Your organization is not expected to “submit legislative proposals.”
  • Your operational exposure is indirect but real: if the EU amends other legal acts to align with data protection, your obligations can change through:
    • new or modified sector-specific requirements that touch personal data handling, sharing, or retention; or
    • procurement and contracting expectations from EU institutions and public bodies that reflect the updated legal acts.
  • So your “requirement” is readiness: you need a repeatable way to detect and act on EU legal changes that affect your processing and your controller/processor posture.

Keep the interpretation tight in your control narrative: “We monitor EU legislative and regulatory changes that may amend or clarify personal data protection obligations and update our GDPR scope, roles, and controls accordingly.” Anchor it to Article 98 as the GDPR basis. (Regulation (EU) 2016/679, Article 98)

Who this applies to (entity + operational context)

Entity scope

  • Controllers and processors subject to GDPR that may be impacted by amendments to other Union legal acts touching data protection concepts, public-sector processing, or cross-border data movement. (Regulation (EU) 2016/679)
  • Higher relevance if you:
    • sell to, integrate with, or process data on behalf of Union institutions, bodies, offices, or agencies (directly referenced by Article 98); or
    • operate in regulated sectors where EU legal acts often intersect with personal data handling.

Operational context (where this shows up day-to-day)

  • Regulatory change management: intake, triage, applicability determination, and assignment of changes into control owners.
  • Data governance: updates to data maps/records of processing, retention schedules, transfer mechanisms, and access models.
  • Third-party risk management: contract updates when customer templates or DPAs change due to EU legal alignment; reassessing sub-processor and onward transfer conditions.

What you actually need to do (step-by-step)

Step 1: Classify Article 98 correctly in your obligations inventory

  1. Mark Article 98 as an “EU institutional/legislative alignment” provision.
  2. Document a short applicability statement: “No direct operational obligation; triggers internal monitoring for downstream changes to other EU legal acts.”
  3. Assign an owner (usually Legal/Privacy or Regulatory Affairs) and a backup.

Output: obligations register entry + control statement tied to regulatory change management. (Regulation (EU) 2016/679, Article 98)

Step 2: Build a “role-and-scope register” entry for GDPR alignment tracking

Create or update a register that captures, at minimum:

  • controller vs processor role by product/service line;
  • categories of personal data and data subjects;
  • key systems and processing purposes;
  • key third parties/sub-processors touching the data.

Why it matters here: when EU legal acts change, you need a fast way to identify which processing contexts are affected. This aligns with the recommended control approach from the fact pack. (Regulation (EU) 2016/679)

Output: GDPR role-and-scope register entry that is searchable and tied to systems.

Step 3: Define your change triggers and your monitoring sources

You do not need dozens of sources. You need a defensible set and consistent evidence.

  • Triggers to define:
    • new EU legislative proposals or adopted acts affecting data protection concepts;
    • changes affecting processing by EU institutions/public bodies;
    • changes affecting cross-border data movement or data sharing obligations.
  • Minimum monitoring sources to cite internally:
    • EUR-Lex for GDPR Article 98 context and updates (use the primary text as your anchor). (Regulation (EU) 2016/679, Article 98)

Output: documented trigger list + monitoring SOP.

Step 4: Implement a requirement-specific operating procedure (SOP)

Your SOP should answer five questions with named roles:

  1. Who monitors? (Regulatory owner)
  2. How often are updates reviewed? (Set an internal cadence as a policy choice; keep it consistent and evidenced.)
  3. How do you determine applicability? (Triage criteria, decision template, legal review thresholds)
  4. Who must approve changes? (Privacy, Security, Product, Procurement, and the control owner)
  5. How do changes get implemented? (Tickets, policy updates, contract updates, training updates)

Tie the SOP explicitly to maintaining uniform and consistent protection expectations across your processing footprint, which is the intent of Article 98. (Regulation (EU) 2016/679, Article 98)

Output: approved SOP with owners, triggers, and approvals (recommended control). (Regulation (EU) 2016/679, Article 98)

Step 5: Run a repeatable impact assessment workflow when a change hits

Use a short decision matrix:

  • Does the change affect a processing purpose we perform?
    If “yes”: update RoPA/data map; review lawful basis and notices. Owner: Privacy.
  • Does it change constraints on sharing/disclosure?
    If “yes”: update DPAs, data sharing agreements, API/data export rules. Owner: Legal + Product.
  • Does it impact EU-institution processing expectations?
    If “yes”: update public-sector contract addenda and security annexes. Owner: Legal + Sales Ops.
  • Does it affect third parties?
    If “yes”: update third-party due diligence and contract clauses. Owner: TPRM/Procurement.
  • Does it require technical controls?
    If “yes”: create security/privacy engineering tasks; verify completion. Owner: Security/Engineering.

Output: completed impact assessment + implementation plan.

Step 6: Retain an “evidence packet” each cycle

Treat this as the audit-ready bundle:

  • what you reviewed,
  • what changed,
  • what you decided,
  • what you implemented,
  • what remains open (exceptions).

This matches the recommended evidence-packet control in the fact pack. (Regulation (EU) 2016/679, Article 98)

Output: evidence packet repository with consistent naming and retention.

Required evidence and artifacts to retain

Retain artifacts that prove operation, not just intent:

  1. Role-and-scope register (controller/processor decisions, data categories, systems in scope). (Regulation (EU) 2016/679)
  2. Regulatory change management SOP mapped to Article 98. (Regulation (EU) 2016/679, Article 98)
  3. Monitoring logs (subscriptions, tracked items, meeting minutes, or docket screenshots) tied to review events. (Regulation (EU) 2016/679, Article 98)
  4. Applicability decision records (why a change did or did not apply; who approved). (Regulation (EU) 2016/679, Article 98)
  5. Change implementation records (tickets, policy redlines, contract templates updated, control test results). (Regulation (EU) 2016/679)
  6. Exceptions and remediation tracking (accepted risk memos, compensating controls, closure evidence). (Regulation (EU) 2016/679)

Common exam/audit questions and hangups

Expect these lines of questioning:

  • “Why is Article 98 in your GDPR control framework if it’s addressed to the Commission?”
    Answer with your classification and your downstream-change trigger control statement. Show the SOP and one evidence packet.

  • “How do you ensure your GDPR program stays aligned as EU laws change?”
    Show monitoring sources, triage criteria, and the linkage into your scope register and control updates. (Regulation (EU) 2016/679, Article 98)

  • “Who decides whether a change is applicable?”
    Auditors want named accountability and documented approvals, not an informal Slack thread.

  • “How do you ensure product teams implement required changes?”
    Show the workflow from assessment to tickets to closure evidence.

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating Article 98 as a policy-only checkbox.
    Fix: require an evidence packet per review cycle that includes decisions and implementation outputs. (Regulation (EU) 2016/679, Article 98)

  2. Mistake: No controller/processor clarity, so change impact can’t be assessed quickly.
    Fix: keep a maintained role-and-scope register tied to services and systems. (Regulation (EU) 2016/679)

  3. Mistake: Monitoring exists, but there’s no trigger-to-action workflow.
    Fix: define triage criteria and required approvals in the SOP, then enforce it through ticketing.

  4. Mistake: Ignoring EU institution/public-sector nuance.
    Fix: flag public-sector customers and EU-institution-adjacent processing as higher sensitivity in your scope register because Article 98 explicitly calls it out. (Regulation (EU) 2016/679, Article 98)

Enforcement context and risk implications

No public enforcement cases were provided for Article 98 in the source catalog, and Article 98 is structurally less likely to be a direct enforcement hook against private entities. Your risk is program drift: failing to adapt when other Union legal acts change can cascade into noncompliance under other GDPR obligations, contract failures with public-sector customers, or gaps in third-party controls. Keep your narrative accurate: Article 98 supports the need for ongoing alignment, but enforcement would typically attach to the operational GDPR duties that become impacted. (Regulation (EU) 2016/679)

Practical 30/60/90-day execution plan

First 30 days (Immediate)

  • Write the Article 98 control statement and place it in your obligations/control inventory. (Regulation (EU) 2016/679, Article 98)
  • Assign owner and backup; set escalation path to Legal/Privacy.
  • Create or update the GDPR role-and-scope register entry for the processing areas most exposed to EU legal changes (public sector, cross-border data flows, high-volume products). (Regulation (EU) 2016/679)

Next 60 days (Near-term)

  • Publish the regulatory change management SOP with triggers, approvals, and required evidence. (Regulation (EU) 2016/679, Article 98)
  • Stand up the evidence packet template (one-page decision record + attachments list).
  • Run a tabletop: pick one plausible EU legal change scenario and walk it through triage → assessment → tickets → closure evidence.

Next 90 days (Operationalize and prove)

  • Execute the process for at least one real update item (even if the decision is “not applicable”); retain the evidence packet. (Regulation (EU) 2016/679, Article 98)
  • Add the control to your internal audit plan and test for: monitoring evidence, decision approvals, and closed-loop implementation.
  • If you use Daydream for third-party risk management and compliance evidence, map this workflow to a recurring task with required artifacts so you can answer diligence requests with a single exportable packet.

Frequently Asked Questions

Is Article 98 a direct requirement on my company?

No. The text assigns action to the European Commission, not private entities. Your operational task is to monitor downstream changes to EU legal acts that can alter your obligations and then update your controls accordingly. (Regulation (EU) 2016/679, Article 98)

How do I justify spending time on Article 98 during an audit?

Position it as part of regulatory change management for GDPR alignment. Show the SOP, monitoring evidence, and at least one decision record demonstrating how you assessed applicability and implemented (or declined) changes. (Regulation (EU) 2016/679, Article 98)

What evidence is strongest for this requirement?

A dated monitoring log, a signed applicability decision record, and implementation tickets with closure proof. Pair that with your role-and-scope register so reviewers can see you had a structured way to find impacted processing. (Regulation (EU) 2016/679)

We’re a processor only. Do we still need this?

Yes, as a governance practice, because changes to Union legal acts can affect processor obligations through customer contract templates, security annexes, and transfer expectations. Your role-and-scope register should still document where you act as a processor and which systems/processes are involved. (Regulation (EU) 2016/679)

What’s the minimum “operational control” that satisfies this in practice?

A documented change management SOP tied to GDPR, an assigned owner, and retained evidence packets for reviews and decisions. Without evidence of operation, this stays a paper control. (Regulation (EU) 2016/679, Article 98)

How does this relate to third-party risk management?

EU legal changes often show up first in third-party contracts and customer DPAs, especially for public-sector and regulated customers. Your workflow should route applicable changes to Procurement/TPRM to update due diligence questions, contract clauses, and sub-processor oversight. (Regulation (EU) 2016/679, Article 98)